Compare commits

..

486 Commits

Author SHA1 Message Date
peterd
fa5b7371c9 updated Bv9ARM.xml ch five 2020-04-23 10:38:34 +00:00
peterd
1629db4804 updated Bv9ARM.xml ch five 2020-04-23 10:18:15 +00:00
peterd
3c28decfa6 updated Arm ch05 2020-04-23 09:33:05 +00:00
Michal Nowak
f6d15d5af8 Merge branch 'mnowak/1751-abi-check-does-not-know-which-source-is-older-newer' into 'master'
abi-check does not know which source is older, newer

Closes #1751

See merge request isc-projects/bind9!3374
2020-04-23 06:52:05 +00:00
Michal Nowak
8e3e2836b0 Ensure proper comparison order in "abi-check" jobs
Right before the release API version (LIBINTERFACE, LIBREVISION, LIBAGE)
for older and newer libraries tends to be the same. Given that, commit
hash can't be the determining factor here, Unix time of the commit
should suit us better and is placed after the API version. The commit
hash is preserved as it's useful to see it in the actual report.

'-nosymtbl' versions of libraries are not produced in Automake builds.
2020-04-23 08:49:29 +02:00
Ondřej Surý
7a0ebb14f3 Merge branch 'ondrej/make-merge_copyrights-ignore-hidden-files' into 'master'
Make merge_copyrights ignore hidden files

See merge request isc-projects/bind9!3417
2020-04-23 05:58:36 +00:00
Ondřej Surý
6d46082d82 Make merge_copyrights ignore hidden files 2020-04-23 07:57:29 +02:00
Ondřej Surý
a9fb6fa862 Merge branch 'ondrej/update-lgtm.com-configuration' into 'master'
Add configuration for LGTM.com static code analyzer

See merge request isc-projects/bind9!3415
2020-04-22 14:57:40 +00:00
Ondřej Surý
fea3fe9996 Add configuration for LGTM.com static code analyzer 2020-04-22 16:14:43 +02:00
Evan Hunt
8e85ce3d77 Merge branch '1779-lock-rpzs' into 'master'
acquire maintenance lock when running incremental RPZ updates

Closes #1779

See merge request isc-projects/bind9!3411
2020-04-21 23:59:37 +00:00
Evan Hunt
2cf3d4c700 CHANGES 2020-04-21 16:59:02 -07:00
Evan Hunt
286e8cd7ea acquire maintenance lock when running incremental RPZ updates
this addresses a race that could occur during shutdown or when
reconfiguring to remove RPZ zones.

this change should ensure that the rpzs structure and the incremental
updates don't interfere with each other: rpzs->zones entries cannot
be set to NULL while an update quantum is running, and the
task should be destroyed and its queue purged so that no subsequent
quanta will run.
2020-04-21 15:53:58 -07:00
Ondřej Surý
bb4515346a Merge branch '4-add-changes-and-release-notes' into 'master'
Add CHANGES and Release Notes for "Convert to modern autotools (autoconf + automake + libtool)"

See merge request isc-projects/bind9!3410
2020-04-21 13:38:21 +00:00
Ondřej Surý
5d0897ab15 Add release notes for #4 2020-04-21 15:36:47 +02:00
Ondřej Surý
4e9801e68d Add CHANGES for GL #4 2020-04-21 15:25:41 +02:00
Ondřej Surý
01b3495000 Merge branch '4-convert-to-modern-autotools-autoconf-automake-libtool' into 'master'
Convert to modern autotools (autoconf + automake + libtool)

Closes #4

See merge request isc-projects/bind9!985
2020-04-21 13:06:22 +00:00
Ondřej Surý
978c7b2e89 Complete rewrite the BIND 9 build system
The rewrite of BIND 9 build system is a large work and cannot be reasonable
split into separate merge requests.  Addition of the automake has a positive
effect on the readability and maintainability of the build system as it is more
declarative, it allows conditional and we are able to drop all of the custom
make code that BIND 9 developed over the years to overcome the deficiencies of
autoconf + custom Makefile.in files.

This squashed commit contains following changes:

- conversion (or rather fresh rewrite) of all Makefile.in files to Makefile.am
  by using automake

- the libtool is now properly integrated with automake (the way we used it
  was rather hackish as the only official way how to use libtool is via
  automake

- the dynamic module loading was rewritten from a custom patchwork to libtool's
  libltdl (which includes the patchwork to support module loading on different
  systems internally)

- conversion of the unit test executor from kyua to automake parallel driver

- conversion of the system test executor from custom make/shell to automake
  parallel driver

- The GSSAPI has been refactored, the custom SPNEGO on the basis that
  all major KRB5/GSSAPI (mit-krb5, heimdal and Windows) implementations
  support SPNEGO mechanism.

- The various defunct tests from bin/tests have been removed:
  bin/tests/optional and bin/tests/pkcs11

- The text files generated from the MD files have been removed, the
  MarkDown has been designed to be readable by both humans and computers

- The xsl header is now generated by a simple sed command instead of
  perl helper

- The <irs/platform.h> header has been removed

- cleanups of configure.ac script to make it more simpler, addition of multiple
  macros (there's still work to be done though)

- the tarball can now be prepared with `make dist`

- the system tests are partially able to run in oot build

Here's a list of unfinished work that needs to be completed in subsequent merge
requests:

- `make distcheck` doesn't yet work (because of system tests oot run is not yet
  finished)

- documentation is not yet built, there's a different merge request with docbook
  to sphinx-build rst conversion that needs to be rebased and adapted on top of
  the automake

- msvc build is non functional yet and we need to decide whether we will just
  cross-compile bind9 using mingw-w64 or fix the msvc build

- contributed dlz modules are not included neither in the autoconf nor automake
2020-04-21 14:19:48 +02:00
Ondřej Surý
4df5a5832c Remove files generated by autotools 2020-04-21 14:19:30 +02:00
Ondřej Surý
98b3b93791 Remove python based tools (dnssec-keymgr, dnssec-coverage, dnssec-checkds)
With the introduction of dnssec-policy, the aforementioned tools were
either rendered obsolete, or they will be replaced with dnssec-policy
based tools.  Remove the tools and the requirement to have Python
installed.  Python 3 is still being used for tests, so keep the autoconf
test, but make it much simpler.
2020-04-21 14:19:30 +02:00
Ondřej Surý
4b8e599855 Merge branch 'ondrej/enable-quota-test-in-Kyuatest' into 'master'
Enable quota_test in Kyuafile

See merge request isc-projects/bind9!3408
2020-04-21 12:18:07 +00:00
Witold Kręcicki
62f738ba48 Fix detaching the extra quotas in the quota_test 2020-04-21 14:17:20 +02:00
Ondřej Surý
54defc8b78 Enable quota_test in Kyuafile 2020-04-21 12:30:11 +02:00
Mark Andrews
6b98a58c58 Merge branch 'marka-placeholer' into 'master'
Marka placeholer

See merge request isc-projects/bind9!3407
2020-04-20 23:59:50 +00:00
Mark Andrews
4dd73e408f placeholder 2020-04-21 09:57:42 +10:00
Ondřej Surý
cbfd8aae94 Merge branch '1763-pkcs11-code-cleanups' into 'master'
Update to PKCS#11 v3.0 EdDSA macros and cleanup the PKCS#11 code

See merge request isc-projects/bind9!3391
2020-04-20 09:55:51 +00:00
Ondřej Surý
48473d464f Add CHANGES 2020-04-20 11:48:45 +02:00
Ondřej Surý
cf30e7d0d1 Use switch instead of if when evaluating curves
Previously, the code would do:

    REQUIRE(alg == CURVE1 || alg == CURVE2);

    [...]

    if (alg == CURVE1) { /* code for CURVE1 */ }
    else { /* code for CURVE2 */ }

This approach is less extensible and also more prone to errors in case
the initial REQUIRE() is forgotten.  The code has been refactored to
use:

    REQUIRE(alg == CURVE1 || alg == CURVE2);

    [...]

    switch (alg) {
    case CURVE1: /* code for CURVE1 */; break;
    case CURVE2: /* code for CURVE2 */; break;
    default: INSIST(0);
    }
2020-04-20 11:40:42 +02:00
Ondřej Surý
da38bd0e1d Refactor the code using the pk11 ECC constants.
The pk11/constants.h header contained static CK_BYTE arrays and
we had to use #defines to pull only those we need.  This commit
changes the constants to only define byte arrays with the content
and either use them directly or define the CK_BYTE arrays locally
where used.
2020-04-20 11:40:42 +02:00
Ondřej Surý
9d979d7cd6 Only print warning when PKCS#11 dnssec-keygen fails from Edwards curves 2020-04-20 11:40:42 +02:00
Aaron Thompson
541d7bafe6 Fix a segfault when a PKCS#11 token is not found. 2020-04-20 11:40:42 +02:00
Aaron Thompson
46cae09023 Fix bad syntax in pkcs11eddsa_link.c.
Introduced in 994e656977.
2020-04-20 11:40:41 +02:00
Aaron Thompson
3e685fe01a Update to PKCS#11 v3.0 EdDSA macros. 2020-04-20 11:40:41 +02:00
Aaron Thompson
2ef379d911 Fix compiler warnings about unused pk11 constants. 2020-04-20 11:40:41 +02:00
Aaron Thompson
d28c7dadbb Remove remaining PKCS#11 DH references.
Missed in 0a73c9f137 and 8efd394c80.
2020-04-20 11:40:41 +02:00
Aaron Thompson
6a6485a531 Remove unnecessary forward declarations. 2020-04-20 11:40:41 +02:00
Aaron Thompson
7744aece03 Finish refactoring pkcs11eddsa_link.c after isc_buffer_allocate change.
Left over after c73e5866c4.
2020-04-20 11:40:41 +02:00
Aaron Thompson
b4a7bfd55e Remove unreachable label in pkcs11eddsa_link.c.
Missed in ae83801e2b.
2020-04-20 11:40:41 +02:00
Aaron Thompson
7fc4f926fb Finish refactoring after the removal of --with-ecdsa and --with-eddsa.
Missed in c3b8130fe8.
2020-04-20 11:40:41 +02:00
Aaron Thompson
48e0c0bc4a Remove old comment.
Missed in 6aae193ded.
2020-04-20 11:40:41 +02:00
Aaron Thompson
bb158e8a4c Finish replacing OP_EC with OP_ECDSA/OP_EDDSA.
Missed in c3b8130fe8.
2020-04-20 11:40:41 +02:00
Aaron Thompson
b217052081 Fix incorrect PKCS11 macro in dnssec-revoke.
Missed in c3b8130fe8.
2020-04-20 11:40:41 +02:00
Mark Andrews
54eba4fca3 Merge branch '1768-move-dns_peer_t-into-peer-c' into 'master'
Resolve "move dns_peer_t into peer.c"

Closes #1768

See merge request isc-projects/bind9!3400
2020-04-20 09:39:36 +00:00
Mark Andrews
eeeaf9dbd4 Move structure declarations from dns/peer.h into peer.c 2020-04-20 08:59:09 +00:00
Mark Andrews
548ec481fb Merge branch '1674-reject-axfr-streams-with-bad-id' into 'master'
Reject AXFR streams with bad message id

Closes #1674

See merge request isc-projects/bind9!3382
2020-04-20 08:58:27 +00:00
Mark Andrews
ba445afb4f Check that bad message id's are caught by named 2020-04-20 18:24:12 +10:00
Mark Andrews
ac45bde2fa Convert to using retry_quiet and nextpart 2020-04-20 18:24:12 +10:00
Mark Andrews
33eee6572a Reject AXFR streams where the message id is not consistent. 2020-04-20 18:24:12 +10:00
Matthijs Mekking
149296a19c Merge branch '1737-coverity-dst_key_gettime' into 'master'
Address Coverity warnings in keymgr.c

Closes #1737

See merge request isc-projects/bind9!3335
2020-04-20 07:42:27 +00:00
Matthijs Mekking
564f9dca35 Address Coverity warnings in keymgr.c
Coverity showed that the return value of `dst_key_gettime` was
unchecked in INITIALIZE_STATE. If DST_TIME_CREATED was not set we
would set the state to be initialized to a weird last changed time.

This would normally not happen because DST_TIME_CREATED is always
set. However, we would rather set the time to now (as the comment
also indicates) not match the creation time.

The comment on INITIALIZE_STATE also needs updating as we no
longer always initialize to HIDDEN.
2020-04-20 09:21:40 +02:00
Michał Kępień
d177585cb8 Merge branch '1753-make-isc-rwlock-implementation-the-default-again' into 'master'
Make ISC rwlock implementation the default again

Closes #1753

See merge request isc-projects/bind9!3375
2020-04-17 06:39:06 +00:00
Michał Kępień
58daa5af1e Add CHANGES entry
5385.	[func]		Make ISC rwlock implementation the default again.
			[GL #1753]
2020-04-17 08:36:24 +02:00
Michał Kępień
0cf1e2bf62 Add a release note 2020-04-17 08:36:24 +02:00
Michał Kępień
17101fd093 Make ISC rwlock implementation the default again
Revert the change from ad03c22e97 as
further testing has shown that with hyper-threading disabled, named with
ISC rwlocks outperforms named with pthread rwlocks in cold cache testing
scenarios.  Since building named with pthread rwlocks might still be a
better choice for some workloads, keep the compile-time option which
enables that.
2020-04-17 08:36:24 +02:00
Michał Kępień
8471206bac Merge branch '1765-create-empty-release-notes-for-for-9-17-2-9-16-9-11' into 'master'
create empty release notes for 9.17.2

Closes #1765

See merge request isc-projects/bind9!3395
2020-04-17 06:30:36 +00:00
Michał Kępień
63f921a537 Add empty relase notes for 9.17.2 2020-04-17 10:10:06 +10:00
Michał Kępień
bb4a7eeba4 Merge branch 'mnowak/abi-tracker-helper-v9_17_1' into 'master'
abi-check: Update BIND_BASELINE_VERSION to v9_17_1

See merge request isc-projects/bind9!3384
2020-04-16 21:21:51 +00:00
Michal Nowak
2234bbe37e abi-check: Update BIND_BASELINE_VERSION to v9_17_1 2020-04-16 21:21:24 +00:00
Michał Kępień
69c6a26ee3 Merge branch 'v9_17_1-release' into 'master'
Merge 9.17.1 release branch

See merge request isc-projects/bind9!3392
2020-04-16 21:05:31 +00:00
Tinderbox User
7c7c5577f5 regen master 2020-04-16 23:03:55 +02:00
Tinderbox User
bf2020a171 prep 9.17.1 2020-04-16 23:03:54 +02:00
Ondřej Surý
c691f1f27d Merge branch '1763-improve-isc_buffer-API-documentation' into 'master'
Fix/improve some comments in buffer.h.

Closes #1763

See merge request isc-projects/bind9!3388
2020-04-16 13:57:54 +00:00
Aaron Thompson
850d8ae019 Fix/improve some comments in buffer.h.
isc_buffer_dup now cannot fail as a result of c73e5866c4.
2020-04-16 15:57:33 +02:00
Matthijs Mekking
5a26673d49 Merge branch '1709-dnssec-policy-inlinesigning' into 'master'
Resolve "dnssec-policy implicitly enables inline-signing"

Closes #1709

See merge request isc-projects/bind9!3362
2020-04-16 13:01:35 +00:00
Matthijs Mekking
acae6cf438 Update changes 2020-04-16 14:24:25 +02:00
Matthijs Mekking
e3aa12fc0a Add kasp tests dyn update zone
Add two tests that checks that dynamic zones
can be updated and will be signed appropriately.
One zone covers an update with freeze/thaw, the
other covers an update through nsupdate.
2020-04-16 14:22:47 +02:00
Matthijs Mekking
644f0d958a dnssec-policy: to sign inline or not
When dnssec-policy was introduced, it implicitly set inline-signing.
But DNSSEC maintenance required either inline-signing to be enabled,
or a dynamic zone.  In other words, not in all cases you want to
DNSSEC maintain your zone with inline-signing.

Change the behavior and determine whether inline-signing is
required: if the zone is dynamic, don't use inline-signing,
otherwise implicitly set it.

You can also explicitly set inline-signing to yes with dnssec-policy,
the restriction that both inline-signing and dnssec-policy cannot
be set at the same time is now lifted.

However, 'inline-signing no;' on a non-dynamic zone with a
dnssec-policy is not possible.
2020-04-16 14:22:47 +02:00
Matthijs Mekking
1055575cfe Merge branch 'matthijs-fix-digdelv-yamlget' into 'master'
Fix digdelv test

See merge request isc-projects/bind9!3383
2020-04-16 12:16:40 +00:00
Matthijs Mekking
464d0417d1 Fix digdelv test
The yamlget.py file was changed in !3311 as part of making the
python code pylint and flake8 compliant.  This omitted setting
'item' to 'item[key]' which caused the digdelv yaml tests to fail.

Also, the pretty printing is not really necessary, so remove
the "if key not in item; print error" logic.
2020-04-16 11:50:33 +02:00
Matthijs Mekking
2e7bfad2e9 Merge branch 'matthijs-dnssec-keys-trust-anchors-leftovers' into 'master'
Replace dnssec-keys leftovers with trust-anchors

See merge request isc-projects/bind9!3363
2020-04-16 08:49:46 +00:00
Matthijs Mekking
4b5711fd3b Replace leftover DNSSEC-KEYS with TRUST-ANCHORS
Change 5332 renamed "dnssec-keys" configuration statement to the
more descriptive "trust-anchors".  Not all occurrences in the
documentation had been updated.
2020-04-16 08:10:08 +02:00
Ondřej Surý
fd0021061d Merge branch '1755-tune-the-windows-build-so-we-can-use-wx-equivalent-of-werror' into 'master'
Resolve "Tune the Windows build, so we can use /WX (equivalent of -Werror)"

Closes #1755

See merge request isc-projects/bind9!3369
2020-04-16 05:54:34 +00:00
Ondřej Surý
9b0e85cbd5 Don't escape spaces in CONFIGARGS, use double backslash with all whitespace 2020-04-15 14:56:35 +02:00
Ondřej Surý
e3076c4caa Align the irs_getnameinfo() declaration and definition on Windows 2020-04-15 14:03:40 +02:00
Ondřej Surý
b6c2012d93 Disable MSB8028 warning
All our MSVS Project files share the same intermediate directory.  We
know that this doesn't cause any problems, so we can just disable the
detection in the project files.

Example of the warning:

  warning MSB8028: The intermediate directory (.\Release\) contains files shared from another project (dnssectool.vcxproj).  This can lead to incorrect clean and rebuild behavior.
2020-04-15 13:37:12 +02:00
Ondřej Surý
4ffe725585 Fix the discrepancy between cfg_pluginlist_foreach declaration and definition
There was a missing indirection for the pluginlist_cb_t *callback in the
declaration of the cfg_pluginlist_foreach function.  Reported by MSVC as:

  lib\isccfg\parser.c(4057): warning C4028: formal parameter 4 different from declaration
2020-04-15 12:50:28 +02:00
Ondřej Surý
60c632ab91 Workaround MSVC warning C4477
Due to a way the stdatomic.h shim is implemented on Windows, the MSVC
always things that the outside type is the largest - atomic_(u)int_fast64_t.
This can lead to false positives as this one:

  lib\dns\adb.c(3678): warning C4477: 'fprintf' : format string '%u' requires an argument of type 'unsigned int', but variadic argument 2 has type 'unsigned __int64'

We workaround the issue by loading the value in a scoped local variable
with correct type first.
2020-04-15 12:47:42 +02:00
Ondřej Surý
063e05491b Disable C4090 MSVC warning
MSVC documentation states: "This warning can be caused when a pointer to
a const or volatile item is assigned to a pointer not declared as
pointing to const or volatile."

Unfortunately, this happens when we dynamically allocate and deallocate
block of atomic variables using isc_mem_get and isc_mem_put.

Couple of examples:

  lib\isc\hp.c(134): warning C4090: 'function': different 'volatile' qualifiers [C:\builds\isc-projects\bind9\lib\isc\win32\libisc.vcxproj]
  lib\isc\hp.c(144): warning C4090: 'function': different 'volatile' qualifiers [C:\builds\isc-projects\bind9\lib\isc\win32\libisc.vcxproj]
  lib\isc\stats.c(55): warning C4090: 'function': different 'volatile' qualifiers [C:\builds\isc-projects\bind9\lib\isc\win32\libisc.vcxproj]
  lib\isc\stats.c(87): warning C4090: 'function': different 'volatile' qualifiers [C:\builds\isc-projects\bind9\lib\isc\win32\libisc.vcxproj]
2020-04-15 12:47:42 +02:00
Ondřej Surý
54168d55c0 Fix invalid cast in win32 stdatomic.h shim
The InterlockedOr8() and InterlockedAnd8() first argument was cast
to (atomic_int_fast8_t) instead of (atomic_int_fast8_t *), this was
reported by MSVC as:

  warning C4024: '_InterlockedOr8': different types for formal and actual parameter 1
  warning C4024: '_InterlockedAnd8': different types for formal and actual parameter 1
2020-04-15 12:47:42 +02:00
Ondřej Surý
70318943fe Remove the Windows build job dependency on autoreconf job 2020-04-15 12:47:42 +02:00
Ondřej Surý
b1f66d1e13 Disable MSVC C4133 when using stdatomic.h win32 shim 2020-04-15 12:45:05 +02:00
Ondřej Surý
6f3c201ff4 append_file() should return void as it doesn't return anything and we don't check for return value 2020-04-15 12:45:05 +02:00
Ondřej Surý
948a23e6bb Don't return from void function 2020-04-15 12:45:05 +02:00
Ondřej Surý
789d253e3d Set WarningLevel to Level1 for Release, treat warnings as errors
Our vcxproj files set the WarningLevel to Level3, which is too verbose
for a code that needs to be portable.  That basically leads to ignoring
all the errors that MSVC produces.  This commits downgrades the
WarningLevel to Level1 and enables treating warnings as errors for
Release builds.  For the Debug builds the WarningLevel got upgraded to
Level4, and treating warnings as errors is explicitly disabled.

We should eventually make the code clean of all MSVC warnings, but it's
a long way to go for Level4, so it's more reasonable to start at Level1.

For reference[1], these are the warning levels as described by MSVC
documentation:

  * /W0 suppresses all warnings. It's equivalent to /w.
  * /W1 displays level 1 (severe) warnings. /W1 is the default setting
    in the command-line compiler.
  * /W2 displays level 1 and level 2 (significant) warnings.
  * /W3 displays level 1, level 2, and level 3 (production quality)
    warnings. /W3 is the default setting in the IDE.
  * /W4 displays level 1, level 2, and level 3 warnings, and all level 4
    (informational) warnings that aren't off by default. We recommend
    that you use this option to provide lint-like warnings. For a new
    project, it may be best to use /W4 in all compilations. This option
    helps ensure the fewest possible hard-to-find code defects.
  * /Wall displays all warnings displayed by /W4 and all other warnings
    that /W4 doesn't include — for example, warnings that are off by
    default.
  * /WX treats all compiler warnings as errors. For a new project, it
    may be best to use /WX in all compilations; resolving all warnings
    ensures the fewest possible hard-to-find code defects.

1. https://docs.microsoft.com/en-us/cpp/build/reference/compiler-option-warning-level?view=vs-2019
2020-04-15 12:45:05 +02:00
Michał Kępień
4f2b379967 Merge branch 'michal/fix-srcid-on-windows' into 'master'
Fix "srcid" on Windows

See merge request isc-projects/bind9!3364
2020-04-15 09:41:25 +00:00
Michał Kępień
05e13e7caf Fix "srcid" on Windows
Windows BIND releases produced by GitLab CI are built from Git
repositories, not from release tarballs, which means the "srcid" file is
not present in the top source directory when MSBuild is invoked.  This
causes the Git commit hash for such builds to be set to "unset_id".
Enable win32utils/Configure to try determining the commit hash for a
build by invoking Git on the build host if the "srcid" file is not
present (which is what its Unix counterpart does).
2020-04-15 11:38:40 +02:00
Ondřej Surý
8a24be074a Merge branch 'ondrej/add-missing-time.h-on-win32' into 'master'
Add missing time.h header in windows isc/time.h for missing prototypes

See merge request isc-projects/bind9!3368
2020-04-15 08:17:59 +00:00
Ondřej Surý
b9f68d098b Add missing time.h header in windows isc/time.h for missing prototypes
The win32 isc/time.h was missing <time.h> header leading to:

    lib\isc\win32\include\isc\time.h(29): warning C4013: 'gmtime_s'
    undefined; assuming extern returning int (compiling source file
    ..\app.c) [lib\isc\win32\libisc.vcxproj]

    lib\isc\win32\include\isc\time.h(39): warning C4013: 'localtime_s'
    undefined; assuming extern returning int (compiling source file
    ..\app.c) [lib\isc\win32\libisc.vcxproj]
2020-04-15 09:14:28 +02:00
Ondřej Surý
c87ce5a410 Merge branch 'ondrej/add-python-static-analysis-to-gitlab-ci' into 'master'
Add python static analysis to GitLab CI

See merge request isc-projects/bind9!3311
2020-04-15 05:29:06 +00:00
Ondřej Surý
1e4ff9d485 Make the python code pylint and flake8 compliant 2020-04-14 10:41:34 +02:00
Ondřej Surý
ee534592e3 Add pylint and flake8 tests to GitLab CI
Our python code didn't adhere to any coding standard.  In this commit, we add
flame8 (https://pypi.org/project/flake8/), and pylint (https://www.pylint.org/).

There's couple of exceptions:

- ans.py scripts are not checked, nor fixed as part of this MR
- pylint's missing-*-docstring and duplicate-code checks have
  been disabled via .pylintrc

Both exceptions should be removed in due time.
2020-04-14 10:41:34 +02:00
Michał Kępień
37eb17dd71 Merge branch 'michal/misc-doc-fixes' into 'master'
Miscellaneous documentation fixes

See merge request isc-projects/bind9!3357
2020-04-09 05:49:58 +00:00
Stephen Morris
623b6c94c0 Tweak release notes for BIND 9.17.1 2020-04-08 22:12:57 +02:00
Michał Kępień
dfe4009c30 Tweak CHANGES for BIND 9.17.1 2020-04-08 22:12:57 +02:00
Ondřej Surý
69e3ec9cb1 Merge branch 'bug/master/libisc-link' into 'master'
Link all dependent libraries to libisc

See merge request isc-projects/bind9!3323
2020-04-08 15:02:59 +00:00
Petr Menšík
4cc7d2412f Link all required libraries to libisc
It would fail to link -lisc without additional libraries, which should
not be required.
2020-04-08 14:40:15 +00:00
Ondřej Surý
5686298fd2 Merge branch 'ondrej/changes-notes-v9_16' into 'master'
Add missing CHANGES notes from v9_16 branch

See merge request isc-projects/bind9!3356
2020-04-08 13:10:34 +00:00
Ondřej Surý
2ef1149519 Add missing CHANGES notes from v9_16 branch 2020-04-08 15:07:56 +02:00
Ondřej Surý
78166f9c2d Merge branch 'ondrej/placeholder-it' into 'master'
CHANGES notes 5379. should have been placeholder

See merge request isc-projects/bind9!3355
2020-04-08 12:52:07 +00:00
Ondřej Surý
bb6b3ea468 CHANGES notes 5379. should have been placeholder 2020-04-08 14:48:55 +02:00
Ondřej Surý
9c6533855e Merge branch 'ondrej/missing-changes-v9_11' into 'master'
Add missing CHANGES notes from v9_11 branch

See merge request isc-projects/bind9!3352
2020-04-08 12:44:26 +00:00
Ondřej Surý
434929b53d Add missing CHANGES notes from v9_11 branch 2020-04-08 14:42:46 +02:00
Michał Kępień
2786ef413f Merge branch '1742-work-around-an-msvc-bug' into 'master'
Work around an MSVC bug

Closes #1742

See merge request isc-projects/bind9!3347
2020-04-08 12:29:10 +00:00
Michał Kępień
4c4f5cccaa Work around an MSVC bug
The assembly code generated by MSVC for at least some signed comparisons
involving atomic variables incorrectly uses unsigned conditional jumps
instead of signed ones.  In particular, the checks in isc_log_wouldlog()
are affected in a way which breaks logging on Windows and thus also all
system tests involving a named instance.  Work around the issue by
assigning the values returned by atomic_load_acquire() calls in
isc_log_wouldlog() to local variables before performing comparisons.
2020-04-08 14:27:33 +02:00
Ondřej Surý
43e11807fc Merge branch 'ondrej/arch-ppc64le-v9_11-placeholder-in-master' into 'master'
Add placeholder

See merge request isc-projects/bind9!3348
2020-04-08 12:14:57 +00:00
Ondřej Surý
5c48788abd Add placeholder for !3295 2020-04-08 14:14:07 +02:00
Ondřej Surý
20f70f24ee Merge branch '1574-confidential-issue-rebinding-protection-fail-in-forwarding-mode-master' into 'master'
Resolve "DNS rebinding protection is ineffective when BIND is configured as a forwarding DNS server"

Closes #1574

See merge request isc-projects/bind9!3342
2020-04-08 07:42:13 +00:00
Ondřej Surý
157f2da837 Add release notes 2020-04-08 09:37:58 +02:00
Ondřej Surý
f15653454e Add CHANGES 2020-04-08 09:37:55 +02:00
Diego Fronza
eb7a664274 Add test for the proposed fix
This test asserts that option "deny-answer-aliases" works correctly
when forwarding requests.

As a matter of example, the behavior expected for a forwarder BIND
instance, having an option such as deny-answer-aliases { "domain"; }
is that when forwarding a request for *.anything-but-domain, it is
expected that it will return SERVFAIL if any answer received has a CNAME
for "*.domain".

(cherry picked from commit 9bdb960a16a69997b08746e698b6b02c8dc6c795)
2020-04-08 09:37:33 +02:00
Diego Fronza
cf7b0de1eb Fixed rebinding protection bug when using forwarder setups
BIND wasn't honoring option "deny-answer-aliases" when configured to
forward queries.

Before the fix it was possible for nameservers listed in "forwarders"
option to return CNAME answers pointing to unrelated domains of the
original query, which could be used as a vector for rebinding attacks.

The fix ensures that BIND apply filters even if configured as a forwarder
instance.

(cherry picked from commit af6a4de3d5ad6c1967173facf366e6c86b3ffc28)
2020-04-08 09:37:33 +02:00
Matthijs Mekking
f762ee6621 Merge branch '1669-kasp-test-fails-on-windows' into 'master'
Fix kasp timing issue on Windows

Closes #1669

See merge request isc-projects/bind9!3337
2020-04-08 07:25:56 +00:00
Matthijs Mekking
04e6711029 Increase migrate.kasp DNSKEY TTL
Increate the DNSKEY TTL of the migrate.kasp zone for the following
reason:  The key states are initialized depending on the timing
metadata. If a key is present long enough in the zone it will be
initialized to OMNIPRESENT.  Long enough here is the time when it
was published (when the setup script was run) plus DNSKEY TTL.
Otherwise it is set to RUMOURED, or to HIDDEN if no timing metadata
is set or the time is still in the future.

Since the TTL is "only" 5 minutes, the DNSKEY state may be
initialized to OMNIPRESENT if the test is slow, but we expect it
to be in RUMOURED state.  If we increase the TTL to a couple of
hours it is very unlikely that it will be initialized to something
else than RUMOURED.
2020-04-07 15:51:43 +02:00
Matthijs Mekking
8d3c0156f4 Fix ns6 template zonefile
The template zone file for server ns6 should have the ns6 domain
name, not ns3.
2020-04-07 15:34:13 +02:00
Matthijs Mekking
87c05fa62f Remove kasp Windows prereq check
Now that the timing issue is fixed, we can enable the kasp test
again on Windows.
2020-04-07 13:59:34 +02:00
Matthijs Mekking
62a97570b8 Fix kasp timing issue on Windows
This fixes another intermittent failure in the kasp system test.
It does not happen often, except for in the Windows platform tests
where it takes a long time to run the tests.

In the "kasp" system test, there is an "rndc reconfig" call which
triggers a new rekey event.  check_next_key_event() verifies the time
remaining from the moment "rndc reconfig" is called until the next key
event.  However, the next key event time is calculated from the key
times provided during key creation (i.e. during test setup).  Given
this, if "rndc reconfig" is called a significant amount of time after
the test is started, some check_next_key_event() checks will fail.

Fix by calculating the time passed since the start of the test and
when 'rndc reconfig' happens.  Substract this time from the
calculated next key event.

This only needs to be done after an "rndc reconfig" on zones where
the keymgr needs to wait for a period of time (for example for keys
to become OMNIPRESENT, or HIDDEN). This is on step 2 and step 5 of
the algorithm rollover.  In step 2 there is a waiting period before
the DNSKEY is OMNIPRESENT, in step 5 there is a waiting period
before the DNSKEY is HIDDEN.

In step 1 new keys are created, in step 3 and 4 key states just
entered OMNIPRESENT, and in step 6 we no longer care because the
key lifetime is unlimited and we default to checking once per hour.

Regardless of our indifference about the next key event after step 6,
change some of the key timings in the setup script to better
reflect reality: DNSKEY is in HIDDEN after step 5, DS times have
changed when the new DS became active.
2020-04-07 13:59:34 +02:00
Mark Andrews
58a5e6fba7 Merge branch '1715-kasp-system-test-timing-issue-with-view-zones-2' into 'master'
Resolve "kasp system test timing issue with view zones"

Closes #1715

See merge request isc-projects/bind9!3334
2020-04-06 09:29:05 +00:00
Mark Andrews
78746cfabd Wait for zone to be signed 2020-04-06 08:50:37 +00:00
Mark Andrews
73d426812d Merge branch '1715-kasp-system-test-timing-issue-with-view-zones' into 'master'
Resolve "kasp system test timing issue with view zones"

See merge request isc-projects/bind9!3333
2020-04-06 08:41:36 +00:00
Mark Andrews
5a4ab3360d Wait for DNSKEY records to be signed 2020-04-06 13:51:47 +10:00
Ondřej Surý
bb87613015 Merge branch '1087-fix-the-nonmatching-statcounter-increments-decrements' into 'master'
Fix the some of the underflowing statistics

See merge request isc-projects/bind9!3299
2020-04-03 18:19:17 +00:00
Ondřej Surý
22aaeb5150 Add CHANGES 2020-04-03 19:42:20 +02:00
Ondřej Surý
78886d4bed Fix the statistic counter underflow in ns_client_t
In case of normal fetch, the .recursionquota is attached and
ns_statscounter_recursclients is incremented when the fetch is created.  Then
the .recursionquota is detached and the counter decremented in the
fetch_callback().

In case of prefetch or rpzfetch, the quota is attached, but the counter is not
incremented.  When we reach the soft-quota, the function returns early but don't
detach from the quota, and it gets destroyed during the ns_client_endrequest(),
so no memory was leaked.

But because the ns_statscounter_recursclients is only incremented during the
normal fetch the counter would be incorrectly decremented on two occassions:

1) When we reached the softquota, because the quota was not properly detached
2) When the prefetch or rpzfetch was cancelled mid-flight and the callback
   function was never called.
2020-04-03 19:41:46 +02:00
Ondřej Surý
26842ac25c Remove the extra decstats on STATID_ACTIVE for children sockets 2020-04-03 19:41:46 +02:00
Witold Kręcicki
4ffd4cd4f6 Fix the memory ordering for the isc stats to be acquire-release 2020-04-03 19:41:46 +02:00
Matthijs Mekking
663047ac8b Merge branch '1179-dnssec-stats-oom-kill' into 'master'
Resolve "OOM issue after upgrade from 9.14.3 to 9.14.4"

Closes #1179

See merge request isc-projects/bind9!3304
2020-04-03 07:59:11 +00:00
Matthijs Mekking
386890a161 Update release notes 2020-04-03 09:27:15 +02:00
Matthijs Mekking
c1723b2535 Replace hard coded value with constant 2020-04-03 09:27:15 +02:00
Matthijs Mekking
1596d3b498 Merge if blocks in statschannel.c 2020-04-03 09:27:15 +02:00
Matthijs Mekking
44b49955e1 Replace sign operation bool with enum 2020-04-03 09:27:15 +02:00
Matthijs Mekking
b2028e26da Embed algorithm in key tag counter
Key tags are not unique across algorithms.
2020-04-03 09:27:15 +02:00
Matthijs Mekking
eb6a8b47d7 Group the keyid with the counters
Rather than group key ids together, group key id with its
corresponding counters. This should make growing / shrinking easier
than having keyids then counters.
2020-04-03 09:27:15 +02:00
Matthijs Mekking
31e8b2b13c Add test for many keys
Add a statschannel test case for DNSSEC sign metrics that has more
keys than there are allocated stats counters for.  This will produce
gibberish, but at least it should not crash.
2020-04-03 09:27:15 +02:00
Matthijs Mekking
705810d577 Redesign dnssec sign statistics
The first attempt to add DNSSEC sign statistics was naive: for each
zone we allocated 64K counters, twice.  In reality each zone has at
most four keys, so the new approach only has room for four keys per
zone. If after a rollover more keys have signed the zone, existing
keys are rotated out.

The DNSSEC sign statistics has three counters per key, so twelve
counters per zone. First counter is actually a key id, so it is
clear what key contributed to the metrics.  The second counter
tracks the number of generated signatures, and the third tracks
how many of those are refreshes.

This means that in the zone structure we no longer need two separate
references to DNSSEC sign metrics: both the resign and refresh stats
are kept in a single dns_stats structure.

Incrementing dnssecsignstats:

Whenever a dnssecsignstat is incremented, we look up the key id
to see if we already are counting metrics for this key.  If so,
we update the corresponding operation counter (resign or
refresh).

If the key is new, store the value in a new counter and increment
corresponding counter.

If all slots are full, we rotate the keys and overwrite the last
slot with the new key.

Dumping dnssecsignstats:

Dumping dnssecsignstats is no longer a simple wrapper around
isc_stats_dump, but uses the same principle.  The difference is that
rather than dumping the index (key tag) and counter, we have to look
up the corresponding counter.
2020-04-03 09:27:11 +02:00
Matthijs Mekking
157eb5cd30 Merge branch '1706-dnssec-policy-migration' into 'master'
Resolve "Changing from auto-dnssec maintain to dnssec-policy x immediately deletes existing keys"

Closes #1706

See merge request isc-projects/bind9!3322
2020-04-03 06:54:46 +00:00
Matthijs Mekking
551acb44f4 Test migration to dnssec-policy, change algorithm
Add a test to ensure migration from 'auto-dnssec maintain;' to
dnssec-policy works even if the algorithm is changed.  The existing
keys should not be removed immediately, but their goal should be
changed to become hidden, and the new keys with the different
algorithm should be introduced immediately.
2020-04-03 08:29:22 +02:00
Matthijs Mekking
2389fcb4dc Only initialize goal on active keys
If we initialize goals on all keys, superfluous keys that match
the policy all desire to be active.  For example, there are six
keys available for a policy that needs just two, we only want to
set the goal state to OMNIPRESENT on two keys, not six.
2020-04-03 08:29:22 +02:00
Matthijs Mekking
f47e697da3 Update documentation with !1706 fix 2020-04-03 08:29:22 +02:00
Matthijs Mekking
7f43520893 Test migration to dnssec-policy, retire old keys
Migrating from 'auto-dnssec maintain;' to dnssec-policy did not
work properly, mainly because the legacy keys were initialized
badly.  Earlier commit deals with migration where existing keys
match the policy.  This commit deals with migration where existing
keys do not match the policy.  In that case, named must not
immediately delete the existing keys, but gracefully roll to the
dnssec-policy.

However, named did remove the existing keys immediately.  This is
because the legacy key states were initialized badly.  Because
those keys had their states initialized to HIDDEN or RUMOURED, the
keymgr decides that they can be removed (because only when the key
has its states in OMNIPRESENT it can be used safely).

The original thought to initialize key states to HIDDEN (and
RUMOURED to deal with existing keys) was to ensure that those keys
will go through the required propagation time before the keymgr
decides they can be used safely.  However, those keys are already
in the zone for a long time and making the key states represent
otherwise is dangerous: keys may be pulled out of the zone while
in fact they are required to establish the chain of trust.

Fix initializing key states for existing keys by looking more closely
at the time metadata.  Add TTL and propagation delays to the time
metadata and see if the DNSSEC records have been propagated.
Initialize the state to OMNIPRESENT if so, otherwise initialize to
RUMOURED.  If the time metadata is in the future, or does not exist,
keep initializing the state to HIDDEN.

The added test makes sure that new keys matching the policy are
introduced, but existing keys are kept in the zone until the new
keys have been propagated.
2020-04-03 08:29:22 +02:00
Matthijs Mekking
a224754d59 Tweak kasp system test
A few kasp system test tweaks to improve test failure debugging and
deal with tests related to migration to dnssec-policy.

1. When clearing a key, set lifetime to "none".  If "none", skip
   expect no lifetime set in the state file.  Legacy keys that
   are migrated but don't match the dnssec-policy will not have a
   lifetime.

2. The kasp system test prints which key id and file it is checking.
   Log explicitly if we are checking the id or a file.

3. Add quotes around "ID" when setting the key id, for consistency.

4. Fix a typo (non -> none).

5. Print which key ids are found, this way it is easier to see what
   KEY[1-4] failed to match one of the key files.
2020-04-03 08:29:22 +02:00
Matthijs Mekking
6801899134 Fix and test migration to dnssec-policy
Migrating from 'auto-dnssec maintain;' to dnssec-policy did not
work properly, mainly because the legacy keys were initialized
badly. Several adjustments in the keymgr are required to get it right:

- Set published time on keys when we calculate prepublication time.
  This is not strictly necessary, but it is weird to have an active
  key without the published time set.

- Initalize key states also before matching keys. Determine the
  target state by looking at existing time metadata: If the time
  data is set and is in the past, it is a hint that the key and
  its corresponding records have been published in the zone already,
  and the state is initialized to RUMOURED. Otherwise, initialize it
  as HIDDEN. This fixes migration to dnssec-policy from existing
  keys.

- Initialize key goal on keys that match key policy to OMNIPRESENT.
  These may be existing legacy keys that are being migrated.

- A key that has its goal to OMNIPRESENT *or* an active key can
  match a kasp key.  The code was changed with CHANGE 5354 that
  was a bugfix to prevent creating new KSK keys for zones in the
  initial stage of signing.  However, this caused problems for
  restarts when rollovers are in progress, because an outroducing
  key can still be an active key.

The test for this introduces a new KEY property 'legacy'.  This is
used to skip tests related to .state files.
2020-04-03 08:29:22 +02:00
Ondřej Surý
49b42e7fcc Merge branch '1717-rwlock-contention-in-isc_log_wouldlog-api-performance-impact' into 'master'
Reduce rwlock contention in isc_log_wouldlog()

Closes #1717

See merge request isc-projects/bind9!3321
2020-04-03 05:01:33 +00:00
Ondřej Surý
3a24eacbb6 Reduce rwlock contention in isc_log_wouldlog()
The rwlock introduced to protect the .logconfig member of isc_log_t
structure caused a significant performance drop because of the rwlock
contention.  It was also found, that the debug_level member of said
structure was not protected from concurrent read/writes.

The .dynamic and .highest_level members of isc_logconfig_t structure
were actually just cached values pulled from the assigned channels.

We introduced an even higher cache level for .dynamic and .highest_level
members directly into the isc_log_t structure, so we don't have to
access the .logconfig member in the isc_log_wouldlog() function.
2020-04-02 11:23:16 +02:00
Evan Hunt
8e74974ce1 Merge branch '1447-incremental-rpz-update' into 'master'
incrementally clean up old RPZ records during updates

Closes #1447

See merge request isc-projects/bind9!3318
2020-04-01 03:38:31 +00:00
Evan Hunt
899f9440c0 CHANGES and release note 2020-03-31 19:41:41 -07:00
Evan Hunt
32da119ed8 incrementally clean up old RPZ records during updates
After an RPZ zone is updated via zone transfer, the RPZ summary
database is updated, inserting the newly added names in the policy
zone and deleting the newly removed ones. The first part of this
was quantized so it would not run too long and starve other tasks
during large updates, but the second part was not quantized, so
that an update in which a large number of records were deleted
could cause named to become briefly unresponsive.
2020-03-31 19:41:41 -07:00
Mark Andrews
0c350fbcb7 Merge branch 'marka-empty-release-notes' into 'master'
add empty release notes for 9.17.1

See merge request isc-projects/bind9!3313
2020-03-31 03:31:38 +00:00
Mark Andrews
503e2dff64 add empty release notes for 9.17.1 2020-03-31 14:10:49 +11:00
Witold Krecicki
d02a58adc0 Merge branch '1700-proper-tcp-resuming' into 'master'
Deactivate the handle before sending the async close callback.

Closes #1700

See merge request isc-projects/bind9!3303
2020-03-30 10:27:01 +00:00
Witold Kręcicki
01c4c3301e Deactivate the handle before sending the async close callback.
We could have a race between handle closing and processing async
callback. Deactivate the handle before issuing the callback - we
have the socket referenced anyway so it's not a problem.
2020-03-30 10:26:05 +02:00
Witold Krecicki
2df610a882 Merge branch 'wpk/quota-callback' into 'master'
isc_quota_attach_cb - quota attach function with a callback.

See merge request isc-projects/bind9!3280
2020-03-30 08:17:31 +00:00
Witold Kręcicki
d151a10f30 Add a quota attach function with a callback, some code cleanups.
We introduce a isc_quota_attach_cb function - if ISC_R_QUOTA is returned
at the time the function is called, then a callback will be called when
there's quota available (with quota already attached). The callbacks are
organized as a LIFO queue in the quota structure.
It's needed for TCP client quota -  with old networking code we had one
single place where tcp clients quota was processed so we could resume
accepting when the we had spare slots, but it's gone with netmgr - now
we need to notify the listener/accepter that there's quota available so
that it can resume accepting.

Remove unused isc_quota_force() function.

The isc_quote_reserve and isc_quota_release were used only internally
from the quota.c and the tests.  We should not expose API we are not
using.
2020-03-30 07:43:10 +00:00
Mark Andrews
5826c85a22 Merge branch '1678-bind-fails-to-build-with-mysql-support-against-mysql8-mysql-connector-8' into 'master'
Resolve "BIND fails to build with MYSQL support against mysql8/mysql-connector-8"

Closes #1678

See merge request isc-projects/bind9!3235
2020-03-26 22:03:11 +00:00
Ondřej Surý
715b7a7cec Use compound literals in mysql_options() call
Makes use of compound literals instead of using extra my_bool
variable just to hold "true/1" value.
2020-03-26 20:36:43 +00:00
Mark Andrews
c6d5d5c88f Typedef my_bool if missing.
ORACLE MySQL 8.0 has dropped the my_bool type, so we need to reinstate
it back when compiling with that version or higher.  MariaDB is still
keeping the my_bool type.  The numbering between the two (MariaDB 5.x
jumped to MariaDB 10.x) doesn't make the life of the developer easy.
2020-03-26 20:36:43 +00:00
Mark Andrews
7af9883b48 remove unused variable 2020-03-26 20:36:43 +00:00
Michał Kępień
3377bc4b02 Merge branch 'michal/misc-gitlab-ci-yml-cleanups' into 'master'
Miscellaneous .gitlab-ci.yml cleanups

See merge request isc-projects/bind9!3298
2020-03-26 10:40:13 +00:00
Michał Kępień
3d121ede6c Remove unused YAML anchors
Some YAML anchors defined in .gitlab-ci.yml are not subsequently used.
Remove them to prevent confusion.
2020-03-26 11:03:52 +01:00
Michał Kępień
3d264dbe81 Do not install compiledb in cppcheck job
compiledb is already included in the Docker image used by the cppcheck
job.  Do not attempt installing it again.
2020-03-26 11:03:52 +01:00
Michał Kępień
0c898084cd Include compiler name in all build/test job names
Most build/test job names already contain a "clang", "gcc", or "msvc"
prefix which indicates the compiler used for a given job.  Apply that
naming convention to all build/test job names.
2020-03-26 11:03:52 +01:00
Michał Kępień
84463f33bf Refactor TSAN unit test job definitions
Multiple YAML keys have identical values for both TSAN unit test job
definitions.  Extract these common keys to a YAML anchor and use it in
TSAN unit test job definitions to reduce code duplication.
2020-03-26 11:03:52 +01:00
Michał Kępień
6ebce9425e Run "kyua report-html" for TSAN unit test jobs
Definitions of jobs running unit tests under TSAN contain an
"after_script" YAML key.  Since the "unit_test_job" anchor is included
in those job definitions before "after_script" is defined, the
job-specific value of that key overrides the one defined in the included
anchor.  This prevents "kyua report-html" from being run for TSAN unit
test jobs.  Moving the invocation of "kyua report-html" to the "script"
key in the "unit_test_job" anchor is not acceptable as it would cause
the exit code of that command to determine the result of all unit test
jobs and we need that to be the exit code of "make unit".  Instead, add
"kyua report-html" invocations to the "after_script" key of TSAN unit
test job definitions to address the problem without affecting other job
definitions.
2020-03-26 11:03:52 +01:00
Michał Kępień
a9aa295f1f Refactor TSAN system test job definitions
Multiple YAML keys have identical values for both TSAN system test job
definitions.  Extract these common keys to a YAML anchor and use it in
TSAN system test job definitions to reduce code duplication.
2020-03-26 11:03:52 +01:00
Michał Kępień
8ef01c7b50 Drop "before_script" key from TSAN job definitions
Both "system_test_job" and "unit_test_job" YAML anchors contain a
"before_script" key.  TSAN job definitions first specify their own value
of the "before_script" key and then include the aforementioned YAML
anchors, which results in the value of the "before_script" key being
overridden with the value specified by the included anchor.  Given this,
remove "before_script" definitions specific to TSAN jobs as they serve
no practical purpose.
2020-03-26 11:03:52 +01:00
Michał Kępień
6325c0993a Define TSAN options in a global variable
All assignments for the TSAN_OPTIONS variable are identical across the
entire .gitlab-ci.yml file.  Define a global TSAN_OPTIONS_COMMON
variable and use it in job definitions to reduce code duplication.
2020-03-26 11:03:52 +01:00
Ondřej Surý
4167eba3c3 Merge branch '1679-fix-the-typecase-to-isc_stdtime_get' into 'master'
Correct the typecast of .tv_sec in isc_stdtime_get()

Closes #1679

See merge request isc-projects/bind9!3294
2020-03-25 21:31:34 +00:00
Ondřej Surý
7c8179c503 Correct the typecast of .tv_sec in isc_stdtime_get() 2020-03-25 22:08:50 +01:00
Ondřej Surý
03727c1462 Merge branch '1679-fix-the-tv_nsec_check' into 'master'
Fix the tv_nsec check in isc_stdtime_get()

Closes #1679

See merge request isc-projects/bind9!3292
2020-03-25 19:28:59 +00:00
Ondřej Surý
0d06a62dd1 Fix the tv_nsec check in isc_stdtime_get() 2020-03-25 19:06:50 +01:00
Ondřej Surý
4154677f2e Merge branch 'ondrej/no-clang-on-debian-sid' into 'master'
Rewrite .gitlab-ci.yml to have 'base_image' and other GitLab CI improvements

See merge request isc-projects/bind9!3279
2020-03-25 17:05:27 +00:00
Ondřej Surý
281531d82b Replace clang:stretch:amd64 build with clang:buster:amd64 build (+ add missing system test) 2020-03-25 18:04:24 +01:00
Ondřej Surý
ec72d1100d Replace bear with compiledb and drop MAKE_COMMAND because we don't need it 2020-03-25 18:04:24 +01:00
Ondřej Surý
5f5721aa11 Adjust the GitLab CI jobs to match the new images
The custom builds (oot, asan, tsan) were mostly built using Debian sid
amd64 image.  The problem was that this image broke too easily, because
it's Debian "unstable" after all.

This commit introduces "base_image" that should be most stable with
extra bits on top (clang, coccinelle, cppcheck, ...).  Currently, that
would be Debian buster amd64.

Other changes introduced by this commit:

* Change the default clang version to 10
* Run both ASAN and TSAN with both gcc and clang compilers
* Remove Clang Debian stretch i386 job
2020-03-25 18:04:24 +01:00
Ondřej Surý
d07c3d6c8c Merge branch 'ondrej/scan-build-10-fixes' into 'master'
Fix new warnings reported by scan-build from LLVM/Clang 10

See merge request isc-projects/bind9!3285
2020-03-25 17:02:55 +00:00
Ondřej Surý
ddd0d356e5 Fix 'Dereference of null pointer' from scan-build-10
These are mostly false positives, the clang-analyzer FAQ[1] specifies
why and how to fix it:

> The reason the analyzer often thinks that a pointer can be null is
> because the preceding code checked compared it against null. So if you
> are absolutely sure that it cannot be null, remove the preceding check
> and, preferably, add an assertion as well.

The 4 warnings reported are:

dnssec-cds.c:781:4: warning: Access to field 'base' results in a dereference of a null pointer (loaded from variable 'buf')
                        isc_buffer_availableregion(buf, &r);
                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/builds/isc-projects/bind9/lib/isc/include/isc/buffer.h:996:36: note: expanded from macro 'isc_buffer_availableregion'
                                   ^
/builds/isc-projects/bind9/lib/isc/include/isc/buffer.h:821:16: note: expanded from macro 'ISC__BUFFER_AVAILABLEREGION'
                (_r)->base = isc_buffer_used(_b);              \
                             ^~~~~~~~~~~~~~~~~~~
/builds/isc-projects/bind9/lib/isc/include/isc/buffer.h:152:29: note: expanded from macro 'isc_buffer_used'
        ((void *)((unsigned char *)(b)->base + (b)->used)) /*d*/
                                   ^~~~~~~~~
1 warning generated.

--

byname_test.c:308:34: warning: Access to field 'fwdtable' results in a dereference of a null pointer (loaded from variable 'view')
                RUNTIME_CHECK(dns_fwdtable_add(view->fwdtable, dns_rootname,
                                               ^~~~~~~~~~~~~~
/builds/isc-projects/bind9/lib/isc/include/isc/util.h:318:52: note: expanded from macro 'RUNTIME_CHECK'
                                                   ^~~~
/builds/isc-projects/bind9/lib/isc/include/isc/error.h:50:21: note: expanded from macro 'ISC_ERROR_RUNTIMECHECK'
        ((void)(ISC_LIKELY(cond) ||  \
                           ^~~~
/builds/isc-projects/bind9/lib/isc/include/isc/likely.h:23:43: note: expanded from macro 'ISC_LIKELY'
                                            ^
1 warning generated.

--

./rndc.c:255:6: warning: Dereference of null pointer (loaded from variable 'host')
        if (*host == '/') {
            ^~~~~
1 warning generated.

--

./main.c:1254:9: warning: Access to field 'sctx' results in a dereference of a null pointer (loaded from variable 'named_g_server')
        sctx = named_g_server->sctx;
               ^~~~~~~~~~~~~~~~~~~~
1 warning generated.

References:
1. https://clang-analyzer.llvm.org/faq.html#null_pointer
2020-03-25 17:33:22 +01:00
Ondřej Surý
262f087bcf Fix 'Dead nested assignment's from scan-build-10
The 3 warnings reported are:

os.c:872:7: warning: Although the value stored to 'ptr' is used in the enclosing expression, the value is never actually read from 'ptr'
        if ((ptr = strtok_r(command, " \t", &last)) == NULL) {
             ^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.

--

rpz.c:1117:10: warning: Although the value stored to 'zbits' is used in the enclosing expression, the value is never actually read from 'zbits'
        return (zbits &= x);
                ^        ~
1 warning generated.

--

openssleddsa_link.c:532:10: warning: Although the value stored to 'err' is used in the enclosing expression, the value is never actually read from 'err'
        while ((err = ERR_get_error()) != 0) {
                ^     ~~~~~~~~~~~~~~~
1 warning generated.
2020-03-25 17:33:07 +01:00
Witold Krecicki
ec9f80cabc Merge branch 'wpk/tcpdns-refactoring' into 'master'
netmgr refactoring: use generic functions when operating on sockets.

See merge request isc-projects/bind9!3269
2020-03-24 20:57:21 +00:00
Witold Kręcicki
5fedd21e16 netmgr refactoring: use generic functions when operating on sockets.
tcpdns used transport-specific functions to operate on the outer socket.
Use generic ones instead, and select the proper call in netmgr.c.
Make the missing functions (e.g. isc_nm_read) generic and add type-specific
calls (isc__nm_tcp_read). This is the preparation for netmgr TLS layer.
2020-03-24 20:31:43 +00:00
Ondřej Surý
aed3927592 Merge branch 'ondrej/remove-debian-jessie-from-gitlab-ci' into 'master'
Remove Debian 8 ("jessie") from the GitLab CI

See merge request isc-projects/bind9!3281
2020-03-24 13:50:41 +00:00
Ondřej Surý
75f46cc3d1 Remove Debian 8 ("Jessie") from the GitLab CI
There are several reason why remove Debian 8 from the CI:

* Debian 8 ("jessie") has been superseded by Debian 9 ("stretch").
* Regular security support updates have been discontinued as of
  June 17th, 2018.
* Jessie LTS is supported from 17th June 2018 to June 30, 2020.

In other words, it's no longer officially supported by Debian security
team, but by the volunteer/paid contributor composed LTS team.  And the
release will be discontinued in three months from now.  We can use the
freed CI resources to bring new platforms or just to make the jobs run a
bit faster.
2020-03-24 14:24:47 +01:00
Michał Kępień
84a2ed67a1 Merge branch 'michal/update-release-checklist' into 'master'
Update release checklist (BIND_BASELINE_VERSION)

See merge request isc-projects/bind9!3278
2020-03-24 08:56:20 +00:00
Michał Kępień
b145071260 Update release checklist (BIND_BASELINE_VERSION)
The reference BIND version used in the ABI check CI job is not
determined automatically - it needs to be updated after each BIND
release.  Reflect that fact in the release checklist to make sure the
ABI check CI job is always comparing current code with the latest BIND
release on a given branch.
2020-03-24 07:36:24 +01:00
Mark Andrews
7da215f38b Merge branch '1698-converting-isc_log-to-rwlock-broke-windows' into 'master'
Resolve "Converting isc_log to RWLOCK broke Windows"

Closes #1698

See merge request isc-projects/bind9!3276
2020-03-24 04:22:43 +00:00
Mark Andrews
b7dbfd14d8 Used to the correct unlock type (read) 2020-03-24 14:50:31 +11:00
Michal Nowak
2d74d88b47 Merge branch 'mnowak/abi-tracker-helper-v9.17.0' into 'master'
Bump BIND baseline version for abi-check

See merge request isc-projects/bind9!3202
2020-03-20 12:08:23 +00:00
Michal Nowak
3730d59bf9 Bump BIND baseline version for abi-check 2020-03-20 13:06:57 +01:00
Matthijs Mekking
5efc35f517 Merge branch 'v9_17_0-release' into 'master'
Apply 9.17.0 release branch

See merge request isc-projects/bind9!3262
2020-03-20 10:22:12 +00:00
Tinderbox User
4b3b2e5dc7 Fix README related to --with-tuning 2020-03-20 10:51:32 +01:00
Tinderbox User
a972cf4360 regen master 2020-03-20 10:51:32 +01:00
Tinderbox User
50cf0e6ef8 Fix resonse typo in release notes 2020-03-20 10:51:32 +01:00
Tinderbox User
e73565ae0a regen master 2020-03-20 10:51:32 +01:00
Tinderbox User
678b8d27d6 prep 9.17.0
The files configure.ac and version are already up to date.

Updated CHANGES with 9.17.0 release line.

Fixed CHANGES by adding GitLab reference to entry 5357 and fix
grammar mistakes.

Add missing /util/check-make-install.in to .gitattributes.

The lib/*/api are already updated to match the new ranges.

I listed two new features under BIND 9.17 features that to me
seemed noteworthy.

The release notes look good to me.
2020-03-20 10:51:32 +01:00
Michal Nowak
2fafcc2c2d Merge branch 'mnowak/unit-test-debugging-enhancements' into 'master'
Enhance unit test debugging

See merge request isc-projects/bind9!2990
2020-03-20 09:40:16 +00:00
Michal Nowak
8fad74e0e5 Enhance unit test debugging
When unit test fails, core file is created. Kyua's 'debug' command can
run GDB on it and provide backtrace. Unfortunately Kyua is picky about
location of these core files we opt to use custom Kyua fork and copy
core files from Kyua working directory to source tree and make it
available in GitLab.
2020-03-20 10:37:59 +01:00
Ondřej Surý
eb26fdf701 Merge branch '4-fix-the-last-three-system-tests-parallel-run' into 'master'
Convert the last three system tests (ecdsa, eddsa and tkey) to use dynamic ports

See merge request isc-projects/bind9!3257
2020-03-19 17:23:53 +00:00
Ondřej Surý
cfbb46201f Fix the tkey system test to allow parallel run
The tkey test was not adapted to dynamic ports, so we had to run it in
sequence.  This commit adds support for dynamic ports, and also makes
all the scripts shellcheck clean.
2020-03-19 17:31:31 +01:00
Ondřej Surý
4124a89972 Fix the eddsa system test to allow parallel run
The eddsa test was not adapted to dynamic ports, so we had to run it in
sequence.  This commit adds support for dynamic ports, and also makes
all the scripts shellcheck clean.
2020-03-19 17:31:31 +01:00
Ondřej Surý
1f1ecdecc9 Fix the ecdsa system test to allow parallel run
The ecdsa test was not adapted to dynamic ports, so we had to run it in
sequence.  This commit adds support for dynamic ports, and also makes
all the scripts shellcheck clean.
2020-03-19 17:31:31 +01:00
Ondřej Surý
bde35220cd Merge branch '1679-remove-workaround-for-systems-with-broken-gettimeofday-system-calls' into 'master'
Remove Solaris 2.8 broken gettimeofday() workaround

Closes #1679

See merge request isc-projects/bind9!3238
2020-03-19 08:34:49 +00:00
Ondřej Surý
e691b89a9a Use clock_gettime() instead of gettimeofday() for isc_stdtime function
This also removes Solaris 2.8 broken gettimeofday() workaround
2020-03-18 16:02:24 +01:00
Ondřej Surý
af26de6370 Merge branch '4-gitlab-ci.yml-improvement' into 'master'
Improve GitLab CI configuration

See merge request isc-projects/bind9!3254
2020-03-18 11:51:59 +00:00
Ondřej Surý
de1a637a69 Rename MAKE environment variable to MAKE_COMMAND
The environment variable MAKE has been replaced with MAKE_COMMAND,
because overriding MAKE variable also changed the definition of the MAKE
inside the Makefiles, and we want only a single wrapper around the whole
build process.

Previously, setting `MAKE` to `bear make` meant that `bear make` would
be run at every nested make invocation, which messed up the upcoming
automake transition as compile_commands.json would be generated in every
subdirectory instead of just having one central file at the top of the
build tree.
2020-03-18 12:51:08 +01:00
Ondřej Surý
99f9e2c53e Remove cppcheck arm64 job
All *:sid:amd64 jobs were errorneously copied to *:sid:arm64 including
the extra cppcheck run.  Remove the extra definitions from arm64 jobs.
2020-03-18 12:51:08 +01:00
Ondřej Surý
66ba808c1b Replace dependencies+needs with needs+artifacts in GitLabCI config
All jobs now use solely the newer needs configuration to declare
dependencies between jobs:

    needs:
      - job: <foo>
        artifacts: true

instead of combination of dependencies and needs which is deprecated.
This change completely unbundles the stages (alas the stages still needs
to stay because the job graph has to stay acyclic between the stages).
2020-03-18 12:51:08 +01:00
Ondřej Surý
d7348a2b96 Merge branch '1675-logfileconfig-system-test-crashes-occasionally-rwlock' into 'master'
Use isc_rwlock to lock .logconfig member of isc_log_t

Closes #1675

See merge request isc-projects/bind9!3229
2020-03-18 11:50:39 +00:00
Ondřej Surý
4d58856ff7 Use isc_rwlock to lock .logconfig member of isc_log_t
In isc_log_woudlog() the .logconfig member of isc_log_t structure was
accessed unlocked on the merit that there could be just a race when
.logconfig would be NULL, so the message would not be logged.  This
turned not to be true, as there's also data race deeper.  The accessed
isc_logconfig_t object could be in the middle of destruction, so the
pointer would be still non-NULL, but the structure members could point
to a chunk of memory no longer belonging to the object.  Since we are
only accessing integer types (the log level), this would never lead to
a crash, it leads to memory access to memory area no longer belonging to
the object and this a) wrong, b) raises a red flag in thread-safety tools.
2020-03-18 11:52:14 +01:00
Ondřej Surý
ed2ee2dffa Merge branch 'marka-memget-cannot-fail-logging' into 'master'
Cleanup logging API now that isc_mem_get cannot fail.

See merge request isc-projects/bind9!3252
2020-03-18 10:34:28 +00:00
Mark Andrews
0b793166d0 Refactor the isc_log API so it cannot fail on memory failures
The isc_mem API now crashes on memory allocation failure, and this is
the next commit in series to cleanup the code that could fail before,
but cannot fail now, e.g. isc_result_t return type has been changed to
void for the isc_log API functions that could only return ISC_R_SUCCESS.
2020-03-18 09:05:59 +01:00
Evan Hunt
e6deefd03f Merge branch 'each-lgtm-fixes' into 'master'
fix LGTM warnings

See merge request isc-projects/bind9!3200
2020-03-17 22:18:10 +00:00
Ondřej Surý
08f4c7d6c0 Add C11 localtime_r and gmtime_r shims for Windows
On Windows, C11 localtime_r() and gmtime_r() functions are not
available.  While localtime() and gmtime() functions are already thread
safe because they use Thread Local Storage, it's quite ugly to #ifdef
around every localtime_r() and gmtime_r() usage to make the usage also
thread-safe on POSIX platforms.

The commit adds wrappers around Windows localtime_s() and gmtime_s()
functions.

NOTE: The implementation of localtime_s and gmtime_s in Microsoft CRT
are incompatible with the C standard since it has reversed parameter
order and errno_t return type.
2020-03-17 13:28:15 -07:00
Evan Hunt
ec95b84e8d silence a warning about unsafe snprintf() call 2020-03-17 13:28:15 -07:00
Evan Hunt
fc5ae3192b clean up dead code
removed an if statement that always evaluated to false
2020-03-17 13:28:15 -07:00
Evan Hunt
5703f70427 replace unsafe ctime() and gmtime() function calls
This silences LGTM warnings that these functions are not thread-safe.
2020-03-17 13:28:15 -07:00
Evan Hunt
735be3b816 remove or comment empty conditional branches
some empty conditional branches which contained a semicolon were
"fixed" by clang-format to contain nothing. add comments to prevent this.
2020-03-17 13:28:15 -07:00
Evan Hunt
8915e4722d Merge branch '1684-timer-test-build' into 'master'
fix a pointer-to-int cast error

Closes #1684

See merge request isc-projects/bind9!3246
2020-03-17 20:10:02 +00:00
Evan Hunt
6b76646037 fix a pointer-to-int cast error 2020-03-17 13:00:29 -07:00
Ondřej Surý
58cc273b19 Merge branch '1672-stop-leaking-external-headers-and-symbols-to-the-public-api-isc/md.h' into 'master'
Make isc_md API to not leak OpenSSL symbols

Closes #1672

See merge request isc-projects/bind9!3218
2020-03-17 15:00:56 +00:00
Ondřej Surý
4e114f8ed6 Stop leaking OpenSSL types and defines in the isc/md.h
The <isc/md.h> header directly included <openssl/evp.h> header which
enforced all users of the libisc library to explicitly list the include
path to OpenSSL and link with -lcrypto.  By hiding the specific
implementation into the private namespace, we no longer enforce this.
In the long run, this might also allow us to switch cryptographic
library implementation without affecting the downstream users.

While making the isc_md_type_t type opaque, the API using the data type
was changed to use the pointer to isc_md_type_t instead of using the
type directly.
2020-03-17 09:11:13 +01:00
Mark Andrews
6052e254b9 Merge branch '1682-dighost-c-idn_output_filter-has-off-by-one-error' into 'master'
Resolve "dighost.c: idn_output_filter has off by one error"

Closes #1682

See merge request isc-projects/bind9!3243
2020-03-17 04:43:46 +00:00
Mark Andrews
af67acc0d0 address off by one error in idn_output_filter 2020-03-17 13:56:30 +11:00
Diego dos Santos Fronza
da64d42cd6 Merge branch '1138-from-bugs-43718-extend-nsip-wait-recurse-or-add-nsdname-wait-recurse' into 'master'
Resolve "From Bugs (#43718) : extend nsip-wait-recurse or add nsdname-wait-recurse"

Closes #1138

See merge request isc-projects/bind9!3134
2020-03-16 18:50:53 +00:00
Diego Fronza
267e2c4772 Add CHANGES and release note 2020-03-16 15:20:12 -03:00
Diego Fronza
4e8f8da661 Added nsdname-wait-recurse documentation to ARM 2020-03-16 15:18:46 -03:00
Evan Hunt
2822b01636 incidental fix: dnsrps test was failing
the test for logging of invalid prefixes doesn't work when running
with dnsrps; disable it in that case.
2020-03-16 15:18:46 -03:00
Diego Fronza
fe10111521 Added test for nsdname-wait-recurse option 2020-03-16 15:18:46 -03:00
Diego Fronza
c786c578d7 Added RPZ configuration option "nsdname-wait-recurse"
This new option was added to fill a gap in RPZ configuration
options.

It was possible to instruct BIND wheter NSIP rewritting rules would
apply or not, as long as the required data was already in cache or not,
respectively, by means of the option nsip-wait-recurse.

A value of yes (default) could incur a little processing cost, since
BIND would need to recurse to find NS addresses in case they were not in
the cache.

This behavior could be changed by setting nsip-wait-recurse value to no,
in which case BIND would promptly return some error code if the NS IP addresses
data were not in cache, then BIND would start a recursive query
in background, so future similar requests would have the required data
(NS IPs) in cache, allowing BIND to apply NSIP rules accordingly.

A similar feature wasn't available for NSDNAME triggers, so this commit
adds the option nsdname-wait-recurse to fill this gap, as it was
expected by couple BIND users.
2020-03-16 15:18:46 -03:00
Michał Kępień
be0dc3db3f Merge branch 'michal/update-gitlab-ci-to-freebsd-12.1' into 'master'
Update GitLab CI to FreeBSD 12.1

See merge request isc-projects/bind9!3180
2020-03-16 10:33:31 +00:00
Michał Kępień
80618b5378 Move FreeBSD CI jobs to libvirt-based executors
To get rid of the currently used FreeBSD-specific executor, move FreeBSD
CI jobs to libvirt-based executors.  Make the necessary tag and variable
adjustments.
2020-03-16 11:32:46 +01:00
Michał Kępień
4c68b56246 Update GitLab CI to FreeBSD 12.1
Since FreeBSD 12.1 is the current FreeBSD 12.x release, replace FreeBSD
12.0 GitLab CI jobs with their up-to-date counterparts.
2020-03-16 11:32:46 +01:00
Ondřej Surý
a3b89e7547 Merge branch '4-convert-lmdb-check-to-macro' into 'master'
Add AX_LIB_LMDB macro

See merge request isc-projects/bind9!3205
2020-03-16 09:44:49 +00:00
Ondřej Surý
6a475340cf Link with LMDB only where needed 2020-03-16 09:38:15 +01:00
Ondřej Surý
fe85568604 Convert lmdb check to m4 macro 2020-03-16 09:38:15 +01:00
Mark Andrews
020b9f7a73 Merge branch '1681-compile-error-geoip_test-c-maxminddb-h-file-not-found' into 'master'
Resolve "compile error: geoip_test.c - maxminddb.h file not found"

Closes #1681

See merge request isc-projects/bind9!3233
2020-03-16 07:50:16 +00:00
Mark Andrews
81a80274bd Add MAXMINDDB_CFLAGS to CINCLUDES 2020-03-16 16:15:03 +11:00
Mark Andrews
402c0b26f7 Merge branch '1676-address-timing-issue-in-forward-system-test' into 'master'
Resolve "Address timing issue in forward system test."

Closes #1676

See merge request isc-projects/bind9!3221
2020-03-15 23:30:46 +00:00
Mark Andrews
a38a324442 wait for the reply message before checking to avoid false negative.
Waiting for the reply message will ensure that all messages being
looked for exist in the logs at the time of checking.  When the
test was only waiting for the send message there was a race between
grep and the ns1 instance of named logging that it had seen the
request.
2020-03-16 09:50:45 +11:00
Mark Andrews
9660ec80df Merge branch '1655-bind-9-11-5-writes-syntax-errors-to-its-zone-cache' into 'master'
Resolve "BIND 9.11.5 writes syntax errors to its zone cache"

Closes #1655

See merge request isc-projects/bind9!3150
2020-03-13 04:00:26 +00:00
Mark Andrews
c9c59db5b3 Add CHANGES note 2020-03-13 13:40:15 +11:00
Mark Andrews
59498ce17f Quote zone name so that specials are handled 2020-03-13 13:38:56 +11:00
Mark Andrews
91efc587b2 Pass NUL terminated buffer name to cfg_parse_buffer 2020-03-13 13:38:56 +11:00
Mark Andrews
ad030332bd Test reloading of zones with special 2020-03-13 13:38:56 +11:00
Mark Andrews
fed5992b31 Merge branch 'marka-maybe-silence-missing-unlock' into 'master'
Silence missing unlock from Coverity.

See merge request isc-projects/bind9!3185
2020-03-13 02:14:14 +00:00
Mark Andrews
8dd8d48c9f Silence missing unlock from Coverity.
Save 'i' to 'locknum' and use that rather than using
'header->node->locknum' when performing the deferred
unlock as 'header->node->locknum' can theoretically be
different to 'i'.
2020-03-13 12:42:52 +11:00
Mark Andrews
462a46cf50 Merge branch '1652-nslookup-assertion-at-soa_6-c-302-require-rdata-length-0-failed-back-trace' into 'master'
Resolve "nslookup: assertion at soa_6.c:302: REQUIRE(rdata->length != 0) failed, back trace"

Closes #1652

See merge request isc-projects/bind9!3136
2020-03-13 00:44:24 +00:00
Mark Andrews
6593cf0b5a Check that dig/host/nslookup handle a UPDATE response.
Additionally check that "delete $qname SOA" in the update
reponse doesn't trigger a insertion in nslookup.
2020-03-13 10:29:43 +11:00
Mark Andrews
bb7576cc9b Report opcode mismatch 2020-03-13 10:28:18 +11:00
Mark Andrews
4a7b9dba61 turn off best effort processing in host and add the ability to specify the port 2020-03-13 10:28:18 +11:00
Mark Andrews
d1cb30e747 turn off best effort processing in nslookup 2020-03-13 10:28:18 +11:00
Ondřej Surý
386ceaac7b Merge branch '1672-stop-leaking-external-headers-and-symbols-to-the-public-api-isc/hmac.h' into 'master'
Make isc_hmac API to not leak OpenSSL symbols

See merge request isc-projects/bind9!3216
2020-03-12 21:22:46 +00:00
Ondřej Surý
70100c664a Stop leaking OpenSSL types and defines in the isc/hmac.h
The <isc/md.h> header directly included <openssl/hmac.h> header which
enforced all users of the libisc library to explicitly list the include
path to OpenSSL and link with -lcrypto.  By hiding the specific
implementation into the private namespace, we no longer enforce this.
In the long run, this might also allow us to switch cryptographic
library implementation without affecting the downstream users.
2020-03-12 22:22:03 +01:00
Ondřej Surý
b04eda7212 Merge branch '1672-stop-leaking-external-headers-and-symbols-to-the-public-api-isc/safe.h' into 'master'
Make isc_safe API to not leak OpenSSL symbols

See merge request isc-projects/bind9!3215
2020-03-12 19:07:51 +00:00
Ondřej Surý
ab827ab5bf Stop leaking OpenSSL types and defines in the isc/safe.h
The two "functions" that isc/safe.h declared before were actually simple
defines to matching OpenSSL functions.  The downside of the approach was
enforcing all users of the libisc library to explicitly list the include
path to OpenSSL and link with -lcrypto.  By hiding the specific
implementation into the private namespace changing the defines into
simple functions, we no longer enforce this.  In the long run, this
might also allow us to switch cryptographic library implementation
without affecting the downstream users.
2020-03-12 20:07:16 +01:00
Ondřej Surý
c34b9364c0 Merge branch '1673-lib-isc-pk11-c-depend-on-libdns-headers' into 'master'
Use ISC_R_CRYPTOFAILURE instead DST_R_CRYPTOFAILURE in libisc

Closes #1673

See merge request isc-projects/bind9!3220
2020-03-12 19:05:29 +00:00
Ondřej Surý
e67ce7e966 Use ISC_R_CRYPTOFAILURE instead DST_R_CRYPTOFAILURE in libisc
There was a circular libisc dependency on libdns headers for
DST_R_CRYPTOFAILURE return code.  Replace it with ISC_R_CRYPTOFAILURE to
break the loop.
2020-03-12 17:50:29 +01:00
Evan Hunt
bc10d88c25 Merge branch '864-zone-type-table-in-arm-needs-improvement' into 'master'
Resolve "zone type table in ARM needs improvement"

Closes #864

See merge request isc-projects/bind9!1544
2020-03-12 08:48:23 +00:00
Evan Hunt
b10bdb57ac build doc 2020-03-12 01:14:07 -07:00
Evan Hunt
6fb568caae improve readability of bibliogrpahy
Change <biblioentry> and <citetitle> sections to improve the readability
of the bibliography sections. Thanks to Sun Guonian.
2020-03-12 01:14:07 -07:00
Evan Hunt
d9a6fef020 shorten text for mirror zones to prevent overspill 2020-03-12 01:14:07 -07:00
Mark Andrews
9e4a153f3b use relative widths for zone table 2020-03-12 01:14:07 -07:00
Evan Hunt
bf38b4af11 Merge branch 'placeholder' into 'master'
placeholder

See merge request isc-projects/bind9!3214
2020-03-12 07:37:05 +00:00
Evan Hunt
9a8865d674 placeholder 2020-03-12 00:36:23 -07:00
Ondřej Surý
7db8b25b63 Merge branch '4-make-libtool-mandatory' into 'master'
Remove no-libtool and internal symtable configure options

See merge request isc-projects/bind9!3207
2020-03-11 23:07:53 +00:00
Ondřej Surý
e847591867 Improve the backtrace to print symbols when backtrace_symbols() is available
The previous commit removed the code related to the internal symbol
table.  On platforms where available, we can now use backtrace_symbols()
to print more verbose symbols table to the output.

As there's now general availability of backtrace() and
backtrace_symbols() functions (see below), the commit also removes the
usage of glibc internals and the custom stack tracing.

* backtrace(), backtrace_symbols(), and backtrace_symbols_fd() are
  provided in glibc since version 2.1.
* backtrace(), backtrace_symbols(), and backtrace_symbols_fd() first
  appeared in Mac OS X 10.5.
* The backtrace() library of functions first appeared in NetBSD 7.0 and
  FreeBSD 10.0.
2020-03-11 20:32:21 +01:00
Evan Hunt
ad5250ff9c Remove support for internal symbol table
Since we can no longer generate an internal symbol table, there
doesn't seem to be much reason to retain the code that reads it.
2020-03-11 11:13:52 +01:00
Ondřej Surý
1628f5865a Remove configure option to compile without libtool
libtool is a requirement to use automake (see GL #4), so this commit
removes the ability to compile BIND 9 without libtool.
2020-03-11 10:31:51 +01:00
Ondřej Surý
c463808992 Remove the ability to generate internal symbol table
The internal symbol table cannot be generated when libtool is in use,
which is going to be a mandatory in the next commit.
2020-03-11 10:31:42 +01:00
Ondřej Surý
e19117b5a9 Merge branch 'ondrej/fix-clang-format-headers-symlinks' into 'master'
Fix .clang-format.headers symlinks

See merge request isc-projects/bind9!3212
2020-03-11 09:21:07 +00:00
Ondřej Surý
584fd98a0c Fixup the headers formatting 2020-03-11 10:19:32 +01:00
Ondřej Surý
1ca73f606e Fix the deeper symlinks to .clang-format.headers 2020-03-11 10:16:45 +01:00
Michał Kępień
f137baf6be Merge branch 'michal/minor-release-note-tweaks' into 'master'
Minor release note tweaks

See merge request isc-projects/bind9!3210
2020-03-11 08:52:35 +00:00
Michał Kępień
6537aaffdc Reorder release note sections 2020-03-11 09:45:31 +01:00
Michał Kępień
3e6ef80706 Add GitLab identifier to rwlock release note 2020-03-11 09:45:31 +01:00
Michał Kępień
02260826cf Merge branch '1636-add-release-note-about-controlling-source-ports' into 'master'
Add release note about controlling source ports

Closes #1636

See merge request isc-projects/bind9!3192
2020-03-11 08:22:53 +00:00
Michał Kępień
384b413dc5 Add release note about controlling source ports 2020-03-11 09:06:40 +01:00
Michał Kępień
2283d38ac2 Release note wording tweaks 2020-03-11 09:06:40 +01:00
Michał Kępień
f8a8eaba8b Move pthread rwlocks release note to a section 2020-03-11 09:06:40 +01:00
Michał Kępień
182e4a67bc Merge branch 'matthijs-disable-mscv-kasp-system-test' into 'master'
Disable kasp test on Windows

See merge request isc-projects/bind9!3206
2020-03-11 07:18:49 +00:00
Matthijs Mekking
2094e5ed4d Remove leftover set_keydir 2020-03-10 16:04:13 +01:00
Matthijs Mekking
4e610b7f6b Disable kasp test on Windows
The kasp system test is timing critical.  The test passes on all
Linux based machines, but fails frequently on Windows.  The test
takes a lot more time on Windows and at the final checks fail
because the expected next key event is too far off.  For example:

I:kasp:check next key event for zone step2.algorithm-roll.kasp (570)
I:kasp:error: bad next key event time 20909 for zone \
  step2.algorithm-roll.kasp (expect 21600)
I:kasp:failed

This is because the kasp system test calculates the time when the
next key event should occur based on the policy.  This assumes that
named is able to do key management within a minute.  But starting,
named, doing key management for other zones, and reconfiguring takes
much more time on Windows and thus the next key event on Windows is
much shorter than anticipated.

That this happens is a good thing because this means that the
correct next key event is used, but is not so nice for testing, as
it is hard to determine how much time named needed before finishing
the current key event.

Disable the kasp test on Windows now because it is blocking the
release.  We know the cause of these test failures, and it is clear
that this is a fault in the test, not the code.  Therefore we feel
comfortable disabling the test right now and work on a fix while
unblocking the release.
2020-03-10 16:04:13 +01:00
Matthijs Mekking
546acaad0e Merge branch '1476-threadsanitizer-data-race-lib-isc-log-multiple-issues' into 'master'
Resolve "ThreadSanitizer: data race lib/isc/log.c - multiple issues"

Closes #1476

See merge request isc-projects/bind9!2791
2020-03-10 12:11:19 +00:00
Diego Fronza
a200852001 Fixed data race in log.c
A data race was happening while BIND was starting due to
isc_log_wouldlog function accessing lctx->logconfig without a lock.

To prevent that without incurring much costs, that variable was made
atomic.
2020-03-10 11:49:53 +01:00
Michal Nowak
6d252220b0 Merge branch 'mnowak/abi-tracker-helper' into 'master'
Add API Checker

See merge request isc-projects/bind9!3120
2020-03-10 08:47:04 +00:00
Michal Nowak
49bc08e612 Add API Checker
ABI checker tools generate HTML and TXT API compatibility reports of
BIND libraries. Comparison is being done between two bind source trees
which hold built BIND.

In the CI one version is the reference version defined by
BIND_BASELINE_VERSION variable, the latter one is the HEAD of branch
under test.
2020-03-10 09:44:26 +01:00
Evan Hunt
e0430d74ef Merge branch '1664-double-unlock' into 'master'
remove redundant ZONEDB_UNLOCK

Closes #1664

See merge request isc-projects/bind9!3197
2020-03-09 23:47:11 +00:00
Evan Hunt
b54454b7c6 remove redundant ZONEDB_UNLOCK 2020-03-09 14:05:14 -07:00
Ondřej Surý
8de25592ba Merge branch 'ondrej/clang-format-improve-includes' into 'master'
Improve #include block sorting and grouping in clang-format

See merge request isc-projects/bind9!3193
2020-03-09 15:42:24 +00:00
Ondřej Surý
3178974f0c Use the new sorting rules to regroup #include headers 2020-03-09 16:19:22 +01:00
Ondřej Surý
5071c47fbd Improve the #include block sorting
The IncludeCategories was incomplete, it missed pk11/ and dst/ headers
and the rule that put "" header after all <> headers was broken.
2020-03-09 16:19:22 +01:00
Matthijs Mekking
fd18da8cac Merge branch '1653-dnssec-policy-view-race' into 'master'
Resolve "Race condition with dnssec-policy, same zone in different views"

Closes #1653

See merge request isc-projects/bind9!3142
2020-03-09 14:40:59 +00:00
Matthijs Mekking
47e42d5750 Update changes, documentation 2020-03-09 14:48:17 +01:00
Matthijs Mekking
e0bdff7ecd Fix race condition dnssec-policy with views
When configuring the same dnssec-policy for two zones with the same
name but in different views, there is a race condition for who will
run the keymgr first. If running sequential only one set of keys will
be created, if running parallel two set of keys will be created.

Lock the kasp when running looking for keys and running the key
manager. This way, for the same zone in different views only one
keyset will be created.

The dnssec-policy does not implement sharing keys between different
zones.
2020-03-09 14:48:17 +01:00
Michał Kępień
5979032512 Merge branch 'michal/do-not-run-openbsd-system-test-jobs-for-tags' into 'master'
Do not run OpenBSD system test jobs for tags

See merge request isc-projects/bind9!3183
2020-03-09 13:33:59 +00:00
Michał Kępień
7b002cea83 Do not run OpenBSD system test jobs for tags
OpenBSD virtual machines seem to affected particularly badly by other
activity happening on the host.  This causes trouble around release
time: when multiple tags are pushed to the repository, a large number of
jobs is started concurrently on all CI runners.  In extreme cases, this
causes the system test suite to run for about an hour (!) on OpenBSD
VMs, with multiple tests failing.  We investigated the test artifacts
for all such cases in the past and the outcome was always the same: test
failures were caused by extremely slow I/O on the guest.  We tried
various tricks to work around this problem, but nothing helped.

Given the above, stop running OpenBSD system test jobs for pending BIND
releases to prevent the results of these jobs from affecting the
assessment of a given release's readiness for publication.  This change
does not affect OpenBSD build jobs.  OpenBSD system test jobs will still
be run for scheduled and web-requested pipelines, to make sure we catch
any severe issues with test code on that platform sooner or later.
2020-03-09 14:33:04 +01:00
Matthijs Mekking
35b911de93 Merge branch 'matthijs-refactor-kasp-test' into 'master'
Refactor kasp system test

See merge request isc-projects/bind9!3141
2020-03-09 12:22:56 +00:00
Matthijs Mekking
2e4b55de85 Add check calls to kasp zsk-retired test
The test case for zsk-retired was missing the actual checks.  Add
them and fix the set_policy call to expect three keys.
2020-03-09 13:02:23 +01:00
Matthijs Mekking
7e54dd74f9 More consistent spacing and comments
Some comments started with a lowercased letter. Capitalized them to
be more consistent with the rest of the comments.

Add some newlines between `set_*` calls and check calls, also to be
more consistent with the other test cases.
2020-03-09 13:02:23 +01:00
Matthijs Mekking
f500b16f83 Replace key_states 2020-03-09 13:02:23 +01:00
Matthijs Mekking
32e4916c59 Replace key_timings 2020-03-09 13:02:22 +01:00
Matthijs Mekking
628e09a423 Replace key_properties 2020-03-09 13:02:22 +01:00
Matthijs Mekking
8a4787d585 Replace zone_properties 2020-03-09 13:02:22 +01:00
Matthijs Mekking
9aa23bd42a Merge branch '1413-fix-dnssec-test' into 'master'
Fix dnssec test

Closes #1413

See merge request isc-projects/bind9!2956
2020-03-09 11:02:10 +00:00
Matthijs Mekking
aebb2aaa0f Fix dnssec test
There is a failure mode which gets triggered on heavily loaded
systems. A key change is scheduled in 5 seconds to make ZSK2 inactive
and ZSK3 active, but `named` takes more than 5 seconds to progress
from `rndc loadkeys` to the query check. At this time the SOA RRset
is already signed by the new ZSK which is not expected to be active
at that point yet.

Split up the checks to test the case where RRsets are signed
correctly with the offline KSK (maintained the signature) and
the active ZSK.  First run, RRsets should be signed with the still
active ZSK2, second run RRsets should be signed with the new active
ZSK3.
2020-03-09 10:16:55 +01:00
Diego dos Santos Fronza
74e5889537 Merge branch 'fix-glob-windows' into 'master'
Fixed missing list initialization

See merge request isc-projects/bind9!3184
2020-03-06 21:09:58 +00:00
Diego Fronza
6e5b4f7ec8 Fixed missing list initialization
This commit fixes isc_glob function on windows environments.

The file_list_t * object pointed to by pglob->reserved was missing
ISC_LIST_INIT intialization macro.
2020-03-06 16:53:20 -03:00
Matthijs Mekking
a1849cea53 Merge branch 'kasp-test-algoroll' into 'master'
Test dnssec-policy algorithm rollover, fix some bugs

Closes #1626, #1625, and #1624

See merge request isc-projects/bind9!3086
2020-03-06 15:16:19 +00:00
Matthijs Mekking
d16520532f Add additional wait period for algorithm rollover
We may be checking the algorithm steps too fast: the reconfig
command may still be in progress. Make sure the zones are signed
and loaded by digging the NSEC records for these zones.
2020-03-06 15:57:48 +01:00
Matthijs Mekking
53bd81ad19 Make clang-format happy 2020-03-06 15:57:48 +01:00
Matthijs Mekking
6ddfed3de0 update CHANGES 2020-03-06 15:57:48 +01:00
Matthijs Mekking
917cf5f86f Add CSK algorithm rollover test 2020-03-06 15:53:57 +01:00
Matthijs Mekking
3905a03205 [#1624] dnssec-policy change retire unwanted keys
When changing a dnssec-policy, existing keys with properties that no
longer match were not being retired.
2020-03-06 15:53:57 +01:00
Matthijs Mekking
28506159f0 [#1625] Algorithm rollover waited too long
Algorithm rollover waited too long before introducing zone
signatures.  It waited to make sure all signatures were resigned,
but when introducing a new algorithm, all signatures are resigned
immediately.  Only add the sign delay if there is a predecessor key.
2020-03-06 15:53:57 +01:00
Matthijs Mekking
a8542b8cab [#1626] Fix stuck algorithm rollover
Algorithm rollover was stuck on submitting DS because keymgr thought
it would move to an invalid state.  It did not match the current
key because it checked it against the current key in the next state.
Fixed by when checking the current key, check it against the desired
state, not the existing state.
2020-03-06 15:53:57 +01:00
Matthijs Mekking
88ebe9581b Add algorithm rollover test case
Add a test case for algorithm rollover.  This is triggered by
changing the dnssec-policy.  A new nameserver ns6 is introduced
for tests related to dnssec-policy changes.

This requires a slight change in check_next_key_event to only
check the last occurrence.  Also, change the debug log message in
lib/dns/zone.c to deal with checks when no next scheduled key event
exists (and default to loadkeys interval 3600).
2020-03-06 15:53:57 +01:00
Matthijs Mekking
cc2afe853b Remove unneeded step6 zone
The zone 'step6.ksk-doubleksk.autosign' is configured but is not
set up nor tested.  Remove the unneeded configured zone.
2020-03-06 15:53:57 +01:00
Matthijs Mekking
fdb3f6f400 Introduce enable dnssec test case 2020-03-06 15:53:57 +01:00
Matthijs Mekking
00ced2d2e7 Prepare kasp for algorithm rollover test
Algorithm rollover will require four keys so introduce KEY4.
Also it requires to look at key files for multiple algorithms so
change getting key ids to be algorithm rollover agnostic (adjusting
count checks).  The algorithm will be verified in check_key so
relaxing 'get_keyids' is fine.

Replace '${_alg_num}' with '$(key_get KEY[1-4] ALG_NUM)' in checks
to deal with multiple algorithms.
2020-03-06 15:53:57 +01:00
Michał Kępień
526907dc13 Merge branch 'michal/fix-using-sibling-root-libuv-for-windows-builds' into 'master'
Fix using sibling-root libuv for Windows builds

See merge request isc-projects/bind9!3181
2020-03-06 12:36:55 +00:00
Michał Kępień
57b430b8ca Fix using sibling-root libuv for Windows builds
HAVE_UV_IMPORT and other config.h macros must not be set unconditionally
because no existing libuv release exposes uv_import() and/or uv_export()
yet.  Windows builds not passing an explicit path to libuv to
win32utils/Configure are currently broken because of this, so comment
out the offending lines and describe when the aforementioned config.h
macros should be set.
2020-03-06 13:25:45 +01:00
Evan Hunt
078d937ff8 Merge branch '1515-ixfr-size-limit' into 'master'
Send AXFR instead of requested IXFR if the size of the incremental transfer is too large to sensibly IXFR

Closes #1375 and #1515

See merge request isc-projects/bind9!3113
2020-03-06 02:51:18 +00:00
Evan Hunt
0a39181092 CHANGES and release note 2020-03-05 17:20:16 -08:00
Evan Hunt
89615c2ab5 add serial number to "transfer ended" log messages 2020-03-05 17:20:16 -08:00
Evan Hunt
db177d4e7e add a system test for AXFR fallback when max-ixfr-ratio is exceeded
also cleaned up the ixfr system test:

- use retry_quiet when applicable
- use scripts to generate test zones
- improve consistency
2020-03-05 17:20:16 -08:00
Evan Hunt
cb02219b6c check size ratio when responding to IXFR requests 2020-03-05 17:20:16 -08:00
Evan Hunt
98b55eb442 improve calculation of database transfer size
- change name of 'bytes' to 'xfrsize' in dns_db_getsize() parameter list
  and related variables; this is a more accurate representation of what
  the function is doing
- change the size calculations in dns_db_getsize() to more accurately
  represent the space needed for a *XFR message or journal file to contain
  the data in the database. previously we returned the sizes of all
  rdataslabs, including header overhead and offset tables, which
  resulted in the database size being reported as much larger than the
  equivalent *XFR or journal.
- map files caused a particular problem here: the fullname can't be
  determined from the node while a file is being deserialized, because
  the uppernode pointers aren't set yet. so we store "full name length"
  in the dns_rbtnode structure while serializing, and clear it after
  deserialization is complete.
2020-03-05 17:20:16 -08:00
Evan Hunt
52a31a9883 dns_journal_iter_init() can now return the size of the delta
the call initailizing a journal iterator can now optionally return
to the caller the size in bytes of an IXFR message (not including
DNS header overhead, signatures etc) containing the differences from
the beginning to the ending serial number.

this is calculated by scanning the journal transaction headers to
calculate the transfer size. since journal file records contain a length
field that is not included in IXFR messages, we subtract out the length
of those fields from the overall transaction length.

this necessitated adding an "RR count" field to the journal transaction
header, so we know how many length fields to subract. NOTE: this will
make existing journal files stop working!
2020-03-05 17:20:16 -08:00
Evan Hunt
aeef4719e9 add syntax and setter/getter functions to configure max-ixfr-ratio 2020-03-05 17:20:16 -08:00
Evan Hunt
5a23e7abd1 document max-ixfr-ratio 2020-03-05 17:20:16 -08:00
Mark Andrews
e2f521e772 Merge branch '1628-release-process-failed-to-detect-that-header-file-was-not-installed' into 'master'
Resolve "Release process failed to detect that header file was not installed."

Closes #1628

See merge request isc-projects/bind9!3089
2020-03-06 01:04:07 +00:00
Mark Andrews
a278b6bd84 test installed header files 2020-03-06 12:02:57 +11:00
Mark Andrews
5a95f9b0ec Merge branch 'marka-install-missing-header-files' into 'master'
Fix lists of installed header files

See merge request isc-projects/bind9!3173
2020-03-05 23:10:53 +00:00
Michał Kępień
b675d30f09 Fix lists of installed header files 2020-03-05 23:09:51 +00:00
Witold Krecicki
a5e8479153 Merge branch 'wpk/only-use-timer-if-initialized' into 'master'
Only use tcpdns timer if it's initialized.

See merge request isc-projects/bind9!3171
2020-03-05 23:08:02 +00:00
Witold Kręcicki
4b9962d4a3 Only use tcpdns timer if it's initialized. 2020-03-05 23:13:39 +01:00
Mark Andrews
a249bb5b10 Merge branch 'marka-sort-AC_CONFIG_FILES' into 'master'
sort AC_CONFIG_FILES

See merge request isc-projects/bind9!3167
2020-03-05 21:47:02 +00:00
Mark Andrews
fd0d4ba948 sort AC_CONFIG_FILES 2020-03-06 08:17:06 +11:00
Witold Krecicki
5c723402f4 Merge branch '1643-tcp-connections-accounting' into 'master'
Resolve "Problems reported in BIND 9.16.0 after hitting tcp-clients limit"

Closes #1643

See merge request isc-projects/bind9!3163
2020-03-05 20:31:04 +00:00
Witold Kręcicki
d2445310e2 CHANGES note 2020-03-05 18:02:27 +00:00
Witold Kręcicki
ae1499ca19 Fix TCPDNS socket closing issues 2020-03-05 18:02:27 +00:00
Evan Hunt
1383804597 add a test of normal TCP query behavior before and after high-water test 2020-03-05 18:02:27 +00:00
Witold Kręcicki
fc9792eae8 Limit TCP connection quota logging to 1/s 2020-03-05 18:02:27 +00:00
Witold Kręcicki
fc9e2276ca Proper accounting of active TCP connections 2020-03-05 18:02:27 +00:00
Michal Nowak
71b05e3e0f Merge branch 'mnowak/respdiff' into 'master'
Add respdiff test

See merge request isc-projects/bind9!3078
2020-03-05 14:45:46 +00:00
Michal Nowak
04f8b65a8f Add respdiff job
This job leverages respdiff test from the private bind-qa repo.
2020-03-05 10:32:45 +01:00
Witold Krecicki
22f0b633e5 Merge branch '1650-fix-race-in-killoldestclient' into 'master'
Destroy query in killoldestclient under a lock

Closes #1650

See merge request isc-projects/bind9!3146
2020-03-05 09:02:11 +00:00
Witold Kręcicki
df3dbdff81 Destroy query in killoldestquery under a lock.
Fixes a race between ns_client_killoldestquery and ns_client_endrequest -
killoldestquery takes a client from `recursing` list while endrequest
destroys client object, then killoldestquery works on a destroyed client
object. Prevent it by holding reclist lock while cancelling query.
2020-03-05 08:13:50 +00:00
Evan Hunt
4c0591574f Merge branch '1647-addtrustedkey-dnskey' into 'master'
Resolve "delv 9.16.0, failed to add trusted key '.': ran out of space"

Closes #1647

See merge request isc-projects/bind9!3158
2020-03-04 23:41:11 +00:00
Evan Hunt
d805fe821e CHANGES 2020-03-04 09:28:37 -08:00
Evan Hunt
a81ae32d8a add a system test to check that delv loads trust anchors correctly 2020-03-04 08:59:29 -08:00
Tony Finch
689ef89b67 Fix dns_client_addtrustedkey(dns_rdatatype_dnskey)
Use a buffer that is big enough for DNSKEY records as well as DS
records.
2020-03-04 08:59:29 -08:00
Michal Nowak
239e1c5309 Merge branch 'mnowak/pkcs11-test-fix' into 'master'
Fix pkcs11 test

Closes #1496

See merge request isc-projects/bind9!3116
2020-03-04 16:06:31 +00:00
Michal Nowak
85cb3a214f Fix "pkcs11" system test
- Define the SLOT environment variable before starting the test.  This
    variable defaults to 0 and that does not work with SoftHSM 2.

  - The system test expects the PIN environment variable to be set to
    "1234" while bin/tests/prepare-softhsm2.sh sets it to "0000".
    Update bin/tests/prepare-softhsm2.sh so that it sets the PIN to
    "1234".

  - Move contents of bin/tests/system/pkcs11/prereq.sh to
    bin/tests/system/pkcs11/setup.sh as the former was creating a file
    called "supported" that was getting removed by the latter before
    bin/tests/system/pkcs11/tests.sh could access it.

  - Fix typo in "have_ecx".
2020-03-04 16:06:31 +00:00
Witold Krecicki
7509e22725 Merge branch 'wpk-use-pthread-rwlock-by-default' into 'master'
Use pthread rwlocks by default

See merge request isc-projects/bind9!3125
2020-03-04 09:50:56 +00:00
Witold Kręcicki
4ca5c02d0e Add release notes for pthread rwlocks change 2020-03-04 10:28:22 +01:00
Witold Kręcicki
ad03c22e97 Use pthread rwlocks by default 2020-03-04 10:28:22 +01:00
Evan Hunt
bae860d20a Merge branch '1532-nta-validate-except' into 'master'
list "validate-except" entries in "rndc nta -d" and "rndc secroots"

Closes #1532

See merge request isc-projects/bind9!3152
2020-03-04 09:09:53 +00:00
Evan Hunt
7a3fa9f593 list "validate-except" entries in "rndc nta -d" and "rndc secroots"
- no longer exclude these entries when dumping the NTA table
- indicate "validate-except" entries with the keyword "permanent" in
  place of an expiry date
- add a test for this feature, and update other tests to account for
  the presence of extra lines in some rndc outputs
- incidentally removed the unused function dns_ntatable_dump()
- CHANGES, release note
2020-03-04 00:44:32 -08:00
Mark Andrews
13073c95d3 Merge branch '1656-masterformat-system-test-failed-missing-sleep-1' into 'master'
Resolve "masterformat system test failed - missing "sleep 1""

Closes #1656

See merge request isc-projects/bind9!3151
2020-03-04 07:14:48 +00:00
Mark Andrews
0abcface49 properly wait for zone to be loaded 2020-03-04 15:39:08 +11:00
Mark Andrews
5cc912b031 Merge branch 'marka-check-touched' into 'master'
Check that inline master zones that are only touched are correctly reloaded.

Closes #1627

See merge request isc-projects/bind9!3135
2020-03-03 22:06:39 +00:00
Mark Andrews
64474db14e Add CHANGES entry 2020-03-04 08:46:33 +11:00
Mark Andrews
f171347b5f Restart zone maintenance if it had been stalled. 2020-03-04 08:45:34 +11:00
Mark Andrews
50e079d6c3 Check inline master zones that are touched reload correctly. 2020-03-04 08:45:34 +11:00
Ondřej Surý
bb74fdcaf0 Merge branch 'ondrej/fix-notes-9.17.0-xml' into 'master'
fixup the version number in 9.17.0 release notes

See merge request isc-projects/bind9!3145
2020-03-03 14:24:17 +00:00
Ondřej Surý
3357574843 fixup the version number in 9.17.0 release notes 2020-03-03 09:31:34 +01:00
Witold Krecicki
3a21933586 Merge branch 'wpk/socket-destroy-race' into 'master'
Fix a race in isc_socket destruction.

Closes #1651

See merge request isc-projects/bind9!3004
2020-03-03 08:20:44 +00:00
Witold Kręcicki
81ba0fe0e6 Fix a race in isc_socket destruction.
There was a very slim chance of a race between isc_socket_detach and
process_fd: isc_socket_detach decrements references to 0, and before it
calls destroy gets preempted. Second thread calls process_fd, increments
socket references temporarily to 1, and then gets preempted, first thread
then hits assertion in destroy() as the reference counter is now 1 and
not 0.
2020-03-03 08:34:19 +01:00
Mark Andrews
3c15372c2b Merge branch '1627-call-set_resigntime-and-zone_settimer' into 'master'
Call set resigntime and zone settimer

Closes #1627

See merge request isc-projects/bind9!3137
2020-03-03 05:07:58 +00:00
Mark Andrews
23ce0f32e5 add release note entry 2020-03-03 15:37:42 +11:00
Mark Andrews
905549f061 Add CHANGES note 2020-03-03 15:30:52 +11:00
Ondřej Surý
aaaa7e67fa Adjust lock/unlock in zone_rekey() 2020-03-03 15:26:31 +11:00
Mark Andrews
a6626594aa Ensure that resigintime and the zone timer are set 2020-03-03 15:26:27 +11:00
Matthijs Mekking
143d1c9767 Add more zone locks
Add more zone locks around code that touches zone timer setting
in failure modes.
2020-03-03 15:26:27 +11:00
Mark Andrews
7212961849 Always call set_resigntime with the zone lock held 2020-03-03 15:26:27 +11:00
Mark Andrews
5ec57f31b0 Always call zone_settimer()
zone_needdump() could potentially not call zone_settimer() so
explitly call zone_settimer() as zone->resigntime could have
gone backward.
2020-03-03 15:26:27 +11:00
Mark Andrews
5d1611afdc Call set_resigntime() in receive_secure_serial()
With RRSIG records no longer being signed with the full
sig-validity-interval we need to ensure the zone->resigntime
as it may need to be set to a earlier time.
2020-03-03 15:26:27 +11:00
Witold Krecicki
9aa84dabf9 Merge branch 'wpk/perfwork-7-multilocked-badcache' into 'master'
Badcache with multiple locks.

See merge request isc-projects/bind9!3076
2020-03-02 17:18:35 +00:00
Witold Kręcicki
6c8f309745 Workaround for clang static analyzer bug. 2020-03-02 14:12:05 +01:00
Witold Kręcicki
47e5f5564c Badcache with multiple locks.
Previously badcache used one single mutex for everything, which
was causing performance issues. Use one global rwlock for the whole
hashtable and per-bucket mutexes.
2020-03-02 12:13:09 +01:00
Michał Kępień
c309fcabec Merge branch '1640-add-ZLIB_LIBS-to-ISCLIBS' into 'master'
Add ZLIB_LIBS to ISCLIBS

Closes #1640

See merge request isc-projects/bind9!3117
2020-02-28 14:30:04 +00:00
Michał Kępień
fc967ba092 Add ZLIB_LIBS to ISCLIBS
When --with-zlib is passed to ./configure (or when the latter
autodetects zlib's presence), libisc uses certain zlib functions and
thus libisc's users should be linked against zlib in that case.  Adjust
Makefile variables appropriately to prevent shared build failures caused
by underlinking.
2020-02-28 15:22:29 +01:00
Witold Krecicki
74030a590f Merge branch 'wpk/perfwork-3-small-nits' into 'master'
Perfwork 3/6 - Various small nits and tunables

See merge request isc-projects/bind9!3067
2020-02-28 08:28:31 +00:00
Evan Hunt
0b76d8a490 comments 2020-02-28 08:46:16 +01:00
Witold Kręcicki
4b6a064972 Don't define NS_CLIENT_TRACE by default 2020-02-28 08:46:16 +01:00
Witold Kręcicki
4791263def Increase inactivehandles and inactivereqs size for better reuse. 2020-02-28 08:46:16 +01:00
Witold Kręcicki
0344684385 Increase nodelock count for both cache and regular db. 2020-02-28 08:46:16 +01:00
Witold Kręcicki
0d80266f7e Use RESOLVER_NTASKS_PERCPU - 32 for regular tuning, 8 for small 2020-02-28 08:46:16 +01:00
Witold Kręcicki
517e6eccdf use SO_INCOMING_CPU for UDP sockets 2020-02-28 08:46:16 +01:00
Witold Kręcicki
8c6c07286f Remove some stale fields from ns_client_t; make sendbuf allocated on heap 2020-02-28 08:46:16 +01:00
Witold Kręcicki
fe584c01cc Don't update LRU if the node was recently used.
Updating LRU requires write-locking the node, which causes contention.
Update LRU only if time difference is large enough.
2020-02-28 08:46:16 +01:00
Witold Kręcicki
a658f7976c We don't need to fill udp local address every time since we are bound to it. 2020-02-28 08:46:16 +01:00
Witold Kręcicki
938b61405b Don't check if the client is on recursing list (requires locking) if it's not RECURSING 2020-02-28 08:46:16 +01:00
Witold Kręcicki
eb874608c1 Use the original threadid when sending a UDP packet to decrease probability of context switching 2020-02-28 08:46:16 +01:00
Mark Andrews
c324230c6f Merge branch '1638-rrsig-soa-and-re-signing' into 'master'
Resolve "RRSIG(SOA) and re-signing."

Closes #1638

See merge request isc-projects/bind9!3114
2020-02-27 22:48:48 +00:00
Mark Andrews
88c828cb9f capture named-journalprint output 2020-02-27 22:30:14 +00:00
Mark Andrews
a24fd55836 sort RRSIG(SOA) to be last of RRSIGs with a common re-resign time 2020-02-27 22:30:14 +00:00
Mark Andrews
660dc3eba7 use the full sig-validity-interval for RRSIG(SOA) 2020-02-27 22:30:14 +00:00
Mark Andrews
563aff110e Merge branch 'marka-coverity-stop-taint' into 'master'
Simplify hash computation to prevent pointer being classed as tainted.

See merge request isc-projects/bind9!3081
2020-02-27 20:01:04 +00:00
Mark Andrews
8c983a7ebd Simplify hash computation to prevent pointer being classed as tainted.
mem.c:add_trace_entry() -> isc_hash_function() -> isc_siphash24()

129        for (; in != end; in += 8) {

	6. byte_swapping: Performing a byte swapping operation on
	in implies that it came from an external source, and is
	therefore tainted.

130                uint64_t m = U8TO64_LE(in);
2020-02-27 19:41:36 +00:00
Witold Krecicki
ebfb0f7392 Merge branch 'wpk/perfwork-5-isc-result-rwlock' into 'master'
Perfwork 5/6 - Use isc_rwlock for isc_result tables

See merge request isc-projects/bind9!3069
2020-02-27 09:48:11 +00:00
Witold Kręcicki
00f2146265 Use isc_rwlock for isc_result tables 2020-02-27 07:58:48 +00:00
Evan Hunt
d434ec89ce Merge branch 'each-speedup-serve-stale-test' into 'master'
Speed up serve-stale test

See merge request isc-projects/bind9!3090
2020-02-27 06:57:56 +00:00
Evan Hunt
195d25b222 send bursts of queries in parallel to reduce test runtime
sending each group of queries simultaneously, and then checking the
output after the last one finishes, reduces the runtime of the
serve-stale test by about six minutes.
2020-02-26 22:28:33 -08:00
Evan Hunt
027601cd3e stop testing 'serve-stale yes' and 'serve-fail no' alternate syntax
"yes" and "no" are permissible synonyms for "on" and "off", which
use exactly the same code paths. making sure they work isn't a good
use of 80 seconds of test time.
2020-02-26 22:28:33 -08:00
Evan Hunt
770bf4980f use "on|off" in rndc -h output to match the man page 2020-02-26 22:28:33 -08:00
Witold Krecicki
027f445c66 Merge branch '1623-assertion-failure-ns-client-endrequest' into 'master'
Don't issue ns_client_endrequest on a NS_CLIENTSTATE_READY client.

Closes #1623

See merge request isc-projects/bind9!3077
2020-02-26 12:35:19 +00:00
Witold Kręcicki
b0888ff039 Don't issue ns_client_endrequest on a NS_CLIENTSTATE_READY client.
Fix a potential assertion failure on shutdown in ns__client_endrequest.
Scenario:
1. We are shutting down, interface->clientmgr is gone.
2. We receive a packet, it gets through ns__client_request
3. mgr == NULL, return
4. isc_nmhandle_detach calls ns_client_reset_cb
5. ns_client_reset_cb calls ns_client_endrequest
6. INSIST(client->state == NS_CLIENTSTATE_WORKING ||
          client->state == NS_CLIENTSTATE_RECURSING) is not met
   - we haven't started processing this packet so
   client->state == NS_CLIENTSTATE_READY.
As a solution - don't do anything in ns_client_reset_cb if the client
is still in READY state.
2020-02-26 12:15:01 +00:00
Witold Krecicki
6d67e06665 Merge branch 'wpk/perfwork-4-compressctx-arena' into 'master'
Perfwork 4/6 - add an arena to compressctx

See merge request isc-projects/bind9!3068
2020-02-26 08:17:28 +00:00
Witold Kręcicki
3a3b5f557a Add an arena to compressctx 2020-02-26 07:57:44 +00:00
Evan Hunt
9e7c37ba13 Merge branch 'each-cosmetic-fixes' into 'master'
minor cosmetic fixes

See merge request isc-projects/bind9!3085
2020-02-25 19:05:53 +00:00
Evan Hunt
beda680f90 minor cosmetic fixes
- the configuration summary reported zlib compression was not
  supported even when it was.
- when bind.keys.h was regenerated it violated clang-format style.
2020-02-25 18:24:41 +00:00
Matthijs Mekking
9a53720502 Merge branch '103-include-multiple-files' into 'master'
Resolve "[RT#43439 'include' a whole directory when creating BIND zone file"

Closes #103

See merge request isc-projects/bind9!2296
2020-02-25 12:17:33 +00:00
Matthijs Mekking
5cc33084af Make clang-format happy 2020-02-25 09:07:45 +01:00
Diego Fronza
3275e7844b Update copyrights 2020-02-24 13:53:32 -03:00
Matthijs Mekking
44caa64f39 Add test for checkconf glob include 2020-02-24 13:48:48 -03:00
Diego Fronza
f67ef86048 Update configure to handle glob.h 2020-02-24 13:46:42 -03:00
Diego Fronza
9b4e28e155 Added a isc_glob() function that wraps glob() calls for POSIX systems
and implement a custom glob() function on Windows systems.
2020-02-24 13:46:39 -03:00
Diego Fronza
f97ba7a7c2 Added test to verify that both include glob-expression and include
non-glob-expression works.
2020-02-24 13:37:55 -03:00
Diego dos Santos Fronza
a50ab3df86 Added tests for include directive + glob expressions. 2020-02-24 13:37:51 -03:00
Diego dos Santos Fronza
fa3fbf62e8 Allowing include directive to use glob expressions, e.g. include
"/opt/named.conf/*.conf".
2020-02-24 13:35:20 -03:00
Michał Kępień
e5eac7f117 Merge branch 'michal/misc-9.17-preparations' into 'master'
Miscellaneous BIND 9.17 preparations

See merge request isc-projects/bind9!3108
2020-02-24 10:03:07 +00:00
Evan Hunt
89ff6cabf9 Rebuild documentation 2020-02-23 20:48:55 -08:00
Michał Kępień
b273ed8a63 Bump version to 9.17.0 2020-02-24 10:56:47 +01:00
Michał Kępień
9f34e0d5af Bump library API versions for BIND 9.17 2020-02-24 10:56:47 +01:00
Michał Kępień
5b7a34803f Add libuv information to win32utils/build.txt 2020-02-24 10:56:47 +01:00
Michał Kępień
9ad9c98021 Fix broken link in configure.ac 2020-02-24 10:56:47 +01:00
Michał Kępień
ca9e0113e7 Update PLATFORMS for BIND 9.17 2020-02-24 10:56:47 +01:00
Michał Kępień
ad8d44ed67 Update README and HISTORY for BIND 9.17 2020-02-24 10:56:47 +01:00
Michał Kępień
9ab9f0dde7 Update release notes for BIND 9.17.0 2020-02-24 10:56:47 +01:00
Evan Hunt
dafa8a3309 Merge branch '1632-spelling-take2' into 'master'
some Fossies-reported spelling errors were accidentally left unfixed

Closes #1632

See merge request isc-projects/bind9!3110
2020-02-21 22:14:32 +00:00
Evan Hunt
a2aa29ed4f some Fossies-reported spelling errors were accidentally left unfixed 2020-02-21 14:12:42 -08:00
Evan Hunt
2296df45d5 Merge branch 'each-dlz-build' into 'master'
fix build errors in DLZ modules

See merge request isc-projects/bind9!3092
2020-02-21 17:19:56 +00:00
Evan Hunt
a06620fe59 fix build errors in DLZ modules 2020-02-21 09:18:58 -08:00
Michał Kępień
bfa193ed97 Merge branch 'michal/clean-up-with-tuning-large-remnants' into 'master'
Clean up --with-tuning=large remnants

See merge request isc-projects/bind9!3071
2020-02-21 12:43:01 +00:00
Michał Kępień
a5fc3a6364 Clean up --with-tuning=large remnants
The change introduced by commit be159f5565
was not fully complete.  Adjust ./configure summary so that it reflects
the new way the --with-tuning switch works, fixing the Autoconf variable
used for determining the value of that switch.  Fix win32utils/Configure
so that it behaves the same way as its Unix counterpart.
2020-02-21 12:51:49 +01:00
Mark Andrews
86405d3bc1 Merge branch 'marka-fix-signature-test' into 'master'
Fix code to generate the test signatues.

See merge request isc-projects/bind9!3102
2020-02-21 06:36:34 +00:00
Mark Andrews
3a8c8a2a31 Fix code to generate the test signatues.
* ctx needs to be destroyed before it is regenerated.
* emit the name of the signature to be replaced.
* cleanup memory before asserting so post longjump doesn't detect a
  memory leak.
* comment code.
2020-02-20 22:28:58 -08:00
Evan Hunt
4ff87af38c Merge branch '1632-spelling' into 'master'
fix spelling errors reported by Fossies.

Closes #1632

See merge request isc-projects/bind9!3101
2020-02-21 06:28:09 +00:00
Mark Andrews
40fc5809cd update signatures 2020-02-21 15:05:08 +11:00
Evan Hunt
ba0313e649 fix spelling errors reported by Fossies. 2020-02-21 15:05:08 +11:00
Diego dos Santos Fronza
c13adf225e Merge branch '1279-named-compilezone-should-be-able-to-take-input-from-stdin' into 'master'
Resolve "named-compilezone should be able to take input from STDIN"

Closes #1279

See merge request isc-projects/bind9!2552
2020-02-20 15:26:51 +00:00
Diego Fronza
a3453c257b Added system test
Added a system test which ensures that named-checkzone works when
taking input data from stdin.
2020-02-20 11:19:13 -03:00
Diego Fronza
63c88f4a04 Enable named-checkzone and named-compilezone to take input from stdin
If a filename (the last argument) is not provided for named-checkzone or
named-compilezone, or if it is a single dash "-" character,
zone data will be read from stdin.

Example of invocation:
cat /etc/zone_name.db | named-compilezone -f text -F raw \
    -o zone_name.raw zone_name
2020-02-20 11:19:13 -03:00
Michał Kępień
121e9ddf97 Merge branch 'michal/make-a-sed-script-in-doc-arm-makefile.in-portable' into 'master'
Make a sed script in doc/arm/Makefile.in portable

See merge request isc-projects/bind9!3058
2020-02-20 11:26:33 +00:00
Michał Kępień
b25e6b51f6 Make a sed script in doc/arm/Makefile.in portable
BSD sed does not recognize \s as a whitespace matching token.  Make the
sed script in doc/arm/Makefile.in which ensures GitLab identifiers are
not split across lines portable by replacing \s with [[:space:]].
2020-02-20 12:23:36 +01:00
Michał Kępień
cc62ae9aaa Merge branch 'michal/increase-lifetime-of-docs-sid-amd64-artifacts' into 'master'
Increase lifetime of docs:sid:amd64 artifacts

See merge request isc-projects/bind9!3088
2020-02-20 10:55:19 +00:00
Michał Kępień
9751ba5a75 Increase lifetime of docs:sid:amd64 artifacts
Artifacts generated by the docs:sid:amd64 job need to be retained longer
than for other jobs as they are used for building bind.isc.org contents.
If these artifacts are removed too quickly, pipelines in the pages/bind
GitLab project start failing, preventing content updates from being
published.  Increase lifetime of the relevant job artifacts to prevent
this from happening.
2020-02-20 11:51:58 +01:00
Michał Kępień
192c7c29f9 Merge branch 'michal/fix-lib-isc-tests-socket_test-hangs' into 'master'
Fix lib/isc/tests/socket_test hangs

See merge request isc-projects/bind9!3072
2020-02-20 10:47:25 +00:00
Witold Krecicki
0fe149b2fa Fix lib/isc/tests/socket_test hangs 2020-02-20 11:39:15 +01:00
Witold Krecicki
dcb38db695 Merge branch 'wpk/perfork-2-libuv-tuning' into 'master'
Perfwork 2/6 - libuv tuning - support for uv_{recv/send}mmsg, use of libuv-provided uv_export/import

See merge request isc-projects/bind9!3066
2020-02-18 12:08:16 +00:00
Witold Kręcicki
093af1a609 Use libuv-provided uv_{export,import} if available.
We were using our own versions of isc_uv_{export,import} functions
for multithreaded TCP listeners. Upcoming libuv version will
contain proper uv_{export,import} functions - use them if they're
available.
2020-02-18 12:17:55 +01:00
Witold Kręcicki
a0d36d7601 Make nm->recvbuf larger and heap allocated, to allow uv_recvmmsg usage.
Upcoming version of libuv will suport uv_recvmmsg and uv_sendmmsg. To
use uv_recvmmsg we need to provide a larger buffer and be able to
properly free it.
2020-02-18 12:17:55 +01:00
Witold Krecicki
b9c660a023 Merge branch 'wpk/perfwork-1-client-mctxpool-taskpool' into 'master'
Perfwork 1/6 - Use thread-sharded mctxpool and taskpool in ns_client

See merge request isc-projects/bind9!3065
2020-02-18 11:13:07 +00:00
Witold Kręcicki
952f7b503d Use thread-friendly mctxpool and taskpool in ns_client.
Make ns_client mctxpool more thread-friendly by sharding it by
netmgr threadid, use task pool also sharded by thread id to avoid
lock contention.
2020-02-18 10:31:13 +01:00
Witold Kręcicki
23bd04d2f1 Make isc_task_pause/isc_task_unpause thread safe.
isc_task_pause/unpause were inherently thread-unsafe - a task
could be paused only once by one thread, if the task was running
while we paused it it led to races. Fix it by making sure that
the task will pause if requested to, and by using a 'pause reference
counter' to count task pause requests - a task will be unpaused
iff all threads unpause it.

Don't remove from queue when pausing task - we lock the queue lock
(expensive), while it's unlikely that the task will be running -
and we'll remove it anyway in dispatcher
2020-02-18 09:22:04 +00:00
Evan Hunt
b9a2b4cb74 Merge branch 'each-tweak-penalty' into 'master'
adjust the clang-format penalties to reduce string breaking

See merge request isc-projects/bind9!3079
2020-02-17 22:41:54 +00:00
Evan Hunt
0002377dca adjust the clang-format penalties to reduce string breaking
this corrects some style glitches such as:
```
        long_function_call(arg, arg2, arg3, arg4, arg5, "str"
                                                        "ing");
```
...by adjusting the penalties for breaking strings and call
parameter lists.
2020-02-17 14:23:58 -08:00
Ondřej Surý
e4671ef2fa Merge branch 'ondrej/fix-crash-on-arm64-from-weak-cmpxchg' into 'master'
Fix crash on arm64 from using atomic_compare_exchange_weak outside of the loop

See merge request isc-projects/bind9!3042
2020-02-16 17:41:30 +00:00
Ondřej Surý
4ff887db2c Add arm64 to GitLab CI 2020-02-16 18:09:19 +01:00
Ondřej Surý
4cf275ba8a Replace non-loop usage of atomic_compare_exchange_weak with strong variant
While testing BIND 9 on arm64 8+ core machine, it was discovered that
the weak variants in fact does spuriously fail, we haven't observed that
on other architectures.

This commit replaces all non-loop usage of atomic_compare_exchange_weak
with atomic_compare_exchange_strong.
2020-02-16 18:09:19 +01:00
Diego Fronza
fa68a0d869 Added atomic_compare_exchange_strong_acq_rel macro
It is much better to read than:
atomic_compare_exchange_strong_explicit() with 5 arguments.
2020-02-16 18:09:19 +01:00
Ondřej Surý
5e1202d1c9 Merge branch 'ondrej/clang-format-fixups' into 'master'
clang-format fixups

See merge request isc-projects/bind9!3073
2020-02-16 16:45:34 +00:00
Ondřej Surý
3832e3ecc9 Fixup the missing clang-format bits 2020-02-16 17:34:24 +01:00
Ondřej Surý
cbb127eb43 Switch to clang-format-10 that's more accessible on more platforms 2020-02-16 17:34:05 +01:00
Diego dos Santos Fronza
718ec80ed3 Merge branch '1472-threadsanitizer-lock-order-inversion-potential-deadlock-dns_resolver_createfetch-vs' into 'master'
Resolve "ThreadSanitizer: lock-order-inversion (potential deadlock) - dns_resolver_createfetch vs. dns_resolver_prime"

Closes #1472

See merge request isc-projects/bind9!3020
2020-02-14 18:21:12 +00:00
Diego Fronza
45543da802 Fixed disposing of resolver->references in destroy() function 2020-02-14 14:28:31 -03:00
Diego Fronza
e7b36924e2 Fixed potential-lock-inversion
This commit simplifies a bit the lock management within dns_resolver_prime()
and prime_done() functions by means of turning resolver's attribute
"priming" into an atomic_bool and by creating only one dependent object on the
lock "primelock", namely the "primefetch" attribute.

By having the attribute "priming" as an atomic type, it save us from having to
use a lock just to test if priming is on or off for the given resolver context
object, within "dns_resolver_prime" function.

The "primelock" lock is still necessary, since dns_resolver_prime() function
internally calls dns_resolver_createfetch(), and whenever this function
succeeds it registers an event in the task manager which could be called by
another thread, namely the "prime_done" function, and this function is
responsible for disposing the "primefetch" attribute in the resolver object,
also for resetting "priming" attribute to false.

It is important that the invariant "priming == false AND primefetch == NULL"
remains constant, so that any thread calling "dns_resolver_prime" knows for sure
that if the "priming" attribute is false, "primefetch" attribute should also be
NULL, so a new fetch context could be created to fulfill this purpose, and
assigned to "primefetch" attribute under the lock protection.

To honor the explanation above, dns_resolver_prime is implemented as follow:
	1. Atomically checks the attribute "priming" for the given resolver context.
	2. If "priming" is false, assumes that "primefetch" is NULL (this is
           ensured by the "prime_done" implementation), acquire "primelock"
	   lock and create a new fetch context, update "primefetch" pointer to
	   point to the newly allocated fetch context.
	3. If "priming" is true, assumes that the job is already in progress,
	   no locks are acquired, nothing else to do.

To keep the previous invariant consistent, "prime_done" is implemented as follow:
	1. Acquire "primefetch" lock.
	2. Keep a reference to the current "primefetch" object;
	3. Reset "primefetch" attribute to NULL.
	4. Release "primefetch" lock.
	5. Atomically update "priming" attribute to false.
	6. Destroy the "primefetch" object by using the temporary reference.

This ensures that if "priming" is false, "primefetch" was already reset to NULL.

It doesn't make any difference in having the "priming" attribute not protected
by a lock, since the visible state of this variable would depend on the calling
order of the functions "dns_resolver_prime" and "prime_done".

As an example, suppose that instead of using an atomic for the "priming" attribute
we employed a lock to protect it.
Now suppose that "prime_done" function is called by Thread A, it is then preempted
before acquiring the lock, thus not reseting "priming" to false.
In parallel to that suppose that a Thread B is scheduled and that it calls
"dns_resolver_prime()", it then acquires the lock and check that "priming" is true,
thus it will consider that this resolver object is already priming and it won't do
any more job.
Conversely if the lock order was acquired in the other direction, Thread B would check
that "priming" is false (since prime_done acquired the lock first and set "priming" to false)
and it would initiate a priming fetch for this resolver.

An atomic variable wouldn't change this behavior, since it would behave exactly the
same, depending on the function call order, with the exception that it would avoid
having to use a lock.

There should be no side effects resulting from this change, since the previous
implementation employed use of the more general resolver's "lock" mutex, which
is used in far more contexts, but in the specifics of the "dns_resolver_prime"
and "prime_done" it was only used to protect "primefetch" and "priming" attributes,
which are not used in any of the other critical sections protected by the same lock,
thus having zero dependency on those variables.
2020-02-14 14:28:31 -03:00
Diego Fronza
c210413a8a Added atomic_compare_exchange_strong_acq_rel macro
It is much better to read than:
atomic_compare_exchange_strong_explicit() with 5 arguments.
2020-02-14 11:41:36 -03:00
Ondřej Surý
a04cdde45d Merge branch '46-enforce-clang-format-rules' into 'master'
Start enforcing the clang-format rules on changed files

Closes #46

See merge request isc-projects/bind9!3063
2020-02-14 08:45:45 +00:00
Ondřej Surý
60d29f695b Don't enforce copyrights on .clang-format 2020-02-14 09:43:13 +01:00
Ondřej Surý
5777c44ad0 Reformat using the new rules 2020-02-14 09:31:05 +01:00
Ondřej Surý
654927c871 Add separate .clang-format files for headers 2020-02-14 09:31:05 +01:00
Ondřej Surý
618947c63b Switch AlwaysBreakAfterReturnType from TopLevelDefinitions to All
The AlwaysBreakAfterReturnType: TopLevelDefinitions was unwrapping
the declarations of the functions in the header files.
2020-02-14 09:07:46 +01:00
Ondřej Surý
d2b5853b8e Start enforcing the clang-format rules on changed files 2020-02-14 09:07:46 +01:00
Ondřej Surý
d3b49b6675 Merge branch 'each-style-tweak' into 'master'
adjust clang-format options to get closer to ISC style

See merge request isc-projects/bind9!3061
2020-02-14 05:35:17 +00:00
Evan Hunt
e851ed0bb5 apply the modified style 2020-02-13 15:05:06 -08:00
Evan Hunt
0255a97473 revise .clang-format and add a C formatting script in util
- add util/cformat.sh, which runs clang-format on all C files with
  the default .clang-format, and on all header files with a slightly
  modified version.
- use correct bracing after multi-line control statements
- stop aligning variable declarations to avoid problems with pointer
  alignment, but retain aligned declarations in header files so that
  struct definitions look cleaner.
- static function prototypes in C files can skip the line break after
  the return type, but function prototypes in header files still have
  the line break.
- don't break-before-brace in function definitions. ISC style calls
  for braces on the same line when function parameters fit on a single
  line, and a line break if they don't, but clang-format doesn't yet
  support that distinction. one-line function definitions are about
  four times more common than multi-line, so let's use the option that
  deviates less.
2020-02-13 15:04:36 -08:00
Ondřej Surý
67b68e06ad Merge branch '46-add-curly-braces' into 'master'
Add curly braces using uncrustify and then reformat with clang-format back

Closes #46

See merge request isc-projects/bind9!3057
2020-02-13 21:28:07 +00:00
Ondřej Surý
056e133c4c Use clang-tidy to add curly braces around one-line statements
The command used to reformat the files in this commit was:

./util/run-clang-tidy \
	-clang-tidy-binary clang-tidy-11
	-clang-apply-replacements-binary clang-apply-replacements-11 \
	-checks=-*,readability-braces-around-statements \
	-j 9 \
	-fix \
	-format \
	-style=file \
	-quiet
clang-format -i --style=format $(git ls-files '*.c' '*.h')
uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h')
clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 22:07:21 +01:00
Ondřej Surý
d14bb71319 Add copy of run-clang-tidy that can fixup the filepaths 2020-02-13 22:06:05 +01:00
Ondřej Surý
36c6105e4f Use coccinelle to add braces to nested single line statement
Both clang-tidy and uncrustify chokes on statement like this:

for (...)
	if (...)
		break;

This commit uses a very simple semantic patch (below) to add braces around such
statements.

Semantic patch used:

@@
statement S;
expression E;
@@

while (...)
- if (E) S
+ { if (E) { S } }

@@
statement S;
expression E;
@@

for (...;...;...)
- if (E) S
+ { if (E) { S } }

@@
statement S;
expression E;
@@

if (...)
- if (E) S
+ { if (E) { S } }
2020-02-13 21:58:55 +01:00
Michal Nowak
c823ed4f07 Merge branch 'mnowak/coverity-disable-web-tag' into 'master'
Run Coverity Scan only when specific variables are present

See merge request isc-projects/bind9!3050
2020-02-12 14:44:56 +00:00
Michal Nowak
eec29e3477 Run Coverity Scan only when specific variables are present
Submissions to Coverity Scan should be limited to those originated from
release branches and only from a specific schedule which holds
COVERITY_SCAN_PROJECT_NAME and COVERITY_SCAN_TOKEN variables.
2020-02-12 14:44:55 +00:00
Ondřej Surý
7099e79a9b Merge branch '46-just-use-clang-format-to-reformat-sources' into 'master'
Reformat source code with clang-format

Closes #46

See merge request isc-projects/bind9!2156
2020-02-12 14:33:32 +00:00
Ondřej Surý
df6c1f76ad Remove tkey_test (which is no-op anyway) 2020-02-12 15:04:17 +01:00
Ondřej Surý
11341c7688 Update the definition files for Windows 2020-02-12 15:04:17 +01:00
Ondřej Surý
f50b1e0685 Use clang-format to reformat the source files 2020-02-12 15:04:17 +01:00
Ondřej Surý
4c3b063ef8 Import Linux kernel .clang-format with small modifications 2020-02-12 14:01:08 +01:00
3133 changed files with 127535 additions and 170162 deletions

View File

@@ -11,7 +11,6 @@ BraceWrapping:
AfterFunction: false # should also be MultiLine, but not yet supported
AfterExternBlock: false
BeforeElse: false
BeforeWhile: false
IndentBraces: false
SplitEmptyFunction: true
AllowShortIfStatementsOnASingleLine: false
@@ -20,7 +19,6 @@ AlwaysBreakAfterReturnType: All
Cpp11BracedListStyle: false
ColumnLimit: 80
AlignAfterOpenBracket: Align
AlignConsecutiveBitFields: true
AlignConsecutiveDeclarations: false
AlignConsecutiveMacros: true
AlignTrailingComments: true
@@ -64,7 +62,6 @@ IncludeCategories:
Priority: 1
- Regex: '.*'
Priority: 0
IndentExternBlock: NoIndent
KeepEmptyLinesAtTheStartOfBlocks: false
MaxEmptyLinesToKeep: 1
PenaltyBreakAssignment: 30

View File

@@ -11,7 +11,6 @@ BraceWrapping:
AfterFunction: false # should also be MultiLine, but not yet supported
AfterExternBlock: false
BeforeElse: false
BeforeWhile: false
IndentBraces: false
SplitEmptyFunction: true
AllowShortIfStatementsOnASingleLine: false
@@ -20,7 +19,6 @@ AlwaysBreakAfterReturnType: All
Cpp11BracedListStyle: false
ColumnLimit: 80
AlignAfterOpenBracket: Align
AlignConsecutiveBitFields: true
AlignConsecutiveDeclarations: true
AlignConsecutiveMacros: true
AlignTrailingComments: true
@@ -52,7 +50,6 @@ IncludeCategories:
Priority: 1
- Regex: '".*"'
Priority: 9
IndentExternBlock: NoIndent
KeepEmptyLinesAtTheStartOfBlocks: false
MaxEmptyLinesToKeep: 1
PenaltyBreakAssignment: 30

View File

@@ -106,9 +106,6 @@
(list
"--enable=all"
"--suppress=missingIncludeSystem"
"--suppress=nullPointerRedundantCheck"
(concat "--suppressions-list=" (expand-file-name
(concat directory-of-current-dir-locals-file "util/suppressions.txt")))
(concat "-include=" (expand-file-name
(concat directory-of-current-dir-locals-file "config.h")))
)

2
.gitattributes vendored
View File

@@ -1,8 +1,6 @@
*.sln.in eol=crlf
*.vcxproj.* eol=crlf
/fuzz/dns_rdata_fromwire_text.in/input-* -text
.gitignore export-ignore
/conftools export-ignore
/doc/design export-ignore

5
.gitignore vendored
View File

@@ -4,15 +4,16 @@
*.gcno
*.la
*.lo
*.log
*.o
*.orig
*.plist/ # ccc-analyzer store its results in .plist directories
*.rej
*.so
*.trs
*_test
*.ipch # vscode/intellisense precompiled header
*~
__pycache__/
.ccache/
.cproject
.deps/
@@ -52,6 +53,7 @@ __pycache__/
/stamp-h1
/test-driver
Makefile
Makefile.in
ans.run
gen.dSYM/
kyua.log
@@ -63,3 +65,4 @@ timestamp
/cppcheck.results
/tsan
/util/check-make-install
/INSTALL

File diff suppressed because it is too large Load Diff

View File

@@ -59,6 +59,7 @@
- [ ] ***(QA)*** Ensure all new tags are annotated and signed.
- [ ] ***(SwEng)*** Push tags for the published releases to the public repository.
- [ ] ***(SwEng)*** Merge the automatically prepared `prep 9.X.Y` commit which updates `version` and documentation on the release branch into the relevant maintenance branch (`v9_X`).
- [ ] ***(QA)*** For each maintained branch, update the `BIND_BASELINE_VERSION` variable for the `abi-check:sid:amd64` job in `.gitlab-ci.yml` to the latest published BIND version tag for a given branch.
[^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.

35
.lgtm.yml Normal file
View File

@@ -0,0 +1,35 @@
extraction:
cpp:
prepare:
packages:
- "libxml2-dev"
- "libjson-c-dev"
- "libssl-dev"
- "zlib1g-dev"
- "libcmocka-dev"
- "pkg-config"
- "libcap2-dev"
- "libedit-dev"
- "libidn2-dev"
- "libmaxminddb-dev"
- "libuv1-dev"
configure:
command:
- "autoreconf -fi"
- "CFLAGS=\"-Og -g\" ./configure --enable-developer"
path_classifiers:
test:
- "lib/*/tests/"
- "bin/tests/"
docs:
- "**/*.xml"
- "**/*.docbook"
- "**/*.html"
- "**/*.1"
- "**/*.5"
- "**/*.8"
queries:
- exclude: libltdl/
- exclude: fuzz/
- exclude: "bin/tests/system/*/ans*/*.py"
- exclude: cpp/use-of-goto

View File

@@ -4,5 +4,3 @@ disable=
C0115, # missing-class-docstring
C0116, # missing-function-docstring
R0801, # duplicate-code
C0103, # invalid-name
C0415,# import-outside-toplevel

53
AUTHORS Normal file
View File

@@ -0,0 +1,53 @@
Mark Andrews
Andreas Gustafsson
Evan Hunt
Brian Wellington
Bob Halley
David Lawrence
Michael Graff
Michael Sawyer
Ondřej Surý
James Brister
Tatuya JINMEI 神明達哉
Francis Dupont
Michał Kępień
Danny Mayer
Mukund Sivaraman
Jeremy C. Reed
William King
Stephen Morris
Witold Kręcicki
Curtis Blackburn
Scott Mann
Rob Austein
Jim Reid
Eric Luce
Olafur Gudmundsson
Stephen Jacob
Damien Neil
Tony Finch
Jakob Schlyter
Petr Menšík
Vernon Schryver
Matt Nelson
Shane Kerr
Paul Ebersman
Ray Bellis
Shawn Routhier
Ben Cottrell
Tomas Hozza
johnd
Bill Parker
李昶
Kevin Chen
Jonathan Casey
Mary Stahl
Mathieu Arnold
David Hankins
Paul Hoffman
Paul Vixie
Brian Conry
Anay Panvalkar
colleen
Robert Edmonds
João Damas

765
CHANGES
View File

@@ -1,738 +1,31 @@
--- 9.16.15 released ---
5621. [bug] Due to a backporting mistake in change 5609, named
binaries built against a Kerberos/GSSAPI library whose
header files did not define the GSS_SPNEGO_MECHANISM
preprocessor macro were not able to start if their
configuration included the "tkey-gssapi-credential"
option. This has been fixed. [GL #2634]
5620. [bug] If zone journal files written by BIND 9.16.11 or earlier
were present when BIND was upgraded, the zone file for
that zone could have been inadvertently rewritten with
the current zone contents. This caused the original zone
file structure (e.g. comments, $INCLUDE directives) to
be lost, although the zone data itself was preserved.
This has been fixed. [GL #2623]
--- 9.16.14 released ---
5617. [security] A specially crafted GSS-TSIG query could cause a buffer
overflow in the ISC implementation of SPNEGO.
(CVE-2021-25216) [GL #2604]
5616. [security] named crashed when a DNAME record placed in the ANSWER
section during DNAME chasing turned out to be the final
answer to a client query. (CVE-2021-25215) [GL #2540]
5615. [security] Insufficient IXFR checks could result in named serving a
zone without an SOA record at the apex, leading to a
RUNTIME_CHECK assertion failure when the zone was
subsequently refreshed. This has been fixed by adding an
owner name check for all SOA records which are included
in a zone transfer. (CVE-2021-25214) [GL #2467]
5614. [bug] Ensure all resources are properly cleaned up when a call
to gss_accept_sec_context() fails. [GL #2620]
5613. [bug] It was possible to write an invalid transaction header
in the journal file for a managed-keys database after
upgrading. This has been fixed. Invalid headers in
existing journal files are detected and named is able
to recover from them. [GL #2600]
5611. [func] Set "stale-answer-client-timeout" to "off" by default.
[GL #2608]
5610. [bug] Prevent a crash which could happen when a lookup
triggered by "stale-answer-client-timeout" was attempted
right after recursion for a client query finished.
[GL #2594]
5609. [func] The ISC implementation of SPNEGO was removed from BIND 9
source code. It was no longer necessary as all major
contemporary Kerberos/GSSAPI libraries include support
for SPNEGO. [GL #2607]
5608. [bug] When sending queries over TCP, dig now properly handles
"+tries=1 +retry=0" by not retrying the connection when
the remote server closes the connection prematurely.
[GL #2490]
5607. [bug] As "rndc dnssec -checkds" and "rndc dnssec -rollover"
commands may affect the next scheduled key event,
reconfiguration of zone keys is now triggered after
receiving either of these commands to prevent
unnecessary key rollover delays. [GL #2488]
5606. [bug] CDS/CDNSKEY DELETE records are now removed when a zone
transitions from a secure to an insecure state.
named-checkzone also no longer reports an error when
such records are found in an unsigned zone. [GL #2517]
5605. [bug] "dig -u" now uses the CLOCK_REALTIME clock source for
more accurate time reporting. [GL #2592]
5603. [bug] Fix a memory leak that occurred when named failed to
bind a UDP socket to a network interface. [GL #2575]
5602. [bug] Fix TCPDNS and TLSDNS timers in Network Manager. This
makes the "tcp-initial-timeout" and "tcp-idle-timeout"
options work correctly again. [GL #2583]
5601. [bug] Zones using KASP could not be thawed after they were
frozen using "rndc freeze". This has been fixed.
[GL #2523]
--- 9.16.13 released ---
5597. [bug] When serve-stale was enabled and starting the recursive
resolution process for a query failed, a named instance
could crash if it was configured as both a recursive and
authoritative server. This problem was introduced by
change 5573 and has now been fixed. [GL #2565]
5595. [cleanup] Public header files for BIND 9 libraries no longer
directly include third-party library headers. This
prevents the need to include paths to third-party header
files in CFLAGS whenever BIND 9 public header files are
used, which could cause build-time issues on hosts with
older versions of BIND 9 installed. [GL #2357]
5594. [bug] Building with --enable-dnsrps --enable-dnsrps-dl failed.
[GL #2298]
5593. [bug] Journal files written by older versions of named can now
be read when loading zones, so that journal
incompatibility does not cause problems on upgrade.
Outdated journals are updated to the new format after
loading. [GL #2505]
5592. [bug] Prevent hazard pointer table overflows on machines with
many cores, by allowing the thread IDs (serving as
indices into hazard pointer tables) of finished threads
to be reused by those created later. [GL #2396]
5591. [bug] Fix a crash that occurred when
"stale-answer-client-timeout" was triggered without any
(stale) data available in the cache to answer the query.
[GL #2503]
5590. [bug] NSEC3 records were not immediately created for dynamic
zones using NSEC3 with "dnssec-policy", resulting in
such zones going bogus. Add code to process the
NSEC3PARAM queue at zone load time so that NSEC3 records
for such zones are created immediately. [GL #2498]
5588. [func] Add a new "purge-keys" option for "dnssec-policy". This
option determines the period of time for which key files
are retained after they become obsolete. [GL #2408]
5586. [bug] An invalid direction field in a LOC record resulted in
an INSIST failure when a zone file containing such a
record was loaded. [GL #2499]
5584. [bug] No longer set the IP_DONTFRAG option on UDP sockets, to
prevent dropping outgoing packets exceeding
"max-udp-size". [GL #2466]
5582. [bug] BIND 9 failed to build when static OpenSSL libraries
were used and the pkg-config files for libssl and/or
libcrypto were unavailable. This has been fixed by
ensuring that the correct linking order for libssl and
libcrypto is always used. [GL #2402]
5581. [bug] Fix a memory leak that occurred when inline-signed zones
were added to the configuration, followed by a
reconfiguration of named. [GL #2041]
5580. [test] The system test framework no longer differentiates
between SKIPPED and UNTESTED system test results. Any
system test which is not run is now marked as SKIPPED.
[GL !4517]
5573. [func] When serve-stale is enabled and stale data is available,
named now returns stale answers upon encountering any
unexpected error in the query resolution process.
However, the "stale-refresh-time" window is still only
started upon a timeout. [GL #2434]
5564. [cleanup] Network manager's TLSDNS module was refactored to use
libuv and libssl directly instead of a stack of TCP/TLS
sockets. [GL #2335]
--- 9.16.12 released ---
5578. [protocol] Make "check-names" accept A records below "_spf",
"_spf_rate", and "_spf_verify" labels in order to cater
for the "exists" SPF mechanism specified in RFC 7208
section 5.7 and appendix D.1. [GL #2377]
5577. [bug] Fix the "three is a crowd" key rollover bug in KASP by
correctly implementing Equation (2) of the "Flexible and
Robust Key Rollover" paper. [GL #2375]
5575. [bug] When migrating to KASP, BIND 9 considered keys with the
"Inactive" and/or "Delete" timing metadata to be
possible active keys. This has been fixed. [GL #2406]
5572. [bug] Address potential double free in generatexml().
[GL #2420]
5571. [bug] named failed to start when its configuration included a
zone with a non-builtin "allow-update" ACL attached.
[GL #2413]
5570. [bug] Improve performance of the DNSSEC verification code by
reducing the number of repeated calls to
dns_dnssec_keyfromrdata(). [GL #2073]
5569. [bug] Emit useful error message when "rndc retransfer" is
applied to a zone of inappropriate type. [GL #2342]
5568. [bug] Fixed a crash in "dnssec-keyfromlabel" when using ECDSA
keys. [GL #2178]
5567. [bug] Dig now reports unknown dash options while pre-parsing
the options. This prevents "-multi" instead of "+multi"
from reporting memory usage before ending option parsing
with "Invalid option: -lti". [GL #2403]
5566. [func] Add "stale-answer-client-timeout" option, which is the
amount of time a recursive resolver waits before
attempting to answer the query using stale data from
cache. [GL #2247]
5565. [func] The SONAMEs for BIND 9 libraries now include the current
BIND 9 version number, in an effort to tightly couple
internal libraries with a specific release. [GL #2387]
5562. [security] Fix off-by-one bug in ISC SPNEGO implementation.
(CVE-2020-8625) [GL #2354]
5561. [bug] KASP incorrectly set signature validity to the value of
the DNSKEY signature validity. This is now fixed.
[GL #2383]
5560. [func] The default value of "max-stale-ttl" has been changed
from 12 hours to 1 day and the default value of
"stale-answer-ttl" has been changed from 1 second to 30
seconds, following RFC 8767 recommendations. [GL #2248]
5456. [func] Added "primaries" as a synonym for "masters" in
named.conf, and "primary-only" as a synonym for
"master-only" in the parameters to "notify", to bring
terminology up-to-date with RFC 8499. [GL #1948]
5362. [func] Limit the size of IXFR responses so that AXFR will
be used instead if it would be smaller. This is
controlled by the "max-ixfr-ratio" option, which
is a percentage representing the ratio of IXFR size
to the size of the entire zone. This value cannot
exceed 100%, which is the default. [GL #1515]
--- 9.16.11 released ---
5559. [bug] The --with-maxminddb=PATH form of the build-time option
enabling support for libmaxminddb was not working
correctly. This has been fixed. [GL #2366]
5557. [bug] Prevent RBTDB instances from being destroyed by multiple
threads at the same time. [GL #2317]
5556. [bug] Further tweak newline printing in dnssec-signzone and
dnssec-verify. [GL #2359]
5555. [bug] server->reload_status was not properly initialized.
[GL #2361]
5554. [bug] dnssec-signzone and dnssec-verify were missing newlines
between log messages. [GL #2359]
5553. [bug] When reconfiguring named, removing "auto-dnssec" did not
turn off DNSSEC maintenance. [GL #2341]
5552. [func] When switching to "dnssec-policy none;", named now
permits a safe transition to insecure mode and publishes
the CDS and CDNSKEY DELETE records, as described in RFC
8078. [GL #1750]
5551. [bug] named no longer attempts to assign threads to CPUs
outside the CPU affinity set. Thanks to Ole Bjørn
Hessen. [GL #2245]
5550. [func] dnssec-signzone and named now log a warning when falling
back to the "increment" SOA serial method. [GL #2058]
5545. [func] OS support for load-balanced sockets is no longer
required to receive incoming queries in multiple netmgr
threads. [GL #2137]
5543. [bug] Fix UDP performance issues caused by making netmgr
callbacks asynchronous-only. [GL #2320]
5542. [bug] Refactor netmgr. [GL #1920] [GL #2034] [GL #2061]
[GL #2194] [GL #2221] [GL #2266] [GL #2283] [GL #2318]
[GL #2321]
--- 9.16.10 released ---
5544. [func] Restore the default value of "nocookie-udp-size" to 4096
bytes. [GL #2250]
5541. [func] Adjust the "max-recursion-queries" default from 75 to
100. [GL #2305]
5540. [port] Fix building with native PKCS#11 support for AEP Keyper.
[GL #2315]
5539. [bug] Tighten handling of missing DNS COOKIE responses over
UDP by falling back to TCP. [GL #2275]
5538. [func] Add NSEC3 support to KASP. A new option for
"dnssec-policy", "nsec3param", can be used to set the
desired NSEC3 parameters. NSEC3 salt collisions are
automatically prevented during resalting. Salt
generation is now logged with zone context. [GL #1620]
5534. [bug] The CNAME synthesized from a DNAME was incorrectly
followed when the QTYPE was CNAME or ANY. [GL #2280]
--- 9.16.9 released ---
5533. [func] Add the "stale-refresh-time" option, a time window that
starts after a failed lookup, during which a stale RRset
is served directly from cache before a new attempt to
refresh it is made. [GL #2066]
5530. [bug] dnstap did not capture responses to forwarded UPDATE
requests. [GL #2252]
5527. [bug] A NULL pointer dereference occurred when creating an NTA
recheck query failed. [GL #2244]
5525. [bug] Change 5503 inadvertently broke cross-compilation by
replacing a call to AC_LINK_IFELSE() with a call to
AC_RUN_IFELSE() in configure.ac. This has been fixed,
making cross-compilation possible again. [GL #2237]
5523. [bug] The initial lookup in a zone transitioning to/from a
signed state could fail if the DNSKEY RRset was not
found. [GL #2236]
5522. [bug] Fixed a race/NULL dereference in TCPDNS send. [GL #2227]
5520. [bug] Fixed a number of shutdown races, reference counting
errors, and spurious log messages that could occur
in the network manager. [GL #2221]
5518. [bug] Stub zones now work correctly with primary servers using
"minimal-responses yes". [GL #1736]
5517. [bug] Do not treat UV_EOF as a TCP4RecvErr or a TCP6RecvErr.
[GL #2208]
--- 9.16.8 released ---
5516. [func] The default EDNS buffer size has been changed from 4096
to 1232 bytes. [GL #2183]
5515. [func] Add 'rndc dnssec -rollover' command to trigger a manual
rollover for a specific key. [GL #1749]
5514. [bug] Fix KASP expected key size for Ed25519 and Ed448.
[GL #2171]
5513. [doc] The ARM section describing the "rrset-order" statement
was rewritten to make it unambiguous and up-to-date with
the source code. [GL #2139]
5512. [bug] "rrset-order" rules using "order none" were causing
named to crash despite named-checkconf treating them as
valid. [GL #2139]
5511. [bug] 'dig -u +yaml' failed to display timestamps to the
microsecond. [GL #2190]
5510. [bug] Implement the attach/detach semantics for dns_message_t
to fix a data race in accessing an already-destroyed
fctx->rmessage. [GL #2124]
5509. [bug] filter-aaaa: named crashed upon shutdown if it was in
the process of recursing for A RRsets. [GL #1040]
5508. [func] Added new parameter "-expired" for "rndc dumpdb" that
also prints expired RRsets (awaiting cleanup) to the
dump file. [GL #1870]
5507. [bug] Named could compute incorrect SIG(0) responses.
[GL #2109]
5506. [bug] Properly handle failed sysconf() calls, so we don't
report invalid memory size. [GL #2166]
5505. [bug] Updating contents of a mixed-case RPZ could cause some
rules to be ignored. [GL #2169]
5503. [bug] Cleaned up reference counting of network manager
handles, now using isc_nmhandle_attach() and _detach()
instead of _ref() and _unref(). [GL #2122]
--- 9.16.7 released ---
5501. [func] Log CDS/CDNSKEY publication. [GL #1748]
5500. [bug] Fix (non-)publication of CDS and CDNSKEY records.
[GL #2103]
5499. [func] Add '-P ds' and '-D ds' arguments to dnssec-settime.
[GL #1748]
5497. [bug] 'dig +bufsize=0' failed to disable EDNS. [GL #2054]
5496. [bug] Address a TSAN report by ensuring each rate limiter
object holds a reference to its task. [GL #2081]
5495. [bug] With query minimization enabled, named failed to
resolve ip6.arpa. names that had extra labels to the
left of the IPv6 part. [GL #1847]
5494. [bug] Silence the EPROTO syslog message on older systems.
[GL #1928]
5493. [bug] Fix off-by-one error when calculating new hash table
size. [GL #2104]
5492. [bug] Tighten LOC parsing to reject a period (".") and/or "m"
as a value. Fix handling of negative altitudes which are
not whole meters. [GL #2074]
5491. [bug] rbtversion->glue_table_size could be read without the
appropriate lock being held. [GL #2080]
5489. [bug] Named erroneously accepted certain invalid resource
records that were incorrectly processed after
subsequently being written to disk and loaded back, as
the wire format differed. Such records include: CERT,
IPSECKEY, NSEC3, NSEC3PARAM, NXT, SIG, TLSA, WKS, and
X25. [GL !3953]
5488. [bug] NTA code needed to have a weak reference on its
associated view to prevent the latter from being deleted
while NTA tests were being performed. [GL #2067]
5486. [func] Add 'rndc dnssec -checkds' command, which signals to
named that the DS record for a given zone or key has
been updated in the parent zone. [GL #1613]
--- 9.16.6 released ---
5484. [func] Expire zero TTL records quickly rather than using them
for stale answers. [GL #1829]
5483. [func] A new configuration option "stale-cache-enable" has been
introduced to enable or disable keeping stale answers in
cache. [GL #1712]
5482. [bug] If the Duplicate Address Detection (DAD) mechanism had
not yet finished after adding a new IPv6 address to the
system, BIND 9 would fail to bind to IPv6 addresses in a
tentative state. [GL #2038]
5481. [security] "update-policy" rules of type "subdomain" were
incorrectly treated as "zonesub" rules, which allowed
keys used in "subdomain" rules to update names outside
of the specified subdomains. The problem was fixed by
making sure "subdomain" rules are again processed as
described in the ARM. (CVE-2020-8624) [GL #2055]
5480. [security] When BIND 9 was compiled with native PKCS#11 support, it
was possible to trigger an assertion failure in code
determining the number of bits in the PKCS#11 RSA public
key with a specially crafted packet. (CVE-2020-8623)
[GL #2037]
5479. [security] named could crash in certain query resolution scenarios
where QNAME minimization and forwarding were both
enabled. (CVE-2020-8621) [GL #1997]
5478. [security] It was possible to trigger an assertion failure by
sending a specially crafted large TCP DNS message.
(CVE-2020-8620) [GL #1996]
5477. [bug] The idle timeout for connected TCP sockets, which was
previously set to a high fixed value, is now derived
from the client query processing timeout configured for
a resolver. [GL #2024]
5476. [security] It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
(CVE-2020-8622) [GL #2028]
5475. [bug] Wildcard RPZ passthru rules could incorrectly be
overridden by other rules that were loaded from RPZ
zones which appeared later in the "response-policy"
statement. This has been fixed. [GL #1619]
5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
when it should have. [GL !3880]
5473. [func] The RBT hash table implementation has been changed
to use a faster hash function (HalfSipHash2-4) and
Fibonacci hashing for better distribution. Setting
"max-cache-size" now preallocates a fixed-size hash
table so that rehashing does not cause resolution
brownouts while the hash table is grown. [GL #1775]
5471. [bug] The introduction of KASP support inadvertently caused
the second field of "sig-validity-interval" to always be
calculated in hours, even in cases when it should have
been calculated in days. This has been fixed. (Thanks to
Tony Finch.) [GL !3735]
5469. [port] On illumos, a constant called SEC is already defined in
<sys/time.h>, which conflicts with an identically named
constant in libbind9. This conflict has been resolved.
[GL #1993]
5468. [bug] Addressed potential double unlock in process_fd().
[GL #2005]
5466. [bug] Addressed an error in recursive clients stats reporting.
[GL #1719]
5465. [func] Added fallback to built-in trust-anchors, managed-keys,
or trusted-keys if the bindkeys-file (bind.keys) cannot
be parsed. [GL #1235]
5464. [bug] Requesting more than 128 files to be saved when rolling
dnstap log files caused a buffer overflow. This has been
fixed. [GL #1989]
5462. [bug] Move LMDB locking from LMDB itself to named. [GL #1976]
5461. [bug] The STALE rdataset header attribute was updated while
the write lock was not being held, leading to incorrect
statistics. The header attributes are now converted to
use atomic operations. [GL #1475]
--- 9.16.5 released ---
5458. [bug] Prevent a theoretically possible NULL dereference caused
by a data race between zone_maintenance() and
dns_zone_setview_helper(). [GL #1627]
5455. [bug] named could crash when cleaning dead nodes in
lib/dns/rbtdb.c that were being reused. [GL #1968]
5454. [bug] Address a startup crash that occurred when the server
was under load and the root zone had not yet been
loaded. [GL #1862]
5453. [bug] named crashed on shutdown when a new rndc connection was
received during shutdown. [GL #1747]
5452. [bug] The "blackhole" ACL was accidentally disabled for client
queries. [GL #1936]
5451. [func] Add 'rndc dnssec -status' command. [GL #1612]
5449. [bug] Fix a socket shutdown race in netmgr udp. [GL #1938]
5448. [bug] Fix a race condition in isc__nm_tcpdns_send().
[GL #1937]
5447. [bug] IPv6 addresses ending in "::" could break YAML
parsing. A "0" is now appended to such addresses
in YAML output from dig, mdig, delv, and dnstap-read.
[GL #1952]
5446. [bug] The validator could fail to accept a properly signed
RRset if an unsupported algorithm appeared earlier in
the DNSKEY RRset than a supported algorithm. It could
also stop if it detected a malformed public key.
[GL #1689]
5444. [bug] 'rndc dnstap -roll <value>' did not limit the number of
saved files to <value>. [GL !3728]
5443. [bug] The "primary" and "secondary" keywords, when used
as parameters for "check-names", were not
processed correctly and were being ignored. [GL #1949]
5441. [bug] ${LMDB_CFLAGS} was missing from make/includes.in.
[GL #1955]
5440. [test] Properly handle missing kyua. [GL #1950]
5439. [bug] The DS RRset returned by dns_keynode_dsset() was used in
a non-thread-safe manner. [GL #1926]
--- 9.16.4 released ---
5438. [bug] Fix a race in TCP accepting code. [GL #1930]
5437. [bug] Fix a data race in lib/dns/resolver.c:log_formerr().
[GL #1808]
5436. [security] It was possible to trigger an INSIST when determining
whether a record would fit into a TCP message buffer.
(CVE-2020-8618) [GL #1850]
5435. [tests] Add RFC 4592 responses examples to the wildcard system
test. [GL #1718]
5434. [security] It was possible to trigger an INSIST in
lib/dns/rbtdb.c:new_reference() with a particular zone
content and query patterns. (CVE-2020-8619) [GL #1111]
[GL #1718]
5431. [func] Reject DS records at the zone apex when loading
master files. Log but otherwise ignore attempts to
add DS records at the zone apex via UPDATE. [GL #1798]
5430. [doc] Update docs - with netmgr, a separate listening socket
is created for each IPv6 interface (just as with IPv4).
[GL #1782]
5428. [bug] Clean up GSSAPI resources in nsupdate only after taskmgr
has been destroyed. Thanks to Petr Menšík. [GL !3316]
5426. [bug] Don't abort() when setting SO_INCOMING_CPU on the socket
fails. [GL #1911]
5425. [func] The default value of "max-stale-ttl" has been changed
from 1 week to 12 hours. [GL #1877]
5424. [bug] With KASP, when creating a successor key, the "goal"
state of the current active key (predecessor) was not
changed and thus never removed from the zone. [GL #1846]
5423. [bug] Fix a bug in keymgr_key_has_successor(): it incorrectly
returned true if any other key in the keyring had a
successor. [GL #1845]
5422. [bug] When using dnssec-policy, print correct key timing
metadata. [GL #1843]
5421. [bug] Fix a race that could cause named to crash when looking
up the nodename of an RBT node if the tree was modified.
[GL #1857]
5420. [bug] Add missing isc_{mutex,conditional}_destroy() calls
that caused a memory leak on FreeBSD. [GL #1893]
5418. [bug] delv failed to parse deprecated trusted-keys-style
trust anchors. [GL #1860]
5416. [bug] Fix a lock order inversion in lib/isc/unix/socket.c.
[GL #1859]
5415. [test] Address race in dnssec system test that led to
test failures. [GL #1852]
5414. [test] Adjust time allowed for journal truncation to occur
in nsupdate system test to avoid test failure.
[GL #1855]
5413. [test] Address race in autosign system test that led to
test failures. [GL #1852]
5412. [bug] 'provide-ixfr no;' failed to return up-to-date responses
when the serial was greater than or equal to the
current serial. [GL #1714]
5411. [cleanup] TCP accept code has been refactored to use a single
accept() and pass the accepted socket to child threads
for processing. [GL !3320]
5409. [performance] When looking up NSEC3 data in a zone database, skip the
check for empty non-terminal nodes; the NSEC3 tree does
not have any. [GL #1834]
5408. [protocol] Print Extended DNS Errors if present in OPT record.
[GL #1835]
5407. [func] Zone timers are now exported via statistics channel.
Thanks to Paul Frieden, Verizon Media. [GL #1232]
5405. [bug] 'named-checkconf -p' could include spurious text in
server-addresses statements due to an uninitialized DSCP
value. [GL #1812]
--- 9.16.3 released ---
5404. [bug] 'named-checkconf -z' could incorrectly indicate
success if errors were found in one view but not in a
subsequent one. [GL #1807]
5403. [func] Do not set UDP receive/send buffer sizes - use system
defaults. [GL #1713]
5402. [bug] On FreeBSD, use SO_REUSEPORT_LB instead of SO_REUSEPORT.
Enable use of SO_REUSEADDR on all platforms which
support it. [GL !3365]
5401. [bug] The number of input queues allocated during dnstap
initialization was too low, which could prevent some
dnstap data from being logged. [GL #1795]
5400. [func] Add engine support to OpenSSL EdDSA implementation.
[GL #1763]
5399. [func] Add engine support to OpenSSL ECDSA implementation.
[GL #1534]
5398. [bug] Named could fail to restart if a zone with a double
quote (") in its name was added with 'rndc addzone'.
[GL #1695]
5397. [func] Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.
Thanks to Aaron Thompson. [GL !3326]
5396. [func] When necessary (i.e. in libuv >= 1.37), use the
UV_UDP_RECVMMSG flag to enable recvmmsg() support in
libuv. [GL #1797]
5395. [security] Further limit the number of queries that can be
triggered from a request. Root and TLD servers
are no longer exempt from max-recursion-queries.
Fetches for missing name server address records
are limited to 4 for any domain. (CVE-2020-8616)
[GL #1388]
5394. [cleanup] Named formerly attempted to change the effective UID and
GID in named_os_openfile(), which could trigger a
spurious log message if they were already set to the
desired values. This has been fixed. [GL #1042]
[GL #1090]
5392. [bug] It was possible for named to crash during shutdown
or reconfiguration if an RPZ zone was still being
updated. [GL #1779]
5390. [security] Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. (CVE-2020-8617)
[GL #1703]
5391. [func] The BIND 9 build system has been changed to use the
usual stack of autoconf+automake+libtool. [GL #4]
5389. [bug] Finish PKCS#11 code cleanup, fix a couple of smaller
5390. [placeholder]
5389. [bug] Finish the PKCS#11 code cleanup, fix couple of smaller
bugs and use PKCS#11 v3.0 EdDSA macros and constants.
Thanks to Aaron Thompson. [GL !3391]
5387. [func] Warn about AXFR streams with inconsistent message IDs.
[GL #1674]
5388. [func] Reject AXFR streams where the message id is not
consistent. [GL #1674]
5386. [cleanup] Address Coverity warnings in lib/dns/keymgr.c.
[GL #1737]
5387. [placeholder]
5386. [cleanup] Address Coverity warnings in keymgr.c [GL #1737]
5385. [func] Make ISC rwlock implementation the default again.
[GL #1753]
5384. [bug] With "dnssec-policy" in effect, "inline-signing" was
implicitly set to "yes". Now "inline-signing" is only
set to "yes" if the zone is not dynamic. [GL #1709]
5384. [bug] With dnssec-policy, inline-signing was implicitly set
to yes. Change and only set inline-signing to yes
if the zone is not dynamic. [GL #1709]
--- 9.16.2 released ---
--- 9.17.1 released ---
5383. [func] Add a quota attach function with a callback and clean up
the isc_quota API. [GL !3280]
@@ -747,9 +40,13 @@
5380. [contrib] Fix building MySQL DLZ modules against MySQL 8
libraries. [GL #1678]
5379. [placeholder]
5378. [bug] Receiving invalid DNS data was triggering an assertion
failure in nslookup. [GL #1652]
5377. [placeholder]
5376. [bug] Fix ineffective DNS rebinding protection when BIND is
configured as a forwarding DNS server. Thanks to Tobias
Klein. [GL #1574]
@@ -784,14 +81,16 @@
Fixed by deactivating the netmgr handle before
scheduling the asynchronous close routine. [GL #1700]
5369. [func] Add the ability to specify whether to wait for
nameserver domain names to be looked up, with a new RPZ
modifying directive 'nsdname-wait-recurse'. [GL #1138]
5368. [bug] Named failed to restart if 'rndc addzone' names
contained special characters (e.g. '/'). [GL #1655]
5367. [bug] Fixed a flaw in the calculation of the zone database
size so that "max-journal-size default" uses the correct
limit. [GL #1661]
5367. [placeholder]
--- 9.16.1 released ---
--- 9.17.0 released ---
5366. [bug] Fix a race condition with the keymgr when the same
zone plus dnssec-policy is configured in multiple
@@ -813,12 +112,24 @@
properties that no longer match were not being retired.
[GL #1624]
5362. [func] Limit the size of IXFR responses so that AXFR will
be used instead if it would be smaller. This is
controlled by the "max-ixfr-ratio" option, which
is a percentage representing the ratio of IXFR size
to the size of the entire zone. This value cannot
exceed 100%, which is the default. [GL #1515]
5361. [bug] named might not accept new connections after
hitting tcp-clients quota. [GL #1643]
5360. [bug] delv could fail to load trust anchors in DNSKEY
format. [GL #1647]
5359. [func] "rndc nta -d" and "rndc secroots" now include
"validate-except" entries when listing negative
trust anchors. These are indicated by the keyword
"permanent" in place of an expiry date. [GL #1532]
5358. [bug] Inline master zones whose master files were touched
but otherwise unchanged and were subsequently reloaded
may have stopped re-signing. [GL !3135]
@@ -828,8 +139,6 @@
re-signed in time. This was a side effect of 5315.
[GL !3137]
--- 9.16.0 released ---
5356. [func] Update dnssec-policy configuration statements:
- Rename "zone-max-ttl" dnssec-policy option to
"max-zone-ttl" for consistency with the existing
@@ -872,7 +181,7 @@
5349. [bug] Fix a race in task_pause/unpause. [GL #1571]
5348. [bug] dnssec-settime -Psync was not being honoured.
[GL !2925]
[GL !2893]
--- 9.15.8 released ---

View File

@@ -1,79 +0,0 @@
CODE OF CONDUCT
BIND 9 Code of Conduct
Like the technical community as a whole, the BIND 9 team and community is
made up of a mixture of professionals and volunteers from all over the
world, working on every aspect of the mission - including mentorship,
teaching, and connecting people.
Diversity is one of our huge strengths, but it can also lead to
communication issues and unhappiness. To that end, we have a few ground
rules that we ask people to adhere to. This code applies equally to the
core development team, open source contributors and those seeking help and
guidance.
This isn't an exhaustive list of things that you can't do. Rather, take it
in the spirit in which it's intended - a guide to make it easier to enrich
all of us and the technical communities in which we participate.
This code of conduct applies to all spaces managed by the BIND 9 project
or Internet Systems Consortium. This includes chat, the mailing lists, the
issue tracker, and any other fora created by the project team which the
community uses for communication. In addition, violations of this code
outside these spaces may affect a person's ability to participate within
them.
If you believe someone is violating the code of conduct, we ask that you
report it by emailing conduct@isc.org. For more details please see our
Reporting Guidelines.
* Be friendly and patient.
* Be welcoming. We strive to be a community that welcomes and supports
people of all backgrounds and identities. This includes, but is not
limited to members of any race, ethnicity, culture, national origin,
colour, immigration status, social and economic class, educational
level, sex, sexual orientation, gender identity and expression, age,
size, family status, political belief, religion, and mental and
physical ability.
* Be considerate. Your work will be used by other people, and you in
turn will depend on the work of others. Any decision you take will
affect users and colleagues, and you should take those consequences
into account when making decisions. Remember that we're a world-wide
community, so you might not be communicating in someone else's primary
language.
* Be respectful. Not all of us will agree all the time, but disagreement
is no excuse for poor behavior and poor manners. We might all
experience some frustration now and then, but we cannot allow that
frustration to turn into a personal attack. It's important to remember
that a community where people feel uncomfortable or threatened is not
a productive one. Members of the BIND 9 community should be respectful
when dealing with other members as well as with people outside the
BIND 9 community.
* Be careful in the words that you choose. We are a community of
professionals, and we conduct ourselves professionally. Be kind to
others. Do not insult or put down other participants. Harassment and
other exclusionary behavior aren't acceptable. This includes, but is
not limited to:
+ Violent threats or language directed against another person.
+ Discriminatory jokes and language.
+ Posting sexually explicit or violent material.
+ Posting (or threatening to post) other people's personally
identifying information ("doxing").
+ Personal insults, especially those using racist or sexist terms.
+ Unwelcome sexual attention.
+ Advocating for, or encouraging, any of the above behavior.
+ Repeated harassment of others. In general, if someone asks you to
stop, then stop.
* When we disagree, try to understand why. Disagreements, both social
and technical, happen all the time and BIND 9 is no exception. It is
important that we resolve disagreements and differing views
constructively. Remember that we're different. The strength of BIND 9
comes from its varied community, people from a wide range of
backgrounds. Different people have different perspectives on issues.
Being unable to understand why someone holds a viewpoint doesn't mean
that they're wrong. Don't forget that it is human to err and blaming
each other doesn't get us anywhere. Instead, focus on helping to
resolve issues and learning from mistakes.
Original text courtesy of the Django Code of Conduct project.

View File

@@ -7,8 +7,8 @@ people.
Diversity is one of our huge strengths, but it can also lead to communication
issues and unhappiness. To that end, we have a few ground rules that we ask
people to adhere to. This code applies equally to the core development team,
open source contributors and those seeking help and guidance.
people to adhere to. This code applies equally to the core development team, open source contributors and those
seeking help and guidance.
This isn't an exhaustive list of things that you can't do. Rather, take it in
the spirit in which it's intended - a guide to make it easier to enrich all of

View File

@@ -1,189 +0,0 @@
CONTRIBUTING
BIND 9 Source Access and Contributor Guidelines
May 28, 2020
Contents
1. Access to source code
2. Reporting bugs
3. Contributing code
Introduction
Thank you for using BIND 9!
BIND is open source software that implements the Domain Name System (DNS)
protocols for the Internet. It is a reference implementation of those
protocols, but it is also production-grade software, suitable for use in
high-volume and high-reliability applications. It is very widely used DNS
software, providing a robust and stable platform on top of which
organizations can build distributed computing systems with the knowledge
that those systems are fully compliant with published DNS standards.
BIND is and will always remain free and openly available. It can be used
and modified in any way by anyone.
BIND is maintained by Internet Systems Consortium, a public-benefit 501(c)
(3) nonprofit, using a "managed open source" approach: anyone can see the
source, but only ISC employees have commit access. In the past, the source
could only be seen once ISC had published a release; read access to the
source repository was restricted just as commit access was. That has
changed, as ISC now provides a public git repository of the BIND source
tree (see below).
At ISC, we're committed to building communities that are welcoming and
inclusive: environments where people are encouraged to share ideas, treat
each other with respect, and collaborate towards the best solutions. To
reinforce our commitment, ISC has adopted a slightly modified version of
the Django Code of Conduct for the BIND 9 project, as well as for the
conduct of our developers throughout the industry.
Access to source code
Public BIND releases are always available from the ISC FTP site.
A public-access git repository is also available at https://gitlab.isc.org
. This repository contains all public release branches. Upcoming releases
can be viewed in their current state at any time. Short-lived development
branches contain unreviewed work in progress. Commits which address
security vulnerablilities are withheld until after public disclosure.
You can browse the source online via https://gitlab.isc.org/isc-projects/
bind9
To clone the repository, use:
$ git clone https://gitlab.isc.org/isc-projects/bind9.git
Release branch names are of the form v9_X, where X represents the second
number in the BIND 9 version number. So, to check out the BIND 9.12
branch, use:
$ git checkout v9_12
Whenever a branch is ready for publication, a tag is placed of the form
v9_X_Y. The 9.12.0 release, for instance, is tagged as v9_12_0.
The branch in which the next major release is being developed is called
main.
Reporting bugs
Reports of flaws in the BIND package, including software bugs, errors in
the documentation, missing files in the tarball, suggested changes or
requests for new features, etc., can be filed using https://gitlab.isc.org
/isc-projects/bind9/issues.
Due to a large ticket backlog, we are sometimes slow to respond,
especially if a bug is cosmetic or if a feature request is vague or low in
priority, but we try at least to acknowledge legitimate bug reports within
a week.
ISC's GitLab system is publicly readable; however, you must have an
account to create a new issue. You can either register locally or use
credentials from an existing account at GitHub, GitLab, Google, Twitter,
or Facebook.
Reporting possible security issues
If you think you may be seeing a potential security vulnerability in BIND
(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
report it immediately by emailing to security-officer@isc.org. Plain-text
e-mail is not a secure choice for communications concerning undisclosed
security issues so please encrypt your communications to us if possible,
using the ISC Security Officer public key.
Do not discuss undisclosed security vulnerabilities on any public mailing
list. ISC has a long history of handling reported vulnerabilities promptly
and effectively and we respect and acknowledge responsible reporters.
ISC's Security Vulnerability Disclosure Policy is documented at https://
kb.isc.org/docs/aa-00861.
If you have a crash, you may want to consult "What to do if your BIND or
DHCP server has crashed."
Contributing code
BIND is licensed under the Mozilla Public License 2.0. Earlier versions
(BIND 9.10 and earlier) were licensed under the ISC License
ISC does not require an explicit copyright assignment for patch
contributions. However, by submitting a patch to ISC, you implicitly
certify that you are the author of the code, that you intend to relinquish
exclusive copyright, and that you grant permission to publish your work
under the open source license used for the BIND version(s) to which your
patch will be applied.
BIND code
Patches for BIND may be submitted directly via merge requests in ISC's
GitLab source repository for BIND.
Patches can also be submitted as diffs against a specific version of BIND
-- preferably the current top of the main branch. Diffs may be generated
using either git format-patch or git diff.
Those wanting to write code for BIND may be interested in the developer
information page, which includes information about BIND design and coding
practices, including discussion of internal APIs and overall system
architecture.
Every patch submitted is reviewed by ISC engineers following our code
review process before it is merged.
It may take considerable time to review patch submissions, especially if
they don't meet ISC style and quality guidelines. If a patch is a good
idea, we can and will do additional work to bring it up to par, but if
we're busy with other work, it may take us a long time to get to it.
To ensure your patch is acted on as promptly as possible, please:
* Try to adhere to the BIND 9 coding style.
* Run make check to ensure your change hasn't caused any functional
regressions.
* Document your work, both in the patch itself and in the accompanying
email.
* In patches that make non-trivial functional changes, include system
tests if possible; when introducing or substantially altering a
library API, include unit tests. See Testing for more information.
Changes to configure
If you need to make changes to configure, you should not edit it directly;
instead, edit configure.in, then run autoconf. Similarly, instead of
editing config.h.in directly, edit configure.in and run autoheader.
When submitting a patch as a diff, it's fine to omit the configure diffs
to save space. Just send the configure.in diffs and we'll generate the new
configure during the review process.
Documentation
All functional changes should be documented. There are three types of
documentation in the BIND source tree:
* Man pages are kept alongside the source code for the commands they
document, in files ending in .rst: for example, the named man page is
bin/named/named.rst.
* The BIND 9 Administrator Reference Manual is in the .rst files in doc/
arm/; the PDF and HTML versions are automatically generated from the
.rst files.
* API documentation is in the header file describing the API, in
Doxygen-formatted comments.
Patches to improve existing documentation are also very welcome!
Tests
BIND is a large and complex project. We rely heavily on continuous
automated testing and cannot merge new code without adequate test
coverage. Please see the "Testing" section of doc/dev/dev.md for more
information.
Thanks
Thank you for your interest in contributing to the ongoing development of
BIND 9.

View File

@@ -8,8 +8,8 @@
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
## BIND 9 Source Access and Contributor Guidelines
*May 28, 2020*
## BIND Source Access and Contributor Guidelines
*Feb 22, 2018*
### Contents
@@ -19,12 +19,12 @@
### Introduction
Thank you for using BIND 9!
Thank you for using BIND!
BIND is open source software that implements the Domain Name System (DNS)
protocols for the Internet. It is a reference implementation of those
protocols, but it is also production-grade software, suitable for use in
high-volume and high-reliability applications. It is very
high-volume and high-reliability applications. It is by far the most
widely used DNS software, providing a robust and stable platform on top of
which organizations can build distributed computing systems with the
knowledge that those systems are fully compliant with published DNS
@@ -33,34 +33,35 @@ standards.
BIND is and will always remain free and openly available. It can be
used and modified in any way by anyone.
BIND is maintained by [Internet Systems Consortium](https://www.isc.org),
BIND is maintained by the [Internet Systems Consortium](https://www.isc.org),
a public-benefit 501(c)(3) nonprofit, using a "managed open source" approach:
anyone can see the source, but only ISC employees have commit access.
In the past, the source could only be seen once ISC had published
a release; read access to the source repository was restricted just
as commit access was. That has changed, as ISC now provides a
public git repository of the BIND source tree (see below).
Until recently, the source could only be seen once ISC had published
a release: read access to the source repository was restricted just
as commit access was. That's now changing, with the opening of a
public git mirror to the BIND source tree (see below).
At ISC, we're committed to
building communities that are welcoming and inclusive: environments where people
At [Internet Systems Consortium](https://www.isc.org), we're committed to
building communities that are welcoming and inclusive; environments where people
are encouraged to share ideas, treat each other with respect, and collaborate
towards the best solutions. To reinforce our commitment, ISC
has adopted a slightly modified version of the Django
[Code of Conduct](https://gitlab.isc.org/isc-projects/bind9/-/blob/main/CODE_OF_CONDUCT.md)
for the BIND 9 project, as well as for the conduct of our developers throughout
the industry.
towards the best solutions. To reinforce our commitment, the [Internet Systems
Consortium](https://www.isc.org) has adopted the Contributor Covenant version
1.4 as our Code of Conduct for BIND 9 project, as well as for the conduct of our
developers throughout the industry.
### <a name="access"></a>Access to source code
Public BIND releases are always available from the
[ISC FTP site](ftp://ftp.isc.org/isc/bind9).
A public-access git repository is also available at
[https://gitlab.isc.org](https://gitlab.isc.org). This repository
contains all public release branches. Upcoming releases can be viewed in
their current state at any time. Short-lived development branches
contain unreviewed work in progress. Commits which address security
vulnerablilities are withheld until after public disclosure.
A public-access GIT repository is also available at
[https://gitlab.isc.org](https://gitlab.isc.org).
This repository is a mirror, updated several times per day, of the
source repository maintained by ISC. It contains all the public release
branches; upcoming releases can be viewed in their current state at any
time. It does *not* contain development branches or unreviewed work in
progress. Commits which address security vulnerablilities are withheld
until after public disclosure.
You can browse the source online via
[https://gitlab.isc.org/isc-projects/bind9](https://gitlab.isc.org/isc-projects/bind9)
@@ -75,58 +76,55 @@ branch, use:
> $ git checkout v9_12
Whenever a branch is ready for publication, a tag is placed of the
Whenever a branch is ready for publication, a tag will be placed of the
form `v9_X_Y`. The 9.12.0 release, for instance, is tagged as `v9_12_0`.
The branch in which the next major release is being developed is called
`main`.
`master`.
### <a name="bugs"></a>Reporting bugs
Reports of flaws in the BIND package, including software bugs, errors
in the documentation, missing files in the tarball, suggested changes
or requests for new features, etc., can be filed using
or requests for new features, etc, can be filed using
[https://gitlab.isc.org/isc-projects/bind9/issues](https://gitlab.isc.org/isc-projects/bind9/issues).
Due to a large ticket backlog, we are sometimes slow to respond,
especially if a bug is cosmetic or if a feature request is vague or
low in priority, but we try at least to acknowledge legitimate
low in priority, but we will try at least to acknowledge legitimate
bug reports within a week.
ISC's GitLab system is publicly readable; however, you must have
an account to create a new issue. You can either register locally or
ISC's ticketing system is publicly readable; however, you must have
an account to file a new issue. You can either register locally or
use credentials from an existing account at GitHub, GitLab, Google,
Twitter, or Facebook.
### Reporting possible security issues
If you think you may be seeing a potential security vulnerability in BIND
(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
report it immediately by emailing to security-officer@isc.org. Plain-text
e-mail is not a secure choice for communications concerning undisclosed
security issues so please encrypt your communications to us if possible,
using the [ISC Security Officer public key](https://www.isc.org/pgpkey/).
using the [ISC Security Officer public key](https://www.isc.org/downloads/software-support-policy/openpgp-key/).
Do not discuss undisclosed security vulnerabilities on any public mailing list.
ISC has a long history of handling reported vulnerabilities promptly and
effectively and we respect and acknowledge responsible reporters.
ISC's Security Vulnerability Disclosure Policy is documented at
[https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
ISC's Security Vulnerability Disclosure Policy is documented at [https://kb.isc.org/article/AA-00861/0](https://kb.isc.org/article/AA-00861/0).
If you have a crash, you may want to consult
["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340)
[What to do if your BIND or DHCP server has crashed.](https://kb.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html)
### <a name="contrib"></a>Contributing code
BIND is licensed under the
[Mozilla Public License 2.0](https://www.mozilla.org/en-US/MPL/2.0/).
Earlier versions (BIND 9.10 and earlier) were licensed under the
[ISC License](https://www.isc.org/licenses/)
[Mozilla Public License 2.0](http://www.isc.org/downloads/software-support-policy/isc-license/).
Earier versions (BIND 9.10 and earlier) were licensed under the [ISC License](http://www.isc.org/downloads/software-support-policy/isc-license/)
ISC does not require an explicit copyright assignment for patch
contributions. However, by submitting a patch to ISC, you implicitly
certify that you are the author of the code, that you intend to relinquish
certify that you are the author of the code, that you intend to reliquish
exclusive copyright, and that you grant permission to publish your work
under the open source license used for the BIND version(s) to which your
patch will be applied.
@@ -134,19 +132,20 @@ patch will be applied.
#### <a name="bind"></a>BIND code
Patches for BIND may be submitted directly via merge requests in
[ISC's GitLab](https://gitlab.isc.org/isc-projects/bind9/) source
[ISC's Gitlab](https://gitlab.isc.org/isc-projects/bind9/) source
repository for BIND.
Patches can also be submitted as diffs against a specific version of
BIND -- preferably the current top of the `main` branch. Diffs may
BIND -- preferably the current top of the `master` branch. Diffs may
be generated using either `git format-patch` or `git diff`.
Those wanting to write code for BIND may be interested in the
[developer information](doc/dev/dev.md) page, which includes information
about BIND design and coding practices, including discussion of internal
APIs and overall system architecture.
APIs and overall system architecture. (This is a work in progress, and
still quite preliminary.)
Every patch submitted is reviewed by ISC engineers following our
Every patch submitted will be reviewed by ISC engineers following our
[code review process](doc/dev/dev.md#reviews) before it is merged.
It may take considerable time to review patch submissions, especially if
@@ -157,7 +156,7 @@ we're busy with other work, it may take us a long time to get to it.
To ensure your patch is acted on as promptly as possible, please:
* Try to adhere to the [BIND 9 coding style](doc/dev/style.md).
* Run `make check` to ensure your change hasn't caused any
* Run `make` `check` to ensure your change hasn't caused any
functional regressions.
* Document your work, both in the patch itself and in the
accompanying email.
@@ -183,24 +182,28 @@ All functional changes should be documented. There are three types
of documentation in the BIND source tree:
* Man pages are kept alongside the source code for the commands
they document, in files ending in `.rst`: for example, the
`named` man page is `bin/named/named.rst`.
* The *BIND 9 Administrator Reference Manual* is in the .rst files in
`doc/arm/`; the PDF and HTML versions are automatically generated from
the `.rst` files.
they document, in files ending in `.docbook`; for example, the
`named` man page is `bin/named/named.docbook`.
* The *BIND 9 Administrator Reference Manual* is mostly in
`doc/arm/Bv9ARM-book.xml`, plus a few other XML files that are included
in it.
* API documentation is in the header file describing the API, in
Doxygen-formatted comments.
It is not necessary to edit any documentation files other than these;
all PDF, HTML, and `nroff`-format man page files will be updated
automatically from the `docbook` and `XML` files after merging.
Patches to improve existing documentation are also very welcome!
##### Tests
BIND is a large and complex project. We rely heavily on continuous
automated testing and cannot merge new code without adequate test coverage.
Please see [the "Testing" section of doc/dev/dev.md](doc/dev/dev.md#testing)
Please see [the 'Testing' section of doc/dev/dev.md](doc/dev/dev.md#testing)
for more information.
#### Thanks
Thank you for your interest in contributing to the ongoing development
of BIND 9.
of BIND.

1
COPYING Symbolic link
View File

@@ -0,0 +1 @@
LICENSE

View File

@@ -1,8 +1,8 @@
Copyright (C) 1996-2021 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2020 Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
file, You can obtain one at http://mozilla.org/MPL/2.0/.
-----------------------------------------------------------------------------

1
ChangeLog Symbolic link
View File

@@ -0,0 +1 @@
CHANGES

600
HISTORY
View File

@@ -1,600 +0,0 @@
HISTORY
Functional enhancements from prior major releases of BIND 9
BIND 9.14
BIND 9.14 (a stable branch based on the 9.13 development branch) includes
a number of changes from BIND 9.12 and earlier releases. New features
include:
* A new "plugin" mechanism has been added to allow query functionality
to be extended using dynamically loadable libraries. The "filter-aaaa"
feature has been removed from named and is now implemented as a
plugin.
* Socket and task code has been refactored to improve performance.
* QNAME minimization, as described in RFC 7816, is now supported.
* "Root key sentinel" support, enabling validating resolvers to indicate
via a special query which trust anchors are configured for the root
zone.
* Secondary zones can now be configured as "mirror" zones; their
contents are transferred in as with traditional slave zones, but are
subject to DNSSEC validation and are not treated as authoritative data
when answering. This makes it easier to configure a local copy of the
root zone as described in RFC 7706.
* The "validate-except" option allows configuration of domains below
which DNSSEC validation should not be performed.
* The default value of "dnssec-validation" is now "auto".
* IDNA2008 is now supported when linking with libidn2.
* "named -V" now outputs the default paths for files used by named and
other tools.
In addition, workarounds that were formerly in place to enable resolution
of domains whose authoritative servers did not respond to EDNS queries
have been removed. See https://dnsflagday.net for more details.
Cryptographic support has been modernized. BIND now uses the best
available pseudo-random number generator for the platform on which it's
built. Very old versions of OpenSSL are no longer supported. Cryptography
is now mandatory: building BIND without DNSSEC is no longer supported.
Special code to support certain legacy operating systems has also been
removed; see the file PLATFORMS.md for details of supported platforms. In
addition to OpenSSL, BIND now requires support for IPv6, threads, and
standard atomic operations provided by the C compiler.
BIND 9.12
BIND 9.12 includes a number of changes from BIND 9.11 and earlier
releases. New features include:
* named and related libraries have been substantially refactored for
improved query performance -- particularly on delegation heavy zones
-- and for improved readability, maintainability, and testability.
* Code implementing the name server query processing logic has been
moved into a new libns library, for easier testing and use in tools
other than named.
* Cached, validated NSEC and other records can now be used to synthesize
NXDOMAIN responses.
* The DNS Response Policy Service API (DNSRPS) is now supported.
* Setting 'max-journal-size default' now limits the size of journal
files to twice the size of the zone.
* dnstap-read -x prints a hex dump of the wire format of each logged DNS
message.
* dnstap output files can now be configured to roll automatically when
reaching a given size.
* Log file timestamps can now also be formatted in ISO 8601 (local) or
ISO 8601 (UTC) formats.
* Logging channels and dnstap output files can now be configured to use
a timestamp as the suffix when rolling to a new file.
* 'named-checkconf -l' lists zones found in named.conf.
* Added support for the EDNS Padding and Keepalive options.
* 'new-zones-directory' option sets the location where the configuration
data for zones added by rndc addzone is stored.
* The default key algorithm in rndc-confgen is now hmac-sha256.
* filter-aaaa-on-v4 and filter-aaaa-on-v6 options are now available by
default without a configure option.
* The obsolete isc-hmac-fixup command has been removed.
BIND 9.11
BIND 9.11.0 includes a number of changes from BIND 9.10 and earlier
releases. New features include:
* Added support for Catalog Zones, a new method for provisioning
servers: a list of zones to be served is stored in a DNS zone, along
with their configuration parameters. Changes to the catalog zone are
propagated to slaves via normal AXFR/IXFR, whereupon the zones that
are listed in it are automatically added, deleted or reconfigured.
* Added support for "dnstap", a fast and flexible method of capturing
and logging DNS traffic.
* Added support for "dyndb", a new API for loading zone data from an
external database, developed by Red Hat for the FreeIPA project.
* "fetchlimit" quotas are now compiled in by default. These are for the
use of recursive resolvers that are are under high query load for
domains whose authoritative servers are nonresponsive or are
experiencing a denial of service attack:
+ "fetches-per-server" limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically adjusted
downward if the server is partially or completely non-responsive.
The algorithm used to adjust the quota can be configured via the
"fetch-quota-params" option.
+ "fetches-per-zone" limits the number of simultaneous queries that
can be sent for names within a single domain. (Note: Unlike
"fetches-per-server", this value is not self-tuning.)
+ New stats counters have been added to count queries spilled due to
these quotas.
* Added a new "dnssec-keymgr" key mainenance utility, which can generate
or update keys as needed to ensure that a zone's keys match a defined
DNSSEC policy.
* The experimental "SIT" feature in BIND 9.10 has been renamed "COOKIE"
and is no longer optional. EDNS COOKIE is a mechanism enabling clients
to detect off-path spoofed responses, and servers to detect
spoofed-source queries. Clients that identify themselves using COOKIE
options are not subject to response rate limiting (RRL) and can
receive larger UDP responses.
* SERVFAIL responses can now be cached for a limited time (defaulting to
1 second, with an upper limit of 30). This can reduce the frequency of
retries when a query is persistently failing.
* Added an "nsip-wait-recurse" switch to RPZ. This causes NSIP rules to
be skipped if a name server IP address isn't in the cache yet; the
address will be looked up and the rule will be applied on future
queries.
* Added a Python RNDC module. This allows multiple commands to sent over
a persistent RNDC channel, which saves time.
* The "controls" block in named.conf can now grant read-only "rndc"
access to specified clients or keys. Read-only clients could, for
example, check "rndc status" but could not reconfigure or shut down
the server.
* "rndc" commands can now return arbitrarily large amounts of text to
the caller.
* The zone serial number of a dynamically updatable zone can now be set
via "rndc signing -serial ". This allows inline-signing zones to be
set to a specific serial number.
* The new "rndc nta" command can be used to set a Negative Trust Anchor
(NTA), disabling DNSSEC validation for a specific domain; this can be
used when responses from a domain are known to be failing validation
due to administrative error rather than because of a spoofing attack.
Negative trust anchors are strictly temporary; by default they expire
after one hour, but can be configured to last up to one week.
* "rndc delzone" can now be used on zones that were not originally
created by "rndc addzone".
* "rndc modzone" reconfigures a single zone, without requiring the
entire server to be reconfigured.
* "rndc showzone" displays the current configuration of a zone.
* "rndc managed-keys" can be used to check the status of RFC 5011
managed trust anchors, or to force trust anchors to be refreshed.
* "max-cache-size" can now be set to a percentage of available memory.
The default is 90%.
* Update forwarding performance has been improved by allowing a single
TCP connection to be shared by multiple updates.
* The EDNS Client Subnet (ECS) option is now supported for authoritative
servers; if a query contains an ECS option then ACLs containing
"geoip" or "ecs" elements can match against the the address encoded in
the option. This can be used to select a view for a query, so that
different answers can be provided depending on the client network.
* The EDNS EXPIRE option has been implemented on the client side,
allowing a slave server to set the expiration timer correctly when
transferring zone data from another slave server.
* The key generation and manipulation tools (dnssec-keygen,
dnssec-settime, dnssec-importkey, dnssec-keyfromlabel) now take
"-Psync" and "-Dsync" options to set the publication and deletion
times of CDS and CDNSKEY parent-synchronization records. Both named
and dnssec-signzone can now publish and remove these records at the
scheduled times.
* A new "minimal-any" option reduces the size of UDP responses for query
type ANY by returning a single arbitrarily selected RRset instead of
all RRsets.
* A new "masterfile-style" zone option controls the formatting of text
zone files: When set to "full", a zone file is dumped in
single-line-per-record format.
* "serial-update-method" can now be set to "date". On update, the serial
number will be set to the current date in YYYYMMDDNN format.
* "dnssec-signzone -N date" sets the serial number to YYYYMMDDNN.
* "named -L " causes named to send log messages to the specified file by
default instead of to the system log.
* "dig +ttlunits" prints TTL values with time-unit suffixes: w, d, h, m,
s for weeks, days, hours, minutes, and seconds.
* "dig +unknownformat" prints dig output in RFC 3597 "unknown record"
presentation format.
* "dig +ednsopt" allows dig to set arbitrary EDNS options on requests.
* "dig +ednsflags" allows dig to set yet-to-be-defined EDNS flags on
requests.
* "mdig" is an alternate version of dig which sends multiple pipelined
TCP queries to a server. Instead of waiting for a response after
sending a query, it sends all queries immediately and displays
responses in the order received.
* "serial-query-rate" no longer controls NOTIFY messages. These are
separately controlled by "notify-rate" and "startup-notify-rate".
* "nsupdate" now performs "check-names" processing by default on records
to be added. This can be disabled with "check-names no".
* The statistics channel now supports DEFLATE compression, reducing the
size of the data sent over the network when querying statistics.
* New counters have been added to the statistics channel to track the
sizes of incoming queries and outgoing responses in histogram buckets,
as specified in RSSAC002.
* A new NXDOMAIN redirect method (option "nxdomain-redirect") has been
added, allowing redirection to a specified DNS namespace instead of a
single redirect zone.
* When starting up, named now ensures that no other named process is
already running.
* Files created by named to store information, including "mkeys" and
"nzf" files, are now named after their corresponding views unless the
view name contains characters incompatible with use as a filename. Old
style filenames (based on the hash of the view name) will still work.
BIND 9.10.0
BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
releases. New features include:
* DNS Response-rate limiting (DNS RRL), which blunts the impact of
reflection and amplification attacks, is always compiled in and no
longer requires a compile-time option to enable it.
* An experimental "Source Identity Token" (SIT) EDNS option is now
available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
these are designed to enable clients to detect off-path spoofed
responses, and to enable servers to detect spoofed-source queries.
Servers can be configured to send smaller responses to clients that
have not identified themselves using a SIT option, reducing the
effectiveness of amplification attacks. RRL processing has also been
updated; clients proven to be legitimate via SIT are not subject to
rate limiting. Use "configure --enable-sit" to enable this feature in
BIND.
* A new zone file format, "map", stores zone data in a format that can
be mapped directly into memory, allowing significantly faster zone
loading.
* "delv" (domain entity lookup and validation) is a new tool with
dig-like semantics for looking up DNS data and performing internal
DNSSEC validation. This allows easy validation in environments where
the resolver may not be trustworthy, and assists with troubleshooting
of DNSSEC problems. (NOTE: In previous development releases of BIND
9.10, this utility was called "delve". The spelling has been changed
to avoid confusion with the "delve" utility included with the Xapian
search engine.)
* Improved EDNS(0) processing for better resolver performance and
reliability over slow or lossy connections.
* A new "configure --with-tuning=large" option tunes certain compiled-in
constants and default settings to values better suited to large
servers with abundant memory. This can improve performance on such
servers, but will consume more memory and may degrade performance on
smaller systems.
* Substantial improvement in response-policy zone (RPZ) performance. Up
to 32 response-policy zones can be configured with minimal performance
loss.
* To improve recursive resolver performance, cache records which are
still being requested by clients can now be automatically refreshed
from the authoritative server before they expire, reducing or
eliminating the time window in which no answer is available in the
cache.
* New "rpz-client-ip" triggers and drop policies allowing response
policies based on the IP address of the client.
* ACLs can now be specified based on geographic location using the
MaxMind GeoIP databases. Use "configure --with-geoip" to enable.
* Zone data can now be shared between views, allowing multiple views to
serve the same zones authoritatively without storing multiple copies
in memory.
* New XML schema (version 3) for the statistics channel includes many
new statistics and uses a flattened XML tree for faster parsing. The
older schema is now deprecated.
* A new stylesheet, based on the Google Charts API, displays XML
statistics in charts and graphs on javascript-enabled browsers.
* The statistics channel can now provide data in JSON format as well as
XML.
* New stats counters track TCP and UDP queries received per zone, and
EDNS options received in total.
* The internal and export versions of the BIND libraries (libisc,
libdns, etc) have been unified so that external library clients can
use the same libraries as BIND itself.
* A new compile-time option, "configure --enable-native-pkcs11", allows
BIND 9 cryptography functions to use the PKCS#11 API natively, so that
BIND can drive a cryptographic hardware service module (HSM) directly
instead of using a modified OpenSSL as an intermediary. (Note: This
feature requires an HSM to have a full implementation of the PKCS#11
API; many current HSMs only have partial implementations. The new
"pkcs11-tokens" command can be used to check API completeness. Native
PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
version 2 from the Open DNSSEC project.)
* The new "max-zone-ttl" option enforces maximum TTLs for zones. This
can simplify the process of rolling DNSSEC keys by guaranteeing that
cached signatures will have expired within the specified amount of
time.
* "dig +subnet" sends an EDNS CLIENT-SUBNET option when querying.
* "dig +expire" sends an EDNS EXPIRE option when querying. When this
option is sent with an SOA query to a server that supports it, it will
report the expiry time of a slave zone.
* New "dnssec-coverage" tool to check DNSSEC key coverage for a zone and
report if a lapse in signing coverage has been inadvertently
scheduled.
* Signing algorithm flexibility and other improvements for the "rndc"
control channel.
* "named-checkzone" and "named-compilezone" can now read journal files,
allowing them to process dynamic zones.
* Multiple DLZ databases can now be configured. Individual zones can be
configured to be served from a specific DLZ database. DLZ databases
now serve zones of type "master" and "redirect".
* "rndc zonestatus" reports information about a specified zone.
* "named" now listens on IPv6 as well as IPv4 interfaces by default.
* "named" now preserves the capitalization of names when responding to
queries: for instance, a query for "example.com" may be answered with
"example.COM" if the name was configured that way in the zone file.
Some clients have a bug causing them to depend on the older behavior,
in which the case of the answer always matched the case of the query,
rather than the case of the name configured in the DNS. Such clients
can now be specified in the new "no-case-compress" ACL; this will
restore the older behavior of "named" for those clients only.
* new "dnssec-importkey" command allows the use of offline DNSSEC keys
with automatic DNSKEY management.
* New "named-rrchecker" tool to verify the syntactic correctness of
individual resource records.
* When re-signing a zone, the new "dnssec-signzone -Q" option drops
signatures from keys that are still published but are no longer
active.
* "named-checkconf -px" will print the contents of configuration files
with the shared secrets obscured, making it easier to share
configuration (e.g. when submitting a bug report) without revealing
private information.
* "rndc scan" causes named to re-scan network interfaces for changes in
local addresses.
* On operating systems with support for routing sockets, network
interfaces are re-scanned automatically whenever they change.
* "tsig-keygen" is now available as an alternate command name to use for
"ddns-confgen".
BIND 9.9.0
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:
* Inline signing, allowing automatic DNSSEC signing of master zones
without modification of the zonefile, or "bump in the wire" signing in
slaves.
* NXDOMAIN redirection.
* New 'rndc flushtree' command clears all data under a given name from
the DNS cache.
* New 'rndc sync' command dumps pending changes in a dynamic zone to
disk without a freeze/thaw cycle.
* New 'rndc signing' command displays or clears signing status records
in 'auto-dnssec' zones.
* NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
signing, eliminating the need to initially sign with NSEC.
* Startup time improvements on large authoritative servers.
* Slave zones are now saved in raw format by default.
* Several improvements to response policy zones (RPZ).
* Improved hardware scalability by using multiple threads to listen for
queries and using finer-grained client locking
* The 'also-notify' option now takes the same syntax as 'masters', so it
can used named masterlists and TSIG keys.
* 'dnssec-signzone -D' writes an output file containing only DNSSEC
data, which can be included by the primary zone file.
* 'dnssec-signzone -R' forces removal of signatures that are not expired
but were created by a key which no longer exists.
* 'dnssec-signzone -X' allows a separate expiration date to be specified
for DNSKEY signatures from other signatures.
* New '-L' option to dnssec-keygen, dnssec-settime, and
dnssec-keyfromlabel sets the default TTL for the key.
* dnssec-dsfromkey now supports reading from standard input, to make it
easier to convert DNSKEY to DS.
* RFC 1918 reverse zones have been added to the empty-zones table per
RFC 6303.
* Dynamic updates can now optionally set the zone's SOA serial number to
the current UNIX time.
* DLZ modules can now retrieve the source IP address of the querying
client.
* 'request-ixfr' option can now be set at the per-zone level.
* 'dig +rrcomments' turns on comments about DNSKEY records, indicating
their key ID, algorithm and function
* Simplified nsupdate syntax and added readline support
BIND 9.8.0
BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
releases. New features include:
* Built-in trust anchor for the root zone, which can be switched on via
"dnssec-validation auto;"
* Support for DNS64.
* Support for response policy zones (RPZ).
* Support for writable DLZ zones.
* Improved ease of configuration of GSS/TSIG for interoperability with
Active Directory
* Support for GOST signing algorithm for DNSSEC.
* Removed RTT Banding from server selection algorithm.
* New "static-stub" zone type.
* Allow configuration of resolver timeouts via "resolver-query-timeout"
option.
* The DLZ "dlopen" driver is now built by default.
* Added a new include file with function typedefs for the DLZ "dlopen"
driver.
* Made "--with-gssapi" default.
* More verbose error reporting from DLZ LDAP.
BIND 9.7.0
BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration. New features
include:
* Fully automatic signing of zones by "named".
* Simplified configuration of DNSSEC Lookaside Validation (DLV).
* Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
re-signing.)
* New named option "attach-cache" that allows multiple views to share a
single cache.
* DNS rebinding attack prevention.
* New default values for dnssec-keygen parameters.
* Support for RFC 5011 automated trust anchor maintenance
* Smart signing: simplified tools for zone signing and key maintenance.
* The "statistics-channels" option is now available on Windows.
* A new DNSSEC-aware libdns API for use by non-BIND9 applications
* On some platforms, named and other binaries can now print out a stack
backtrace on assertion failure, to aid in debugging.
* A "tools only" installation mode on Windows, which only installs dig,
host, nslookup and nsupdate.
* Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection.
BIND 9.6.0
* Full NSEC3 support
* Automatic zone re-signing
* New update-policy methods tcp-self and 6to4-self
* The BIND 8 resolver library, libbind, has been removed from the BIND 9
distribution and is now available as a separate download.
* Change the default pid file location from /var/run to /var/run/
{named,lwresd} for improved chroot/setuid support.
BIND 9.5.0
* GSS-TSIG support (RFC 3645).
* DHCID support.
* Experimental http server and statistics support for named via xml.
* More detailed statistics counters including those supported in BIND 8.
* Faster ACL processing.
* Use Doxygen to generate internal documentation.
* Efficient LRU cache-cleaning mechanism.
* NSID support.
BIND 9.4.0
* Implemented "additional section caching (or acache)", an internal
cache framework for additional section content to improve response
performance. Several configuration options were provided to control
the behavior.
* New notify type 'master-only'. Enable notify for master zones only.
* Accept 'notify-source' style syntax for query-source.
* rndc now allows addresses to be set in the server clauses.
* New option "allow-query-cache". This lets "allow-query" be used to
specify the default zone access level rather than having to have every
zone override the global value. "allow-query-cache" can be set at both
the options and view levels. If "allow-query-cache" is not set then
"allow-recursion" is used if set, otherwise "allow-query" is used if
set unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.
* rndc: the source address can now be specified.
* ixfr-from-differences now takes master and slave in addition to yes
and no at the options and view levels.
* Allow the journal's name to be changed via named.conf.
* 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
specified zone.
* 'dig +trace' now randomly selects the next servers to try. Report if
there is a bad delegation.
* Improve check-names error messages.
* Make public the function to read a key file, dst_key_read_public().
* dig now returns the byte count for axfr/ixfr.
* allow-update is now settable at the options / view level.
* named-checkconf now checks the logging configuration.
* host now can turn on memory debugging flags with '-m'.
* Don't send notify messages to self.
* Perform sanity checks on NS records which refer to 'in zone' names.
* New zone option "notify-delay". Specify a minimum delay between sets
of NOTIFY messages.
* Extend adjusting TTL warning messages.
* Named and named-checkzone can now both check for non-terminal wildcard
records.
* "rndc freeze/thaw" now freezes/thaws all zones.
* named-checkconf now check acls to verify that they only refer to
existing acls.
* The server syntax has been extended to support a range of servers.
* Report differences between hints and real NS rrset and associated
address records.
* Preserve the case of domain names in rdata during zone transfers.
* Restructured the data locking framework using architecture dependent
atomic operations (when available), improving response performance on
multi-processor machines significantly. x86, x86_64, alpha, powerpc,
and mips are currently supported.
* UNIX domain controls are now supported.
* Add support for additional zone file formats for improving loading
performance. The masterfile-format option in named.conf can be used to
specify a non-default format. A separate command named-compilezone was
provided to generate zone files in the new format. Additionally, the
-I and -O options for dnssec-signzone specify the input and output
formats.
* dnssec-signzone can now randomize signature end times (dnssec-signzone
-j jitter).
* Add support for CH A record.
* Add additional zone data constancy checks. named-checkzone has
extended checking of NS, MX and SRV record and the hosts they
reference. named has extended post zone load checks. New zone options:
check-mx and integrity-check.
* edns-udp-size can now be overridden on a per server basis.
* dig can now specify the EDNS version when making a query.
* Added framework for handling multiple EDNS versions.
* Additional memory debugging support to track size and mctx arguments.
* Detect duplicates of UDP queries we are recursing on and drop them.
New stats category "duplicates".
* "USE INTERNAL MALLOC" is now runtime selectable.
* The lame cache is now done on a <qname,qclass,qtype> basis as some
servers only appear to be lame for certain query types.
* Limit the number of recursive clients that can be waiting for a single
query (<qname,qtype,qclass>) to resolve. New options clients-per-query
and max-clients-per-query.
* dig: report the number of extra bytes still left in the packet after
processing all the records.
* Support for IPSECKEY rdata type.
* Raise the UDP receive buffer size to 32k if it is less than 32k.
* x86 and x86_64 now have separate atomic locking implementations.
* named-checkconf now validates update-policy entries.
* Attempt to make the amount of work performed in a iteration self
tuning. The covers nodes clean from the cache per iteration, nodes
written to disk when rewriting a master file and nodes destroyed per
iteration when destroying a zone or a cache.
* ISC string copy API.
* Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
1918 zones are not yet covered by this but are likely to be in a
future release.
* New options: empty-server, empty-contact, empty-zones-enable and
disable-empty-zone.
* dig now has a '-q queryname' and '+showsearch' options.
* host/nslookup now continue (default)/fail on SERVFAIL.
* dig now warns if 'RA' is not set in the answer when 'RD' was set in
the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
is set unless a server is explicitly set.
* Integrate contributed DLZ code into named.
* Integrate contributed IDN code from JPNIC.
* libbind: corresponds to that from BIND 8.4.7.
BIND 9.3.0
* DNSSEC is now DS based (RFC 3658).
* DNSSEC lookaside validation.
* check-names is now implemented.
* rrset-order is more complete.
* IPv4/IPv6 transition support, dual-stack-servers.
* IXFR deltas can now be generated when loading master files,
ixfr-from-differences.
* It is now possible to specify the size of a journal, max-journal-size.
* It is now possible to define a named set of master servers to be used
in masters clause, masters.
* The advertised EDNS UDP size can now be set, edns-udp-size.
* allow-v6-synthesis has been obsoleted.
* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
NOTIMPL. This will have impact on scripts that are looking for
NOTIMPL.
* libbind: corresponds to that from BIND 8.4.5.
BIND 9.2.0
* The size of the cache can now be limited using the "max-cache-size"
option.
* The server can now automatically convert RFC1886-style recursive
lookup requests into RFC2874-style lookups, when enabled using the new
option "allow-v6-synthesis". This allows stub resolvers that support
AAAA records but not A6 record chains or binary labels to perform
lookups in domains that make use of these IPv6 DNS features.
* Performance has been improved.
* The man pages now use the more portable "man" macros rather than the
"mandoc" macros, and are installed by "make install".
* The named.conf parser has been completely rewritten. It now supports
"include" directives in more places such as inside "view" statements,
and it no longer has any reserved words.
* The "rndc status" command is now implemented.
* rndc can now be configured automatically.
* A BIND 8 compatible stub resolver library is now included in lib/bind.
* OpenSSL has been removed from the distribution. This means that to use
DNSSEC, OpenSSL must be installed and the --with-openssl option must
be supplied to configure. This does not apply to the use of TSIG,
which does not require OpenSSL.
* The source distribution now builds on Windows. See win32utils/
readme1.txt and win32utils/win32-build.txt for details.
* This distribution also includes a new lightweight stub resolver
library and associated resolver daemon that fully support forward and
reverse lookups of both IPv4 and IPv6 addresses. This library is
considered experimental and is not a complete replacement for the BIND
8 resolver library. Applications that use the BIND 8 res_* functions
to perform DNS lookups or dynamic updates still need to be linked
against the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.
* BIND 9.2 is capable of acting as an authoritative server for DNSSEC
secured zones. This functionality is believed to be stable and
complete except for lacking support for verifications involving
wildcard records in secure zones.
* When acting as a caching server, BIND 9.2 can be configured to perform
DNSSEC secure resolution on behalf of its clients. This part of the
DNSSEC implementation is still considered experimental. For detailed
information about the state of the DNSSEC implementation, see the file
doc/misc/dnssec.

View File

@@ -10,6 +10,21 @@
-->
### Functional enhancements from prior major releases of BIND 9
#### BIND 9.16
BIND 9.16 (a stable branch based on the 9.15 development branch)
includes a number of changes from BIND 9.14 and earlier releases.
New features include:
* New `dnssec-policy` statement to configure a key and signing policy
for zones, enabling automatic key regeneration and rollover.
* New network manager based on `libuv`.
* Added support for the new GeoIP2 geolocation API, `libmaxminddb`.
* Improved DNSSEC trust anchor configuration using the `trust-anchors`
statement, permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for `dig`, `mdig`, and `delv`.
#### BIND 9.14
BIND 9.14 (a stable branch based on the 9.13 development branch)

View File

@@ -1,4 +0,0 @@
syntax(2)
test_suite('bind9')
include('lib/Kyuafile')

11
Makefile.am Normal file
View File

@@ -0,0 +1,11 @@
include $(top_srcdir)/Makefile.top
SUBDIRS = . libltdl lib bin # doc
BUILT_SOURCES = bind.keys.h
CLEANFILES = bind.keys.h
bind.keys.h: bind.keys Makefile
${PERL} ${top_srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
dist_sysconf_DATA = bind.keys

View File

@@ -1,116 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
top_builddir = @top_builddir@
PANDOC = @PANDOC@
W3M = @W3M@
VERSION=@BIND9_VERSION@
SUBDIRS = make lib fuzz bin doc
TARGETS =
PREREQS = bind.keys.h
MANOBJS = README HISTORY OPTIONS CONTRIBUTING PLATFORMS CODE_OF_CONDUCT
@BIND9_MAKE_RULES@
newrr:
cd lib/dns; ${MAKE} newrr
bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/util/bindkeys.pl
${PERL} ${srcdir}/util/bindkeys.pl < ${top_srcdir}/bind.keys > $@
distclean::
rm -f config.cache config.h config.log config.status TAGS
rm -f libtool configure.lineno
rm -f util/conf.sh docutil/docbook2man-wrapper.sh
# XXX we should clean libtool stuff too. Only do this after we add rules
# to make it.
maintainer-clean::
rm -f configure
rm -f bind.keys.h
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
doc man:: ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} \
${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: installdirs
${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
uninstall::
rm -f ${DESTDIR}${sysconfdir}/bind.keys
test check:
@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>/dev/null || echo fail`"; then \
echo I: NOTE: The tests were not run because they require that; \
echo I: the IP addresses 10.53.0.1 through 10.53.0.8 are configured; \
echo I: as alias addresses on the loopback interface. Please run; \
echo I: \'bin/tests/system/ifconfig.sh up\' as root to configure; \
echo I: them, then rerun the tests. Run make force-test to run the; \
echo I: tests anyway.; \
exit 1; \
fi
${MAKE} test-force
force-test: test-force
test-force:
status=0; \
(cd fuzz && ${MAKE} check) || status=1; \
(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
(test -f ${top_builddir}/unit/unittest.sh && \
$(SHELL) ${top_builddir}/unit/unittest.sh) || status=1; \
exit $$status
README: README.md
${PANDOC} --email-obfuscation=none -s --metadata title="README" -f markdown-smart -t html README.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
HISTORY: HISTORY.md
${PANDOC} --email-obfuscation=none -s --metadata title="HISTORY" -f markdown-smart -t html HISTORY.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
OPTIONS: OPTIONS.md
${PANDOC} --email-obfuscation=none -s --metadata title="OPTIONS" -f markdown-smart -t html OPTIONS.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
CONTRIBUTING: CONTRIBUTING.md
${PANDOC} --email-obfuscation=none -s --metadata title="CONTRIBUTING" -f markdown-smart -t html CONTRIBUTING.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
PLATFORMS: PLATFORMS.md
${PANDOC} --email-obfuscation=none -s --metadata title="PLATFORMS" -f markdown-smart -t html PLATFORMS.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
CODE_OF_CONDUCT: CODE_OF_CONDUCT.md
${PANDOC} --email-obfuscation=none -s --metadata title="CODE OF CONDUCT" -f markdown-smart -t html CODE_OF_CONDUCT.md | \
${W3M} -dump -cols 75 -O ascii -T text/html | \
sed -e '$${/^$$/d;}' > $@
unit::
sh ${top_builddir}/unit/unittest.sh
clean::

10
Makefile.tests Normal file
View File

@@ -0,0 +1,10 @@
# Hey Emacs, this is -*- makefile-automake -*- file!
# vim: filetype=automake
AM_CPPFLAGS += \
$(CMOCKA_CFLAGS) \
-DTESTS=\"$(abs_srcdir)\" \
-DNAMED_PLUGINDIR=\"$(libdir)/named\"
LDADD = \
$(CMOCKA_LIBS)

79
Makefile.top Normal file
View File

@@ -0,0 +1,79 @@
# Hey Emacs, this is -*- makefile-automake -*- file!
# vim: filetype=automake
ACLOCAL_AMFLAGS = -I $(top_srcdir)/m4
AM_CFLAGS = \
$(STD_CFLAGS)
AM_CPPFLAGS = \
$(STD_CPPFLAGS) \
-include $(top_builddir)/config.h \
-I$(srcdir)/include
if HAVE_GSSAPI
AM_CPPFLAGS += \
$(GSSAPI_CFLAGS)
endif
LIBISC_CFLAGS = \
-I$(top_srcdir)/include \
-I$(top_srcdir)/lib/isc/unix/include \
-I$(top_srcdir)/lib/isc/pthreads/include \
-I$(top_srcdir)/lib/isc/include \
-I$(top_builddir)/lib/isc/include
if HAVE_JSON_C
LIBISC_CFLAGS += \
$(JSON_C_CFLAGS)
endif HAVE_JSON_C
if HAVE_LIBXML2
LIBISC_CFLAGS += \
$(LIBXML2_CFLAGS)
endif HAVE_LIBXML2
LIBISC_LIBS = $(top_builddir)/lib/isc/libisc.la
LIBDNS_CFLAGS = \
-I$(top_srcdir)/lib/dns/include \
-I$(top_builddir)/lib/dns/include
LIBDNS_LIBS = \
$(top_builddir)/lib/dns/libdns.la
LIBNS_CFLAGS = \
-I$(top_srcdir)/lib/ns/include
LIBNS_LIBS = \
$(top_builddir)/lib/ns/libns.la
LIBIRS_CFLAGS = \
-I$(top_srcdir)/lib/irs/include
LIBIRS_LIBS = \
$(top_builddir)/lib/irs/libirs.la
LIBISCCFG_CFLAGS = \
-I$(top_srcdir)/lib/isccfg/include
LIBISCCFG_LIBS = \
$(top_builddir)/lib/isccfg/libisccfg.la
LIBISCCC_CFLAGS = \
-I$(top_srcdir)/lib/isccc/include/
LIBISCCC_LIBS = \
$(top_builddir)/lib/isccc/libisccc.la
LIBBIND9_CFLAGS = \
-I$(top_srcdir)/lib/bind9/include
LIBBIND9_LIBS = \
$(top_builddir)/lib/bind9/libbind9.la
LIBLTDL_CFLAGS = \
-I$(top_srcdir)/libltdl
LIBLTDL_LIBS = \
$(top_builddir)/libltdl/libltdlc.la

1
NEWS Symbolic link
View File

@@ -0,0 +1 @@
CHANGES

28
OPTIONS
View File

@@ -1,28 +0,0 @@
OPTIONS
Setting the STD_CDEFINES environment variable before running configure can
be used to enable certain compile-time options that are not explicitly
defined in configure.
Some of these settings are:
Setting Description
Overwrite memory with tag values when allocating
-DISC_MEM_DEFAULTFILL=1 or freeing it; this impairs performance but
makes debugging of memory problems easier.
Don't track memory allocations by file and line
-DISC_MEM_TRACKLINES=0 number; this improves performance but makes
debugging more difficult.
-DISC_FACILITY=LOG_LOCAL0 Change the default syslog facility for named
-DNS_CLIENT_DROPPORT=0 Disable dropping queries from particular
well-known ports:
-DCHECK_SIBLING=0 Don't check sibling glue in named-checkzone
-DCHECK_LOCAL=0 Don't check out-of-zone addresses in
named-checkzone
-DNS_RUN_PID_DIR=0 Create default PID files in ${localstatedir}/run
rather than ${localstatedir}/run/named/
Disable the use of inline functions to implement
-DISC_BUFFER_USEINLINE=0 the isc_buffer API: this reduces performance but
may be useful when debugging
-DISC_HEAP_CHECK Test heap consistency after every heap
operation; used when debugging

View File

@@ -1,99 +0,0 @@
PLATFORMS
Supported platforms
In general, this version of BIND will build and run on any POSIX-compliant
system with a C11-compliant C compiler, BSD-style sockets with
RFC-compliant IPv6 support, POSIX-compliant threads, the libuv
asynchronous I/O library, and the OpenSSL cryptography library.
The following C11 features are used in BIND 9:
* Atomic operations support from the compiler is needed, either in the
form of builtin operations, C11 atomics, or the Interlocked family of
functions on Windows.
* Thread Local Storage support from the compiler is needed, either in
the form of C11 _Thread_local/thread_local, the __thread GCC
extension, or the __declspec(thread) MSVC extension on Windows.
BIND 9.16 requires a fairly recent version of libuv (at least 1.x). For
some of the older systems listed below, you will have to install an
updated libuv package from sources such as EPEL, PPA, or other native
sources for updated packages. The other option is to build and install
libuv from source.
Certain optional BIND features have additional library dependencies. These
include libxml2 and libjson-c for statistics, libmaxminddb for
geolocation, libfstrm and libprotobuf-c for DNSTAP, and libidn2 for
internationalized domain name conversion.
ISC regularly tests BIND on many operating systems and architectures, but
lacks the resources to test all of them. Consequently, ISC is only able to
offer support on a "best effort" basis for some.
Regularly tested platforms
As of Nov 2020, BIND 9.16 is fully supported and regularly tested on the
following systems:
* Debian 9, 10
* Ubuntu LTS 16.04, 20.04
* Fedora 33
* Red Hat Enterprise Linux / CentOS 7, 8
* FreeBSD 11.4, 12.2
* OpenBSD 6.8
* Alpine Linux 3.13
The amd64, i386, armhf and arm64 CPU architectures are all fully
supported.
Best effort
The following are platforms on which BIND is known to build and run. ISC
makes every effort to fix bugs on these platforms, but may be unable to do
so quickly due to lack of hardware, less familiarity on the part of
engineering staff, and other constraints. With the exception of Windows
Server 2016, none of these are tested regularly by ISC.
* Windows Server 2012 R2, 2016 / x64
* Windows 10 / x64
* macOS 10.12+
* Solaris 11
* NetBSD
* Other Linux distributions still supported by their vendors, such as:
+ Ubuntu 19.04+
+ Gentoo
+ Arch Linux
* OpenWRT/LEDE 17.01+
* Other CPU architectures (mips, mipsel, sparc, ...)
Community maintained
These systems may not all have the required dependencies for building BIND
easily available, although it will be possible in many cases to compile
those directly from source. The community and interested parties may wish
to help with maintenance, and we welcome patch contributions, although we
cannot guarantee that we will accept them. All contributions will be
assessed against the risk of adverse effect on officially supported
platforms.
* Platforms past or close to their respective EOL dates, such as:
+ Ubuntu 14.04, 18.10
+ CentOS 6
+ Debian Jessie
+ FreeBSD 10.x
Unsupported platforms
These are platforms on which BIND 9.16 is known not to build or run:
* Platforms without at least OpenSSL 1.0.2
* Windows 10 / x86
* Windows Server 2012 and older
* Solaris 10 and older
* Platforms that don't support IPv6 Advanced Socket API (RFC 3542)
* Platforms that don't support atomic operations (via compiler or
library)
* Linux without NPTL (Native POSIX Thread Library)
* Platforms on which libuv cannot be compiled

View File

@@ -25,7 +25,7 @@ The following C11 features are used in BIND 9:
of C11 `_Thread_local`/`thread_local`, the `__thread` GCC extension, or
the `__declspec(thread)` MSVC extension on Windows.
BIND 9.16 requires a fairly recent version of `libuv` (at least 1.x). For
BIND 9.17 requires a fairly recent version of `libuv` (at least 1.x). For
some of the older systems listed below, you will have to install an updated
`libuv` package from sources such as EPEL, PPA, or other native sources for
updated packages. The other option is to build and install `libuv` from
@@ -42,16 +42,16 @@ offer support on a "best effort" basis for some.
### Regularly tested platforms
As of Nov 2020, BIND 9.16 is fully supported and regularly tested on the
As of Mar 2020, BIND 9.17 is fully supported and regularly tested on the
following systems:
* Debian 9, 10
* Ubuntu LTS 16.04, 20.04
* Fedora 33
* Ubuntu LTS 16.04, 18.04
* Fedora 31
* Red Hat Enterprise Linux / CentOS 7, 8
* FreeBSD 11.4, 12.2
* OpenBSD 6.8
* Alpine Linux 3.13
* FreeBSD 11.3, 12.1
* OpenBSD 6.6
* Alpine Linux
The amd64, i386, armhf and arm64 CPU architectures are all fully supported.
@@ -61,7 +61,7 @@ The following are platforms on which BIND is known to build and run.
ISC makes every effort to fix bugs on these platforms, but may be unable to
do so quickly due to lack of hardware, less familiarity on the part of
engineering staff, and other constraints. With the exception of Windows
Server 2016, none of these are tested regularly by ISC.
Server 2012 R2, none of these are tested regularly by ISC.
* Windows Server 2012 R2, 2016 / x64
* Windows 10 / x64
@@ -93,7 +93,7 @@ platforms.
## Unsupported platforms
These are platforms on which BIND 9.16 is known *not* to build or run:
These are platforms on which BIND 9.17 is known *not* to build or run:
* Platforms without at least OpenSSL 1.0.2
* Windows 10 / x86

381
README
View File

@@ -1,381 +0,0 @@
README
BIND 9
Contents
1. Introduction
2. Reporting bugs and getting help
3. Contributing to BIND
4. BIND 9.16 features
5. Building BIND
6. macOS
7. Dependencies
8. Compile-time options
9. Automated testing
10. Documentation
11. Change log
12. Acknowledgments
Introduction
BIND (Berkeley Internet Name Domain) is a complete, highly portable
implementation of the DNS (Domain Name System) protocol.
The BIND name server, named, is able to serve as an authoritative name
server, recursive resolver, DNS forwarder, or all three simultaneously. It
implements views for split-horizon DNS, automatic DNSSEC zone signing and
key management, catalog zones to facilitate provisioning of zone data
throughout a name server constellation, response policy zones (RPZ) to
protect clients from malicious data, response rate limiting (RRL) and
recursive query limits to reduce distributed denial of service attacks,
and many other advanced DNS features. BIND also includes a suite of
administrative tools, including the dig and delv DNS lookup tools,
nsupdate for dynamic DNS zone updates, rndc for remote name server
administration, and more.
BIND 9 began as a complete re-write of the BIND architecture that was used
in versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a
501(c)(3) public benefit corporation dedicated to providing software and
services in support of the Internet infrastructure, developed BIND 9 and
is responsible for its ongoing maintenance and improvement. BIND is open
source software licensed under the terms of the Mozilla Public License,
version 2.0.
For a summary of features introduced in past major releases of BIND, see
the file HISTORY.
For a detailed list of changes made throughout the history of BIND 9, see
the file CHANGES. See below for details on the CHANGES file format.
For up-to-date versions and release notes, see https://www.isc.org/
download/.
For information about supported platforms, see PLATFORMS.
Reporting bugs and getting help
To report non-security-sensitive bugs or request new features, you may
open an Issue in the BIND 9 project on the ISC GitLab server at https://
gitlab.isc.org/isc-projects/bind9.
Please note that, unless you explicitly mark the newly created Issue as
"confidential", it will be publicly readable. Please do not include any
information in bug reports that you consider to be confidential unless the
issue has been marked as such. In particular, if submitting the contents
of your configuration file in a non-confidential Issue, it is advisable to
obscure key secrets: this can be done automatically by using
named-checkconf -px.
If the bug you are reporting is a potential security issue, such as an
assertion failure or other crash in named, please do NOT use GitLab to
report it. Instead, send mail to security-officer@isc.org using our
OpenPGP key to secure your message. (Information about OpenPGP and links
to our key can be found at https://www.isc.org/pgpkey.) Please do not
discuss the bug on any public mailing list.
For a general overview of ISC security policies, read the Knowledge Base
article at https://kb.isc.org/docs/aa-00861.
Professional support and training for BIND are available from ISC at
https://www.isc.org/support.
To join the BIND Users mailing list, or view the archives, visit https://
lists.isc.org/mailman/listinfo/bind-users.
If you're planning on making changes to the BIND 9 source code, you may
also want to join the BIND Workers mailing list, at https://lists.isc.org/
mailman/listinfo/bind-workers.
Contributing to BIND
ISC maintains a public git repository for BIND; details can be found at
http://www.isc.org/git/.
Information for BIND contributors can be found in the following files: -
General information: CONTRIBUTING.md - Code of Conduct: CODE_OF_CONDUCT.md
- BIND 9 code style: doc/dev/style.md - BIND architecture and developer
guide: doc/dev/dev.md
Patches for BIND may be submitted as merge requests in the ISC GitLab
server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
By default, external contributors don't have ability to fork BIND in the
GitLab server, but if you wish to contribute code to BIND, you may request
permission to do so. Thereafter, you can create git branches and directly
submit requests that they be reviewed and merged.
If you prefer, you may also submit code by opening a GitLab Issue and
including your patch as an attachment, preferably generated by git
format-patch.
BIND 9.16 features
BIND 9.16 is the current stable branch of BIND 9. It includes all changes
from the 9.15 development branch, updating the previous stable branch,
9.14. New features include:
* New dnssec-policy statement to configure a key and signing policy for
zones, enabling automatic key regeneration and rollover.
* New network manager based on libuv.
* Added support for the new GeoIP2 geolocation API, libmaxminddb.
* Improved DNSSEC trust anchor configuration using the trust-anchors
statement, permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for dig, mdig, and delv.
Building BIND
Minimally, BIND requires a UNIX or Linux system with an ANSI C compiler,
basic POSIX support, and a 64-bit integer type. BIND also requires the
libuv asynchronous I/O library, and a cryptography provider library such
as OpenSSL or a hardware service module supporting PKCS#11. On Linux, BIND
requires the libcap library to set process privileges, though this
requirement can be overridden by disabling capability support at compile
time. See Compile-time options below for details on other libraries that
may be required to support optional features.
Successful builds have been observed on many versions of Linux and UNIX,
including RHEL/CentOS, Fedora, Debian, Ubuntu, SLES, openSUSE, Slackware,
Alpine, FreeBSD, NetBSD, OpenBSD, macOS, Solaris, OpenIndiana, OmniOS CE,
HP-UX, and OpenWRT.
BIND is also available for Windows Server 2012 R2 and higher. See
win32utils/build.txt for details on building for Windows systems.
To build on a UNIX or Linux system, use:
$ ./configure
$ make
If you're planning on making changes to the BIND 9 source, you should run
make depend. If you're using Emacs, you might find make tags helpful.
Several environment variables that can be set before running configure
will affect compilation. Significant ones are:
Variable Description
CC The C compiler to use. configure tries to figure out the
right one for supported systems.
C compiler flags. Defaults to include -g and/or -O2 as
CFLAGS supported by the compiler. Please include '-g' if you need
to set CFLAGS.
System header file directories. Can be used to specify
STD_CINCLUDES where add-on thread or IPv6 support is, for example.
Defaults to empty string.
Any additional preprocessor symbols you want defined.
STD_CDEFINES Defaults to empty string. For a list of possible settings,
see the file OPTIONS.
LDFLAGS Linker flags. Defaults to empty string.
BUILD_CC Needed when cross-compiling: the native C compiler to use
when building for the target system.
BUILD_CFLAGS CFLAGS for the target system during cross-compiling.
BUILD_CPPFLAGS CPPFLAGS for the target system during cross-compiling.
BUILD_LDFLAGS LDFLAGS for the target system during cross-compiling.
BUILD_LIBS LIBS for the target system during cross-compiling.
Additional environment variables affecting the build are listed at the end
of the configure help text, which can be obtained by running the command:
$ ./configure --help
macOS
Building on macOS assumes that the "Command Tools for Xcode" is installed.
This can be downloaded from https://developer.apple.com/download/more/ or,
if you have Xcode already installed, you can run xcode-select --install.
(Note that an Apple ID may be required to access the download page.)
Dependencies
Portions of BIND that are written in Python, including dnssec-keymgr,
dnssec-coverage, dnssec-checkds, and some of the system tests, require the
argparse, ply and distutils.core modules to be available. argparse is a
standard module as of Python 2.7 and Python 3.2. ply is available from
https://pypi.python.org/pypi/ply. distutils.core is required for
installation.
Compile-time options
To see a full list of configuration options, run configure --help.
To build shared libraries, specify --with-libtool on the configure command
line.
For the server to support DNSSEC, you need to build it with crypto
support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
installed. If the OpenSSL library is installed in a nonstandard location,
specify the prefix using --with-openssl=<PREFIX> on the configure command
line. To use a PKCS#11 hardware service module for cryptographic
operations, specify the path to the PKCS#11 provider library using
--with-pkcs11=<PREFIX>, and configure BIND with --enable-native-pkcs11.
To support the HTTP statistics channel, the server must be linked with at
least one of the following libraries: libxml2 http://xmlsoft.org or json-c
https://github.com/json-c/json-c. If these are installed at a nonstandard
location, then:
* for libxml2, specify the prefix using --with-libxml2=/prefix,
* for json-c, adjust PKG_CONFIG_PATH.
To support compression on the HTTP statistics channel, the server must be
linked against libzlib. If this is installed in a nonstandard location,
specify the prefix using --with-zlib=/prefix.
To support storing configuration data for runtime-added zones in an LMDB
database, the server must be linked with liblmdb. If this is installed in
a nonstandard location, specify the prefix using with-lmdb=/prefix.
To support MaxMind GeoIP2 location-based ACLs, the server must be linked
with libmaxminddb. This is turned on by default if the library is found;
if the library is installed in a nonstandard location, specify the prefix
using --with-maxminddb=/prefix. GeoIP2 support can be switched off with
--disable-geoip.
For DNSTAP packet logging, you must have installed libfstrm https://
github.com/farsightsec/fstrm and libprotobuf-c https://
developers.google.com/protocol-buffers, and BIND must be configured with
--enable-dnstap.
Certain compiled-in constants and default settings can be decreased to
values better suited to small machines, e.g. OpenWRT boxes, by specifying
--with-tuning=small on the configure command line. This will decrease
memory usage by using smaller structures, but will degrade performance.
On Linux, process capabilities are managed in user space using the libcap
library, which can be installed on most Linux systems via the libcap-dev
or libcap-devel package. Process capability support can also be disabled
by configuring with --disable-linux-caps.
On some platforms it is necessary to explicitly request large file support
to handle files bigger than 2GB. This can be done by using
--enable-largefile on the configure command line.
Support for the "fixed" rrset-order option can be enabled or disabled by
specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
command line. By default, fixed rrset-order is disabled to reduce memory
footprint.
The --enable-querytrace option causes named to log every step of
processing every query. This should only be enabled when debugging,
because it has a significant negative impact on query performance.
make install will install named and the various BIND 9 libraries. By
default, installation is into /usr/local, but this can be changed with the
--prefix option when running configure.
You may specify the option --sysconfdir to set the directory where
configuration files like named.conf go by default, and --localstatedir to
set the default parent directory of run/named.pid. --sysconfdir defaults
to $prefix/etc and --localstatedir defaults to $prefix/var.
Automated testing
A system test suite can be run with make test. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These
IP addresses can be configured by running the command bin/tests/system/
ifconfig.sh up as root.
Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
and will be skipped if these are not available. Some tests require Python
and the dnspython module and will be skipped if these are not available.
See bin/tests/system/README for further details.
Unit tests are implemented using the CMocka unit testing framework. To
build them, use configure --with-cmocka. Execution of tests is done by the
Kyua test execution engine; if the kyua command is available, then unit
tests can be run via make test or make unit.
Documentation
The BIND 9 Administrator Reference Manual is included with the source
distribution, in DocBook XML, HTML, and PDF format, in the doc/arm
directory.
Some of the programs in the BIND 9 distribution have man pages in their
directories. In particular, the command line options of named are
documented in bin/named/named.8.
Frequently (and not-so-frequently) asked questions and their answers can
be found in the ISC Knowledge Base at https://kb.isc.org.
Additional information on various subjects can be found in other README
files throughout the source tree.
Change log
A detailed list of all changes that have been made throughout the
development BIND 9 is included in the file CHANGES, with the most recent
changes listed first. Change notes include tags indicating the category of
the change that was made; these categories are:
Category Description
[func] New feature
[bug] General bug fix
[security] Fix for a significant security flaw
[experimental] Used for new features when the syntax or other aspects of
the design are still in flux and may change
[port] Portability enhancement
[maint] Updates to built-in data such as root server addresses and
keys
[tuning] Changes to built-in configuration defaults and constants to
improve performance
[performance] Other changes to improve server performance
[protocol] Updates to the DNS protocol such as new RR types
[test] Changes to the automatic tests, not affecting server
functionality
[cleanup] Minor corrections and refactoring
[doc] Documentation
[contrib] Changes to the contributed tools and libraries in the
'contrib' subdirectory
Used in the main development branch to reserve change
[placeholder] numbers for use in other branches, e.g., when fixing a bug
that only exists in older releases
In general, [func] and [experimental] tags will only appear in new-feature
releases (i.e., those with version numbers ending in zero). Some new
functionality may be backported to older releases on a case-by-case basis.
All other change types may be applied to all currently-supported releases.
Bug report identifiers
Most notes in the CHANGES file include a reference to a bug report or
issue number. Prior to 2018, these were usually of the form [RT #NNN] and
referred to entries in the "bind9-bugs" RT database, which was not open to
the public. More recent entries use the form [GL #NNN] or, less often, [GL
!NNN], which, respectively, refer to issues or merge requests in the
GitLab database. Most of these are publicly readable, unless they include
information which is confidential or security sensitive.
To look up a GitLab issue by its number, use the URL https://
gitlab.isc.org/isc-projects/bind9/issues/NNN. To look up a merge request,
use https://gitlab.isc.org/isc-projects/bind9/merge_requests/NNN.
In rare cases, an issue or merge request number may be followed with the
letter "P". This indicates that the information is in the private ISC
GitLab instance, which is not visible to the public.
Acknowledgments
* The original development of BIND 9 was underwritten by the following
organizations:
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
* This product includes software developed by the OpenSSL Project for
use in the OpenSSL Toolkit. http://www.OpenSSL.org/
* This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com)
* This product includes software written by Tim Hudson
(tjh@cryptsoft.com)

View File

@@ -15,7 +15,7 @@
1. [Introduction](#intro)
1. [Reporting bugs and getting help](#help)
1. [Contributing to BIND](#contrib)
1. [BIND 9.16 features](#features)
1. [BIND 9.17 features](#features)
1. [Building BIND](#build)
1. [macOS](#macos)
1. [Dependencies](#dependencies)
@@ -125,20 +125,15 @@ If you prefer, you may also submit code by opening a
including your patch as an attachment, preferably generated by
`git format-patch`.
### <a name="features"/> BIND 9.16 features
### <a name="features"/> BIND 9.17 features
BIND 9.16 is the current stable branch of BIND 9. It includes all
changes from the 9.15 development branch, updating the previous stable
branch, 9.14. New features include:
BIND 9.17 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.16 and earlier releases. New features include:
* New `dnssec-policy` statement to configure a key and signing policy
for zones, enabling automatic key regeneration and rollover.
* New network manager based on `libuv`.
* Added support for the new GeoIP2 geolocation API, `libmaxminddb`.
* Improved DNSSEC trust anchor configuration using the `trust-anchors`
statement, permitting configuration of trust anchors in DS as well as
DNSKEY format.
* YAML output for `dig`, `mdig`, and `delv`.
* New option "max-ixfr-ratio" to limit the size of outgoing IXFR responses
before falling back to full zone transfers.
* "rndc nta -d" and "rndc secroots" now include "validate-except" entries
when listing negative trust anchors.
### <a name="build"/> Building BIND
@@ -176,14 +171,7 @@ affect compilation. Significant ones are:
|--------------------|-----------------------------------------------|
|`CC`|The C compiler to use. `configure` tries to figure out the right one for supported systems.|
|`CFLAGS`|C compiler flags. Defaults to include -g and/or -O2 as supported by the compiler. Please include '-g' if you need to set `CFLAGS`. |
|`STD_CINCLUDES`|System header file directories. Can be used to specify where add-on thread or IPv6 support is, for example. Defaults to empty string.|
|`STD_CDEFINES`|Any additional preprocessor symbols you want defined. Defaults to empty string. For a list of possible settings, see the file [OPTIONS](OPTIONS.md).|
|`LDFLAGS`|Linker flags. Defaults to empty string.|
|`BUILD_CC`|Needed when cross-compiling: the native C compiler to use when building for the target system.|
|`BUILD_CFLAGS`|`CFLAGS` for the target system during cross-compiling.|
|`BUILD_CPPFLAGS`|`CPPFLAGS` for the target system during cross-compiling.|
|`BUILD_LDFLAGS`|`LDFLAGS` for the target system during cross-compiling.|
|`BUILD_LIBS`|`LIBS` for the target system during cross-compiling.|
Additional environment variables affecting the build are listed at the
end of the `configure` help text, which can be obtained by running the
@@ -200,16 +188,6 @@ or, if you have Xcode already installed, you can run `xcode-select
--install`. (Note that an Apple ID may be required to access the download
page.)
### <a name="dependencies"/> Dependencies
Portions of BIND that are written in Python, including
`dnssec-keymgr`, `dnssec-coverage`, `dnssec-checkds`, and some of the
system tests, require the `argparse`, `ply` and `distutils.core` modules
to be available.
`argparse` is a standard module as of Python 2.7 and Python 3.2.
`ply` is available from [https://pypi.python.org/pypi/ply](https://pypi.python.org/pypi/ply).
`distutils.core` is required for installation.
#### <a name="opts"/> Compile-time options
To see a full list of configuration options, run `configure --help`.
@@ -288,7 +266,7 @@ defaults to `$prefix/etc` and `--localstatedir` defaults to `$prefix/var`.
### <a name="testing"/> Automated testing
A system test suite can be run with `make test`. The system tests require
A system test suite can be run with `make check`. The system tests require
you to configure a set of virtual IP addresses on your system (this allows
multiple servers to run locally and communicate with one another). These
IP addresses can be configured by running the command
@@ -299,11 +277,9 @@ and will be skipped if these are not available. Some tests require Python
and the `dnspython` module and will be skipped if these are not available.
See bin/tests/system/README for further details.
Unit tests are implemented using the [CMocka unit testing framework](https://cmocka.org/).
To build them, use `configure --with-cmocka`. Execution of tests is done
by the [Kyua test execution engine](https://github.com/jmmv/kyua); if the
`kyua` command is available, then unit tests can be run via `make test`
or `make unit`.
Unit tests are implemented using the CMocka unit testing framework. To build
them, use `configure --with-cmocka`. Execution of tests is done by the automake
parallel test driver; unit tests are also run by `make check`.
### <a name="doc"/> Documentation
@@ -344,7 +320,7 @@ the change that was made; these categories are:
| [cleanup] | Minor corrections and refactoring |
| [doc] | Documentation |
| [contrib] | Changes to the contributed tools and libraries in the 'contrib' subdirectory |
| [placeholder] | Used in the main development branch to reserve change numbers for use in other branches, e.g., when fixing a bug that only exists in older releases |
| [placeholder] | Used in the master development branch to reserve change numbers for use in other branches, e.g. when fixing a bug that only exists in older releases |
In general, [func] and [experimental] tags will only appear in new-feature
releases (i.e., those with version numbers ending in zero). Some new

388
aclocal.m4 vendored
View File

@@ -1,388 +0,0 @@
# generated automatically by aclocal 1.16.3 -*- Autoconf -*-
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])])
# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*-
# serial 12 (pkg-config-0.29.2)
dnl Copyright © 2004 Scott James Remnant <scott@netsplit.com>.
dnl Copyright © 2012-2015 Dan Nicholson <dbn.lists@gmail.com>
dnl
dnl This program is free software; you can redistribute it and/or modify
dnl it under the terms of the GNU General Public License as published by
dnl the Free Software Foundation; either version 2 of the License, or
dnl (at your option) any later version.
dnl
dnl This program is distributed in the hope that it will be useful, but
dnl WITHOUT ANY WARRANTY; without even the implied warranty of
dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
dnl General Public License for more details.
dnl
dnl You should have received a copy of the GNU General Public License
dnl along with this program; if not, write to the Free Software
dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
dnl 02111-1307, USA.
dnl
dnl As a special exception to the GNU General Public License, if you
dnl distribute this file as part of a program that contains a
dnl configuration script generated by Autoconf, you may include it under
dnl the same distribution terms that you use for the rest of that
dnl program.
dnl PKG_PREREQ(MIN-VERSION)
dnl -----------------------
dnl Since: 0.29
dnl
dnl Verify that the version of the pkg-config macros are at least
dnl MIN-VERSION. Unlike PKG_PROG_PKG_CONFIG, which checks the user's
dnl installed version of pkg-config, this checks the developer's version
dnl of pkg.m4 when generating configure.
dnl
dnl To ensure that this macro is defined, also add:
dnl m4_ifndef([PKG_PREREQ],
dnl [m4_fatal([must install pkg-config 0.29 or later before running autoconf/autogen])])
dnl
dnl See the "Since" comment for each macro you use to see what version
dnl of the macros you require.
m4_defun([PKG_PREREQ],
[m4_define([PKG_MACROS_VERSION], [0.29.2])
m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1,
[m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])])
])dnl PKG_PREREQ
dnl PKG_PROG_PKG_CONFIG([MIN-VERSION])
dnl ----------------------------------
dnl Since: 0.16
dnl
dnl Search for the pkg-config tool and set the PKG_CONFIG variable to
dnl first found in the path. Checks that the version of pkg-config found
dnl is at least MIN-VERSION. If MIN-VERSION is not specified, 0.9.0 is
dnl used since that's the first version where most current features of
dnl pkg-config existed.
AC_DEFUN([PKG_PROG_PKG_CONFIG],
[m4_pattern_forbid([^_?PKG_[A-Z_]+$])
m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$])
m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$])
AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])
AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path])
AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path])
if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then
AC_PATH_TOOL([PKG_CONFIG], [pkg-config])
fi
if test -n "$PKG_CONFIG"; then
_pkg_min_version=m4_default([$1], [0.9.0])
AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version])
if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
PKG_CONFIG=""
fi
fi[]dnl
])dnl PKG_PROG_PKG_CONFIG
dnl PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
dnl -------------------------------------------------------------------
dnl Since: 0.18
dnl
dnl Check to see whether a particular set of modules exists. Similar to
dnl PKG_CHECK_MODULES(), but does not set variables or print errors.
dnl
dnl Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG])
dnl only at the first occurence in configure.ac, so if the first place
dnl it's called might be skipped (such as if it is within an "if", you
dnl have to call PKG_CHECK_EXISTS manually
AC_DEFUN([PKG_CHECK_EXISTS],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
if test -n "$PKG_CONFIG" && \
AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then
m4_default([$2], [:])
m4_ifvaln([$3], [else
$3])dnl
fi])
dnl _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES])
dnl ---------------------------------------------
dnl Internal wrapper calling pkg-config via PKG_CONFIG and setting
dnl pkg_failed based on the result.
m4_define([_PKG_CONFIG],
[if test -n "$$1"; then
pkg_cv_[]$1="$$1"
elif test -n "$PKG_CONFIG"; then
PKG_CHECK_EXISTS([$3],
[pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`
test "x$?" != "x0" && pkg_failed=yes ],
[pkg_failed=yes])
else
pkg_failed=untried
fi[]dnl
])dnl _PKG_CONFIG
dnl _PKG_SHORT_ERRORS_SUPPORTED
dnl ---------------------------
dnl Internal check to see if pkg-config supports short errors.
AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])
if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
_pkg_short_errors_supported=yes
else
_pkg_short_errors_supported=no
fi[]dnl
])dnl _PKG_SHORT_ERRORS_SUPPORTED
dnl PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
dnl [ACTION-IF-NOT-FOUND])
dnl --------------------------------------------------------------
dnl Since: 0.4.0
dnl
dnl Note that if there is a possibility the first call to
dnl PKG_CHECK_MODULES might not happen, you should be sure to include an
dnl explicit call to PKG_PROG_PKG_CONFIG in your configure.ac
AC_DEFUN([PKG_CHECK_MODULES],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl
AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl
pkg_failed=no
AC_MSG_CHECKING([for $2])
_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2])
_PKG_CONFIG([$1][_LIBS], [libs], [$2])
m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS
and $1[]_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.])
if test $pkg_failed = yes; then
AC_MSG_RESULT([no])
_PKG_SHORT_ERRORS_SUPPORTED
if test $_pkg_short_errors_supported = yes; then
$1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1`
else
$1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1`
fi
# Put the nasty error message in config.log where it belongs
echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD
m4_default([$4], [AC_MSG_ERROR(
[Package requirements ($2) were not met:
$$1_PKG_ERRORS
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
_PKG_TEXT])[]dnl
])
elif test $pkg_failed = untried; then
AC_MSG_RESULT([no])
m4_default([$4], [AC_MSG_FAILURE(
[The pkg-config script could not be found or is too old. Make sure it
is in your PATH or set the PKG_CONFIG environment variable to the full
path to pkg-config.
_PKG_TEXT
To get pkg-config, see <http://pkg-config.freedesktop.org/>.])[]dnl
])
else
$1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS
$1[]_LIBS=$pkg_cv_[]$1[]_LIBS
AC_MSG_RESULT([yes])
$3
fi[]dnl
])dnl PKG_CHECK_MODULES
dnl PKG_CHECK_MODULES_STATIC(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND],
dnl [ACTION-IF-NOT-FOUND])
dnl ---------------------------------------------------------------------
dnl Since: 0.29
dnl
dnl Checks for existence of MODULES and gathers its build flags with
dnl static libraries enabled. Sets VARIABLE-PREFIX_CFLAGS from --cflags
dnl and VARIABLE-PREFIX_LIBS from --libs.
dnl
dnl Note that if there is a possibility the first call to
dnl PKG_CHECK_MODULES_STATIC might not happen, you should be sure to
dnl include an explicit call to PKG_PROG_PKG_CONFIG in your
dnl configure.ac.
AC_DEFUN([PKG_CHECK_MODULES_STATIC],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
_save_PKG_CONFIG=$PKG_CONFIG
PKG_CONFIG="$PKG_CONFIG --static"
PKG_CHECK_MODULES($@)
PKG_CONFIG=$_save_PKG_CONFIG[]dnl
])dnl PKG_CHECK_MODULES_STATIC
dnl PKG_INSTALLDIR([DIRECTORY])
dnl -------------------------
dnl Since: 0.27
dnl
dnl Substitutes the variable pkgconfigdir as the location where a module
dnl should install pkg-config .pc files. By default the directory is
dnl $libdir/pkgconfig, but the default can be changed by passing
dnl DIRECTORY. The user can override through the --with-pkgconfigdir
dnl parameter.
AC_DEFUN([PKG_INSTALLDIR],
[m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])])
m4_pushdef([pkg_description],
[pkg-config installation directory @<:@]pkg_default[@:>@])
AC_ARG_WITH([pkgconfigdir],
[AS_HELP_STRING([--with-pkgconfigdir], pkg_description)],,
[with_pkgconfigdir=]pkg_default)
AC_SUBST([pkgconfigdir], [$with_pkgconfigdir])
m4_popdef([pkg_default])
m4_popdef([pkg_description])
])dnl PKG_INSTALLDIR
dnl PKG_NOARCH_INSTALLDIR([DIRECTORY])
dnl --------------------------------
dnl Since: 0.27
dnl
dnl Substitutes the variable noarch_pkgconfigdir as the location where a
dnl module should install arch-independent pkg-config .pc files. By
dnl default the directory is $datadir/pkgconfig, but the default can be
dnl changed by passing DIRECTORY. The user can override through the
dnl --with-noarch-pkgconfigdir parameter.
AC_DEFUN([PKG_NOARCH_INSTALLDIR],
[m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])])
m4_pushdef([pkg_description],
[pkg-config arch-independent installation directory @<:@]pkg_default[@:>@])
AC_ARG_WITH([noarch-pkgconfigdir],
[AS_HELP_STRING([--with-noarch-pkgconfigdir], pkg_description)],,
[with_noarch_pkgconfigdir=]pkg_default)
AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir])
m4_popdef([pkg_default])
m4_popdef([pkg_description])
])dnl PKG_NOARCH_INSTALLDIR
dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE,
dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
dnl -------------------------------------------
dnl Since: 0.28
dnl
dnl Retrieves the value of the pkg-config variable for the given module.
AC_DEFUN([PKG_CHECK_VAR],
[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl
AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl
_PKG_CONFIG([$1], [variable="][$3]["], [$2])
AS_VAR_COPY([$1], [pkg_cv_][$1])
AS_VAR_IF([$1], [""], [$5], [$4])dnl
])dnl PKG_CHECK_VAR
# AM_CONDITIONAL -*- Autoconf -*-
# Copyright (C) 1997-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# AM_CONDITIONAL(NAME, SHELL-CONDITION)
# -------------------------------------
# Define a conditional.
AC_DEFUN([AM_CONDITIONAL],
[AC_PREREQ([2.52])dnl
m4_if([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])],
[$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
AC_SUBST([$1_TRUE])dnl
AC_SUBST([$1_FALSE])dnl
_AM_SUBST_NOTMAKE([$1_TRUE])dnl
_AM_SUBST_NOTMAKE([$1_FALSE])dnl
m4_define([_AM_COND_VALUE_$1], [$2])dnl
if $2; then
$1_TRUE=
$1_FALSE='#'
else
$1_TRUE='#'
$1_FALSE=
fi
AC_CONFIG_COMMANDS_PRE(
[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
AC_MSG_ERROR([[conditional "$1" was never defined.
Usually this means the macro was only invoked conditionally.]])
fi])])
# Add --enable-maintainer-mode option to configure. -*- Autoconf -*-
# From Jim Meyering
# Copyright (C) 1996-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# AM_MAINTAINER_MODE([DEFAULT-MODE])
# ----------------------------------
# Control maintainer-specific portions of Makefiles.
# Default is to disable them, unless 'enable' is passed literally.
# For symmetry, 'disable' may be passed as well. Anyway, the user
# can override the default with the --enable/--disable switch.
AC_DEFUN([AM_MAINTAINER_MODE],
[m4_case(m4_default([$1], [disable]),
[enable], [m4_define([am_maintainer_other], [disable])],
[disable], [m4_define([am_maintainer_other], [enable])],
[m4_define([am_maintainer_other], [enable])
m4_warn([syntax], [unexpected argument to AM@&t@_MAINTAINER_MODE: $1])])
AC_MSG_CHECKING([whether to enable maintainer-specific portions of Makefiles])
dnl maintainer-mode's default is 'disable' unless 'enable' is passed
AC_ARG_ENABLE([maintainer-mode],
[AS_HELP_STRING([--]am_maintainer_other[-maintainer-mode],
am_maintainer_other[ make rules and dependencies not useful
(and sometimes confusing) to the casual installer])],
[USE_MAINTAINER_MODE=$enableval],
[USE_MAINTAINER_MODE=]m4_if(am_maintainer_other, [enable], [no], [yes]))
AC_MSG_RESULT([$USE_MAINTAINER_MODE])
AM_CONDITIONAL([MAINTAINER_MODE], [test $USE_MAINTAINER_MODE = yes])
MAINT=$MAINTAINER_MODE_TRUE
AC_SUBST([MAINT])dnl
]
)
# Copyright (C) 2006-2020 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# _AM_SUBST_NOTMAKE(VARIABLE)
# ---------------------------
# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
# This macro is traced by Automake.
AC_DEFUN([_AM_SUBST_NOTMAKE])
# AM_SUBST_NOTMAKE(VARIABLE)
# --------------------------
# Public sister of _AM_SUBST_NOTMAKE.
AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
m4_include([m4/ax_check_compile_flag.m4])
m4_include([m4/ax_check_openssl.m4])
m4_include([m4/ax_gcc_func_attribute.m4])
m4_include([m4/ax_posix_shell.m4])
m4_include([m4/ax_pthread.m4])
m4_include([m4/ax_restore_flags.m4])
m4_include([m4/ax_save_flags.m4])
m4_include([m4/libtool.m4])
m4_include([m4/ltoptions.m4])
m4_include([m4/ltsugar.m4])
m4_include([m4/ltversion.m4])
m4_include([m4/lt~obsolete.m4])

View File

@@ -1,13 +0,0 @@
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# Run this script after modifying configure.in to generate configure
autoreconf -f -i

5
bin/Makefile.am Normal file
View File

@@ -0,0 +1,5 @@
SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen tests plugins
if HAVE_PKCS11
SUBDIRS += pkcs11
endif

View File

@@ -1,18 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
TARGETS =
@BIND9_MAKE_RULES@

34
bin/check/Makefile.am Normal file
View File

@@ -0,0 +1,34 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBNS_CFLAGS) \
$(LIBISCCFG_CFLAGS) \
$(LIBBIND9_CFLAGS)
AM_CPPFLAGS += \
-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
noinst_LTLIBRARIES = libcheck-tool.la
libcheck_tool_la_SOURCES = \
check-tool.h \
check-tool.c
LDADD = \
libcheck-tool.la \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBNS_LIBS) \
$(LIBISCCFG_LIBS) \
$(LIBBIND9_LIBS)
sbin_PROGRAMS = named-checkconf named-checkzone
install-exec-hook:
ln -f $(DESTDIR)$(sbindir)/named-checkzone \
$(DESTDIR)$(sbindir)/named-compilezone
uninstall-hook:
-rm -f $(DESTDIR)$(sbindir)/named-compilezone

View File

@@ -1,86 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} \
${ISCCFG_INCLUDES} ${ISC_INCLUDES} ${OPENSSL_CFLAGS}
CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
NSLIBS = ../../lib/ns/libns.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
NSDEPENDLIBS = ../../lib/ns/libns.@A@
LIBS = ${ISCLIBS} @LIBS@
NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
SUBDIRS =
# Alphabetically
TARGETS = named-checkconf@EXEEXT@ named-checkzone@EXEEXT@
# Alphabetically
SRCS = named-checkconf.c named-checkzone.c check-tool.c
@BIND9_MAKE_RULES@
named-checkconf.@O@: named-checkconf.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-c ${srcdir}/named-checkconf.c
named-checkzone.@O@: named-checkzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-c ${srcdir}/named-checkzone.c
named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
${NSDEPENDLIBS} ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
export LIBS0="${BIND9LIBS} ${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
${FINALBUILDCMD}
named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} \
${NSDEPENDLIBS} ${DNSDEPLIBS}
export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
export LIBS0="${NSLIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
${FINALBUILDCMD}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
uninstall::
rm -f ${DESTDIR}${sbindir}/named-compilezone@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkconf@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-checkzone@EXEEXT@
clean distclean::
rm -f ${TARGETS} r1.htm

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -695,8 +695,13 @@ load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
CHECK(dns_zone_setorigin(zone, origin));
dns_zone_setdbtype(zone, 1, (const char *const *)dbtype);
CHECK(dns_zone_setfile(zone, filename, fileformat,
&dns_master_style_default));
if (strcmp(filename, "-") == 0) {
CHECK(dns_zone_setstream(zone, stdin, fileformat,
&dns_master_style_default));
} else {
CHECK(dns_zone_setfile(zone, filename, fileformat,
&dns_master_style_default));
}
if (journal != NULL) {
CHECK(dns_zone_setjournal(zone, journal));
}

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

152
bin/check/named-checkconf.8 Normal file
View File

@@ -0,0 +1,152 @@
.\" Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: named-checkconf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-10
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\-CHECKCONF" "8" "2014\-01\-10" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
named-checkconf \- named configuration file syntax checking tool
.SH "SYNOPSIS"
.HP \w'\fBnamed\-checkconf\fR\ 'u
\fBnamed\-checkconf\fR [\fB\-chjlvz\fR] [\fB\-p\fR\ [\fB\-x\fR\ ]] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
checks the syntax, but not the semantics, of a
\fBnamed\fR
configuration file\&. The file is parsed and checked for syntax errors, along with all files included by it\&. If no file is specified,
/etc/named\&.conf
is read by default\&.
.PP
Note: files that
\fBnamed\fR
reads in separate parser contexts, such as
rndc\&.key
and
bind\&.keys, are not automatically read by
\fBnamed\-checkconf\fR\&. Configuration errors in these files may cause
\fBnamed\fR
to fail to run, even if
\fBnamed\-checkconf\fR
was successful\&.
\fBnamed\-checkconf\fR
can be run on these files explicitly, however\&.
.SH "OPTIONS"
.PP
\-h
.RS 4
Print the usage summary and exit\&.
.RE
.PP
\-j
.RS 4
When loading a zonefile read the journal if it exists\&.
.RE
.PP
\-l
.RS 4
List all the configured zones\&. Each line of output contains the zone name, class (e\&.g\&. IN), view, and type (e\&.g\&. master or slave)\&.
.RE
.PP
\-c
.RS 4
Check "core" configuration only\&. This suppresses the loading of plugin modules, and causes all parameters to
\fBplugin\fR
statements to be ignored\&.
.RE
.PP
\-i
.RS 4
Ignore warnings on deprecated options\&.
.RE
.PP
\-p
.RS 4
Print out the
named\&.conf
and included files in canonical form if no errors were detected\&. See also the
\fB\-x\fR
option\&.
.RE
.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
directory
so that include directives in the configuration file are processed as if run by a similarly chrooted
\fBnamed\fR\&.
.RE
.PP
\-v
.RS 4
Print the version of the
\fBnamed\-checkconf\fR
program and exit\&.
.RE
.PP
\-x
.RS 4
When printing the configuration files in canonical form, obscure shared secrets by replacing them with strings of question marks (\*(Aq?\*(Aq)\&. This allows the contents of
named\&.conf
and related files to be shared \(em for example, when submitting bug reports \(em without compromising private data\&. This option cannot be used without
\fB\-p\fR\&.
.RE
.PP
\-z
.RS 4
Perform a test load of all master zones found in
named\&.conf\&.
.RE
.PP
filename
.RS 4
The name of the configuration file to be checked\&. If not specified, it defaults to
/etc/named\&.conf\&.
.RE
.SH "RETURN VALUES"
.PP
\fBnamed\-checkconf\fR
returns an exit status of 1 if errors were detected and 0 otherwise\&.
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed-checkzone\fR(8),
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -16,6 +16,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <isc/attributes.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/hash.h>
@@ -56,8 +57,8 @@ isc_log_t *logc = NULL;
} while (0)
/*% usage */
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
@@ -184,7 +185,7 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
const char *zname;
const char *zfile = NULL;
const cfg_obj_t *maps[4];
const cfg_obj_t *primariesobj = NULL;
const cfg_obj_t *mastersobj = NULL;
const cfg_obj_t *inviewobj = NULL;
const cfg_obj_t *zoptions = NULL;
const cfg_obj_t *classobj = NULL;
@@ -278,12 +279,8 @@ configure_zone(const char *vclass, const char *view, const cfg_obj_t *zconfig,
* Is the redirect zone configured as a slave?
*/
if (strcasecmp(cfg_obj_asstring(typeobj), "redirect") == 0) {
cfg_map_get(zoptions, "primaries", &primariesobj);
if (primariesobj == NULL) {
cfg_map_get(zoptions, "masters", &primariesobj);
}
if (primariesobj != NULL) {
cfg_map_get(zoptions, "masters", &mastersobj);
if (mastersobj != NULL) {
return (ISC_R_SUCCESS);
}
}
@@ -533,12 +530,7 @@ load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
}
classobj = cfg_tuple_get(vconfig, "class");
tresult = config_getclass(classobj, dns_rdataclass_in,
&viewclass);
if (tresult != ISC_R_SUCCESS) {
CHECK(tresult);
}
CHECK(config_getclass(classobj, dns_rdataclass_in, &viewclass));
if (dns_rdataclass_ismeta(viewclass)) {
CHECK(ISC_R_FAILURE);
}
@@ -664,7 +656,7 @@ main(int argc, char **argv) {
break;
case 'v':
printf(VERSION "\n");
printf("%s\n", PACKAGE_VERSION);
exit(0);
case 'x':

View File

@@ -0,0 +1,229 @@
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkconf">
<info>
<date>2014-01-10</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>named-checkconf</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2009</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refnamediv>
<refname><application>named-checkconf</application></refname>
<refpurpose>named configuration file syntax checking tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>named-checkconf</command>
<arg choice="opt" rep="norepeat"><option>-chjlvz</option></arg>
<arg choice="opt" rep="norepeat"><option>-p</option>
<arg choice="opt" rep="norepeat"><option>-x</option>
</arg></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req" rep="norepeat">filename</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>named-checkconf</command>
checks the syntax, but not the semantics, of a
<command>named</command> configuration file. The file is parsed
and checked for syntax errors, along with all files included by it.
If no file is specified, <filename>/etc/named.conf</filename> is read
by default.
</para>
<para>
Note: files that <command>named</command> reads in separate
parser contexts, such as <filename>rndc.key</filename> and
<filename>bind.keys</filename>, are not automatically read
by <command>named-checkconf</command>. Configuration
errors in these files may cause <command>named</command> to
fail to run, even if <command>named-checkconf</command> was
successful. <command>named-checkconf</command> can be run
on these files explicitly, however.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Print the usage summary and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-j</term>
<listitem>
<para>
When loading a zonefile read the journal if it exists.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l</term>
<listitem>
<para>
List all the configured zones. Each line of output
contains the zone name, class (e.g. IN), view, and type
(e.g. master or slave).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c</term>
<listitem>
<para>
Check "core" configuration only. This suppresses the loading
of plugin modules, and causes all parameters to
<command>plugin</command> statements to be ignored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i</term>
<listitem>
<para>
Ignore warnings on deprecated options.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Print out the <filename>named.conf</filename> and included files
in canonical form if no errors were detected.
See also the <option>-x</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Chroot to <filename>directory</filename> so that include
directives in the configuration file are processed as if
run by a similarly chrooted <command>named</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Print the version of the <command>named-checkconf</command>
program and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>
<para>
When printing the configuration files in canonical
form, obscure shared secrets by replacing them with
strings of question marks ('?'). This allows the
contents of <filename>named.conf</filename> and related
files to be shared &mdash; for example, when submitting
bug reports &mdash; without compromising private data.
This option cannot be used without <option>-p</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Perform a test load of all master zones found in
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>filename</term>
<listitem>
<para>
The name of the configuration file to be checked. If not
specified, it defaults to <filename>/etc/named.conf</filename>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
<para><command>named-checkconf</command>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

View File

@@ -0,0 +1,180 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004, 2005, 2007, 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-checkconf</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.named-checkconf"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">named-checkconf</span>
&#8212; named configuration file syntax checking tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">named-checkconf</code>
[<code class="option">-chjlvz</code>]
[<code class="option">-p</code>
[<code class="option">-x</code>
]]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
{filename}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-checkconf</strong></span>
checks the syntax, but not the semantics, of a
<span class="command"><strong>named</strong></span> configuration file. The file is parsed
and checked for syntax errors, along with all files included by it.
If no file is specified, <code class="filename">/etc/named.conf</code> is read
by default.
</p>
<p>
Note: files that <span class="command"><strong>named</strong></span> reads in separate
parser contexts, such as <code class="filename">rndc.key</code> and
<code class="filename">bind.keys</code>, are not automatically read
by <span class="command"><strong>named-checkconf</strong></span>. Configuration
errors in these files may cause <span class="command"><strong>named</strong></span> to
fail to run, even if <span class="command"><strong>named-checkconf</strong></span> was
successful. <span class="command"><strong>named-checkconf</strong></span> can be run
on these files explicitly, however.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-h</span></dt>
<dd>
<p>
Print the usage summary and exit.
</p>
</dd>
<dt><span class="term">-j</span></dt>
<dd>
<p>
When loading a zonefile read the journal if it exists.
</p>
</dd>
<dt><span class="term">-l</span></dt>
<dd>
<p>
List all the configured zones. Each line of output
contains the zone name, class (e.g. IN), view, and type
(e.g. master or slave).
</p>
</dd>
<dt><span class="term">-c</span></dt>
<dd>
<p>
Check "core" configuration only. This suppresses the loading
of plugin modules, and causes all parameters to
<span class="command"><strong>plugin</strong></span> statements to be ignored.
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd>
<p>
Ignore warnings on deprecated options.
</p>
</dd>
<dt><span class="term">-p</span></dt>
<dd>
<p>
Print out the <code class="filename">named.conf</code> and included files
in canonical form if no errors were detected.
See also the <code class="option">-x</code> option.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Chroot to <code class="filename">directory</code> so that include
directives in the configuration file are processed as if
run by a similarly chrooted <span class="command"><strong>named</strong></span>.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Print the version of the <span class="command"><strong>named-checkconf</strong></span>
program and exit.
</p>
</dd>
<dt><span class="term">-x</span></dt>
<dd>
<p>
When printing the configuration files in canonical
form, obscure shared secrets by replacing them with
strings of question marks ('?'). This allows the
contents of <code class="filename">named.conf</code> and related
files to be shared &#8212; for example, when submitting
bug reports &#8212; without compromising private data.
This option cannot be used without <code class="option">-p</code>.
</p>
</dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Perform a test load of all master zones found in
<code class="filename">named.conf</code>.
</p>
</dd>
<dt><span class="term">filename</span></dt>
<dd>
<p>
The name of the configuration file to be checked. If not
specified, it defaults to <code class="filename">/etc/named.conf</code>.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>RETURN VALUES</h2>
<p><span class="command"><strong>named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,105 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_named-checkconf:
named-checkconf - named configuration file syntax checking tool
---------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`named-checkconf` [**-chjlvz**] [**-p** [**-x** ]] [**-t** directory] {filename}
Description
~~~~~~~~~~~
``named-checkconf`` checks the syntax, but not the semantics, of a
``named`` configuration file. The file, along with all files included by it, is parsed and checked for syntax
errors. If no file is specified,
``/etc/named.conf`` is read by default.
Note: files that ``named`` reads in separate parser contexts, such as
``rndc.key`` and ``bind.keys``, are not automatically read by
``named-checkconf``. Configuration errors in these files may cause
``named`` to fail to run, even if ``named-checkconf`` was successful.
However, ``named-checkconf`` can be run on these files explicitly.
Options
~~~~~~~
``-h``
This option prints the usage summary and exits.
``-j``
When loading a zonefile, this option instructs ``named`` to read the journal if it exists.
``-l``
This option lists all the configured zones. Each line of output contains the zone
name, class (e.g. IN), view, and type (e.g. primary or secondary).
``-c``
This option specifies that only the "core" configuration should be checked. This suppresses the loading of
plugin modules, and causes all parameters to ``plugin`` statements to
be ignored.
``-i``
This option ignores warnings on deprecated options.
``-p``
This option prints out the ``named.conf`` and included files in canonical form if
no errors were detected. See also the ``-x`` option.
``-t directory``
This option instructs ``named`` to chroot to ``directory``, so that ``include`` directives in the
configuration file are processed as if run by a similarly chrooted
``named``.
``-v``
This option prints the version of the ``named-checkconf`` program and exits.
``-x``
When printing the configuration files in canonical form, this option obscures
shared secrets by replacing them with strings of question marks
(``?``). This allows the contents of ``named.conf`` and related files
to be shared - for example, when submitting bug reports -
without compromising private data. This option cannot be used without
``-p``.
``-z``
This option performs a test load of all zones of type ``primary`` found in ``named.conf``.
``filename``
This indicates the name of the configuration file to be checked. If not specified,
it defaults to ``/etc/named.conf``.
Return Values
~~~~~~~~~~~~~
``named-checkconf`` returns an exit status of 1 if errors were detected
and 0 otherwise.
See Also
~~~~~~~~
:manpage:`named(8)`, :manpage:`named-checkzone(8)`, BIND 9 Administrator Reference Manual.

329
bin/check/named-checkzone.8 Normal file
View File

@@ -0,0 +1,329 @@
.\" Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: named-checkzone
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-19
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NAMED\-CHECKZONE" "8" "2014\-02\-19" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
named-checkzone, named-compilezone \- zone file validity checking or converting tool
.SH "SYNOPSIS"
.HP \w'\fBnamed\-checkzone\fR\ 'u
\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
.HP \w'\fBnamed\-compilezone\fR\ 'u
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-J\ \fR\fB\fIfilename\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-l\ \fR\fB\fIttl\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkzone\fR
checks the syntax and integrity of a zone file\&. It performs the same checks as
\fBnamed\fR
does when loading a zone\&. This makes
\fBnamed\-checkzone\fR
useful for checking zone files before configuring them into a name server\&.
.PP
\fBnamed\-compilezone\fR
is similar to
\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format\&. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
\fBnamed\fR\&. When manually specified otherwise, the check levels must at least be as strict as those specified in the
\fBnamed\fR
configuration file\&.
.SH "OPTIONS"
.PP
\-d
.RS 4
Enable debugging\&.
.RE
.PP
\-h
.RS 4
Print the usage summary and exit\&.
.RE
.PP
\-q
.RS 4
Quiet mode \- exit code only\&.
.RE
.PP
\-v
.RS 4
Print the version of the
\fBnamed\-checkzone\fR
program and exit\&.
.RE
.PP
\-j
.RS 4
When loading a zone file, read the journal if it exists\&. The journal file name is assumed to be the zone file name appended with the string
\&.jnl\&.
.RE
.PP
\-J \fIfilename\fR
.RS 4
When loading the zone file read the journal from the given file, if it exists\&. (Implies \-j\&.)
.RE
.PP
\-c \fIclass\fR
.RS 4
Specify the class of the zone\&. If not specified, "IN" is assumed\&.
.RE
.PP
\-i \fImode\fR
.RS 4
Perform post\-load zone integrity checks\&. Possible modes are
\fB"full"\fR
(default),
\fB"full\-sibling"\fR,
\fB"local"\fR,
\fB"local\-sibling"\fR
and
\fB"none"\fR\&.
.sp
Mode
\fB"full"\fR
checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
\fB"local"\fR
only checks MX records which refer to in\-zone hostnames\&.
.sp
Mode
\fB"full"\fR
checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode
\fB"local"\fR
only checks SRV records which refer to in\-zone hostnames\&.
.sp
Mode
\fB"full"\fR
checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. It also checks that glue address records in the zone match those advertised by the child\&. Mode
\fB"local"\fR
only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone\&.
.sp
Mode
\fB"full\-sibling"\fR
and
\fB"local\-sibling"\fR
disable sibling glue checks but are otherwise the same as
\fB"full"\fR
and
\fB"local"\fR
respectively\&.
.sp
Mode
\fB"none"\fR
disables the checks\&.
.RE
.PP
\-f \fIformat\fR
.RS 4
Specify the format of the zone file\&. Possible formats are
\fB"text"\fR
(default),
\fB"raw"\fR, and
\fB"map"\fR\&.
.RE
.PP
\-F \fIformat\fR
.RS 4
Specify the format of the output file specified\&. For
\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents\&.
.sp
Possible formats are
\fB"text"\fR
(default), which is the standard textual representation of the zone, and
\fB"map"\fR,
\fB"raw"\fR, and
\fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
\fBnamed\fR\&.
\fB"raw=N"\fR
specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
\fBnamed\fR; if N is 1, the file can be read by release 9\&.9\&.0 or higher; the default is 1\&.
.RE
.PP
\-k \fImode\fR
.RS 4
Perform
\fB"check\-names"\fR
checks with the specified failure mode\&. Possible modes are
\fB"fail"\fR
(default for
\fBnamed\-compilezone\fR),
\fB"warn"\fR
(default for
\fBnamed\-checkzone\fR) and
\fB"ignore"\fR\&.
.RE
.PP
\-l \fIttl\fR
.RS 4
Sets a maximum permissible TTL for the input file\&. Any record with a TTL higher than this value will cause the zone to be rejected\&. This is similar to using the
\fBmax\-zone\-ttl\fR
option in
named\&.conf\&.
.RE
.PP
\-L \fIserial\fR
.RS 4
When compiling a zone to "raw" or "map" format, set the "source serial" value in the header to the specified serial number\&. (This is expected to be used primarily for testing purposes\&.)
.RE
.PP
\-m \fImode\fR
.RS 4
Specify whether MX records should be checked to see if they are addresses\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
\-M \fImode\fR
.RS 4
Check if a MX record refers to a CNAME\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
\-n \fImode\fR
.RS 4
Specify whether NS records should be checked to see if they are addresses\&. Possible modes are
\fB"fail"\fR
(default for
\fBnamed\-compilezone\fR),
\fB"warn"\fR
(default for
\fBnamed\-checkzone\fR) and
\fB"ignore"\fR\&.
.RE
.PP
\-o \fIfilename\fR
.RS 4
Write zone output to
filename\&. If
filename
is
\-
then write to standard out\&. This is mandatory for
\fBnamed\-compilezone\fR\&.
.RE
.PP
\-r \fImode\fR
.RS 4
Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
\-s \fIstyle\fR
.RS 4
Specify the style of the dumped zone file\&. Possible styles are
\fB"full"\fR
(default) and
\fB"relative"\fR\&. The full format is most suitable for processing automatically by a separate script\&. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand\&. For
\fBnamed\-checkzone\fR
this does not cause any effects unless it dumps the zone contents\&. It also does not have any meaning if the output format is not text\&.
.RE
.PP
\-S \fImode\fR
.RS 4
Check if a SRV record refers to a CNAME\&. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
directory
so that include directives in the configuration file are processed as if run by a similarly chrooted
\fBnamed\fR\&.
.RE
.PP
\-T \fImode\fR
.RS 4
Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF\-formatted TXT record is not also present\&. Possible modes are
\fB"warn"\fR
(default),
\fB"ignore"\fR\&.
.RE
.PP
\-w \fIdirectory\fR
.RS 4
chdir to
directory
so that relative filenames in master file $INCLUDE directives work\&. This is similar to the directory clause in
named\&.conf\&.
.RE
.PP
\-D
.RS 4
Dump zone file in canonical format\&. This is always enabled for
\fBnamed\-compilezone\fR\&.
.RE
.PP
\-W \fImode\fR
.RS 4
Specify whether to check for non\-terminal wildcards\&. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034)\&. Possible modes are
\fB"warn"\fR
(default) and
\fB"ignore"\fR\&.
.RE
.PP
zonename
.RS 4
The domain name of the zone being checked\&.
.RE
.PP
filename
.RS 4
The name of the zone file\&.
.RE
.SH "RETURN VALUES"
.PP
\fBnamed\-checkzone\fR
returns an exit status of 1 if errors were detected and 0 otherwise\&.
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed-checkconf\fR(8),
RFC 1035,
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -16,8 +16,10 @@
#include <stdlib.h>
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/log.h>
#include <isc/mem.h>
@@ -62,21 +64,21 @@ static enum { progmode_check, progmode_compile } progmode;
} \
} while (0)
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
fprintf(stderr,
"usage: %s [-djqvD] [-c class] "
"[-f inputformat] [-F outputformat] [-J filename] "
"[-s (full|relative)] [-t directory] [-w directory] "
"[-k (ignore|warn|fail)] [-m (ignore|warn|fail)] "
"[-n (ignore|warn|fail)] [-r (ignore|warn|fail)] "
"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
"[-r (ignore|warn|fail)] "
"[-i (full|full-sibling|local|local-sibling|none)] "
"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
"[-W (ignore|warn)] "
"%s zonename filename\n",
"%s zonename [ (filename|-) ]\n",
prog_name,
progmode == progmode_check ? "[-o filename]" : "-o filename");
exit(1);
@@ -94,7 +96,7 @@ int
main(int argc, char **argv) {
int c;
char *origin = NULL;
char *filename = NULL;
const char *filename = NULL;
isc_log_t *lctx = NULL;
isc_result_t result;
char classname_in[] = "IN";
@@ -353,7 +355,7 @@ main(int argc, char **argv) {
break;
case 'v':
printf(VERSION "\n");
printf("%s\n", PACKAGE_VERSION);
exit(0);
case 'w':
@@ -512,7 +514,8 @@ main(int argc, char **argv) {
logdump = false;
}
if (isc_commandline_index + 2 != argc) {
if (argc - isc_commandline_index < 1 ||
argc - isc_commandline_index > 2) {
usage();
}
@@ -529,7 +532,16 @@ main(int argc, char **argv) {
dns_result_register();
origin = argv[isc_commandline_index++];
filename = argv[isc_commandline_index++];
if (isc_commandline_index == argc) {
/* "-" will be interpreted as stdin */
filename = "-";
} else {
filename = argv[isc_commandline_index];
}
isc_commandline_index++;
result = load_zone(mctx, origin, filename, inputformat, classname,
maxttl, &zone);
@@ -563,5 +575,6 @@ main(int argc, char **argv) {
#ifdef _WIN32
DestroySockets();
#endif /* ifdef _WIN32 */
return ((result == ISC_R_SUCCESS) ? 0 : 1);
}

View File

@@ -0,0 +1,529 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named-checkzone">
<info>
<date>2014-02-19</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>named-checkzone</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2012</year>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refnamediv>
<refname><application>named-checkzone</application></refname>
<refname><application>named-compilezone</application></refname>
<refpurpose>zone file validity checking or converting tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>named-checkzone</command>
<arg choice="opt" rep="norepeat"><option>-d</option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-j</option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="req" rep="norepeat">zonename</arg>
<arg choice="req" rep="norepeat">filename</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>named-compilezone</command>
<arg choice="opt" rep="norepeat"><option>-d</option></arg>
<arg choice="opt" rep="norepeat"><option>-j</option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-C <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-F <replaceable class="parameter">format</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-J <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D</option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="req" rep="norepeat"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="req" rep="norepeat">zonename</arg>
<arg choice="req" rep="norepeat">filename</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>named-checkzone</command>
checks the syntax and integrity of a zone file. It performs the
same checks as <command>named</command> does when loading a
zone. This makes <command>named-checkzone</command> useful for
checking zone files before configuring them into a name server.
</para>
<para>
<command>named-compilezone</command> is similar to
<command>named-checkzone</command>, but it always dumps the
zone contents to a specified file in a specified format.
Additionally, it applies stricter check levels by default,
since the dump output will be used as an actual zone file
loaded by <command>named</command>.
When manually specified otherwise, the check levels must at
least be as strict as those specified in the
<command>named</command> configuration file.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Enable debugging.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Print the usage summary and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode - exit code only.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Print the version of the <command>named-checkzone</command>
program and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-j</term>
<listitem>
<para>
When loading a zone file, read the journal if it exists.
The journal file name is assumed to be the zone file name
appended with the string <filename>.jnl</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-J <replaceable class="parameter">filename</replaceable></term>
<listitem>
<para>
When loading the zone file read the journal from the given
file, if it exists. (Implies -j.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specify the class of the zone. If not specified, "IN" is assumed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Perform post-load zone integrity checks. Possible modes are
<command>"full"</command> (default),
<command>"full-sibling"</command>,
<command>"local"</command>,
<command>"local-sibling"</command> and
<command>"none"</command>.
</para>
<para>
Mode <command>"full"</command> checks that MX records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <command>"local"</command> only
checks MX records which refer to in-zone hostnames.
</para>
<para>
Mode <command>"full"</command> checks that SRV records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <command>"local"</command> only
checks SRV records which refer to in-zone hostnames.
</para>
<para>
Mode <command>"full"</command> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <command>"local"</command> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
that is when the nameserver is in a child zone.
</para>
<para>
Mode <command>"full-sibling"</command> and
<command>"local-sibling"</command> disable sibling glue
checks but are otherwise the same as <command>"full"</command>
and <command>"local"</command> respectively.
</para>
<para>
Mode <command>"none"</command> disables the checks.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">format</replaceable></term>
<listitem>
<para>
Specify the format of the zone file.
Possible formats are <command>"text"</command> (default),
<command>"raw"</command>, and <command>"map"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-F <replaceable class="parameter">format</replaceable></term>
<listitem>
<para>
Specify the format of the output file specified.
For <command>named-checkzone</command>,
this does not cause any effects unless it dumps the zone
contents.
</para>
<para>
Possible formats are <command>"text"</command> (default),
which is the standard textual representation of the zone,
and <command>"map"</command>, <command>"raw"</command>,
and <command>"raw=N"</command>, which store the zone in a
binary format for rapid loading by <command>named</command>.
<command>"raw=N"</command> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <command>named</command>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Perform <command>"check-names"</command> checks with the
specified failure mode.
Possible modes are <command>"fail"</command>
(default for <command>named-compilezone</command>),
<command>"warn"</command>
(default for <command>named-checkzone</command>) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets a maximum permissible TTL for the input file.
Any record with a TTL higher than this value will cause
the zone to be rejected. This is similar to using the
<command>max-zone-ttl</command> option in
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">serial</replaceable></term>
<listitem>
<para>
When compiling a zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Specify whether MX records should be checked to see if they
are addresses. Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-M <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if a MX record refers to a CNAME.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Specify whether NS records should be checked to see if they
are addresses.
Possible modes are <command>"fail"</command>
(default for <command>named-compilezone</command>),
<command>"warn"</command>
(default for <command>named-checkzone</command>) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-o <replaceable class="parameter">filename</replaceable></term>
<listitem>
<para>
Write zone output to <filename>filename</filename>.
If <filename>filename</filename> is <filename>-</filename> then
write to standard out.
This is mandatory for <command>named-compilezone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">style</replaceable></term>
<listitem>
<para>
Specify the style of the dumped zone file.
Possible styles are <command>"full"</command> (default)
and <command>"relative"</command>.
The full format is most suitable for processing
automatically by a separate script.
On the other hand, the relative format is more
human-readable and is thus suitable for editing by hand.
For <command>named-checkzone</command>
this does not cause any effects unless it dumps the zone
contents.
It also does not have any meaning if the output format
is not text.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if a SRV record refers to a CNAME.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Chroot to <filename>directory</filename> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted <command>named</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if Sender Policy Framework (SPF) records exist
and issues a warning if an SPF-formatted TXT record is
not also present. Possible modes are <command>"warn"</command>
(default), <command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
chdir to <filename>directory</filename> so that
relative
filenames in master file $INCLUDE directives work. This
is similar to the directory clause in
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>
Dump zone file in canonical format.
This is always enabled for <command>named-compilezone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-W <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Specify whether to check for non-terminal wildcards.
Non-terminal wildcards are almost always the result of a
failure to understand the wildcard matching algorithm (RFC 1034).
Possible modes are <command>"warn"</command> (default)
and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>zonename</term>
<listitem>
<para>
The domain name of the zone being checked.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>filename</term>
<listitem>
<para>
The name of the zone file.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
<para><command>named-checkzone</command>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>RFC 1035</citetitle>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

View File

@@ -0,0 +1,429 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004-2007, 2009-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-checkzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.named-checkzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">named-checkzone</span>,
<span class="application">named-compilezone</span>
&#8212; zone file validity checking or converting tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">named-checkzone</code>
[<code class="option">-d</code>]
[<code class="option">-h</code>]
[<code class="option">-j</code>]
[<code class="option">-q</code>]
[<code class="option">-v</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-M <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
{zonename}
{filename}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">named-compilezone</code>
[<code class="option">-d</code>]
[<code class="option">-j</code>]
[<code class="option">-q</code>]
[<code class="option">-v</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-C <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-F <em class="replaceable"><code>format</code></em></code>]
[<code class="option">-J <em class="replaceable"><code>filename</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-k <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-l <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>serial</code></em></code>]
[<code class="option">-r <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>style</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-T <em class="replaceable"><code>mode</code></em></code>]
[<code class="option">-w <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-D</code>]
[<code class="option">-W <em class="replaceable"><code>mode</code></em></code>]
{<code class="option">-o <em class="replaceable"><code>filename</code></em></code>}
{zonename}
{filename}
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span class="command"><strong>named</strong></span> does when loading a
zone. This makes <span class="command"><strong>named-checkzone</strong></span> useful for
checking zone files before configuring them into a name server.
</p>
<p>
<span class="command"><strong>named-compilezone</strong></span> is similar to
<span class="command"><strong>named-checkzone</strong></span>, but it always dumps the
zone contents to a specified file in a specified format.
Additionally, it applies stricter check levels by default,
since the dump output will be used as an actual zone file
loaded by <span class="command"><strong>named</strong></span>.
When manually specified otherwise, the check levels must at
least be as strict as those specified in the
<span class="command"><strong>named</strong></span> configuration file.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-d</span></dt>
<dd>
<p>
Enable debugging.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Print the usage summary and exit.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
Quiet mode - exit code only.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Print the version of the <span class="command"><strong>named-checkzone</strong></span>
program and exit.
</p>
</dd>
<dt><span class="term">-j</span></dt>
<dd>
<p>
When loading a zone file, read the journal if it exists.
The journal file name is assumed to be the zone file name
appended with the string <code class="filename">.jnl</code>.
</p>
</dd>
<dt><span class="term">-J <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
When loading the zone file read the journal from the given
file, if it exists. (Implies -j.)
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Specify the class of the zone. If not specified, "IN" is assumed.
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Perform post-load zone integrity checks. Possible modes are
<span class="command"><strong>"full"</strong></span> (default),
<span class="command"><strong>"full-sibling"</strong></span>,
<span class="command"><strong>"local"</strong></span>,
<span class="command"><strong>"local-sibling"</strong></span> and
<span class="command"><strong>"none"</strong></span>.
</p>
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that MX records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <span class="command"><strong>"local"</strong></span> only
checks MX records which refer to in-zone hostnames.
</p>
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that SRV records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <span class="command"><strong>"local"</strong></span> only
checks SRV records which refer to in-zone hostnames.
</p>
<p>
Mode <span class="command"><strong>"full"</strong></span> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <span class="command"><strong>"local"</strong></span> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
that is when the nameserver is in a child zone.
</p>
<p>
Mode <span class="command"><strong>"full-sibling"</strong></span> and
<span class="command"><strong>"local-sibling"</strong></span> disable sibling glue
checks but are otherwise the same as <span class="command"><strong>"full"</strong></span>
and <span class="command"><strong>"local"</strong></span> respectively.
</p>
<p>
Mode <span class="command"><strong>"none"</strong></span> disables the checks.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
<dd>
<p>
Specify the format of the zone file.
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
<span class="command"><strong>"raw"</strong></span>, and <span class="command"><strong>"map"</strong></span>.
</p>
</dd>
<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
<dd>
<p>
Specify the format of the output file specified.
For <span class="command"><strong>named-checkzone</strong></span>,
this does not cause any effects unless it dumps the zone
contents.
</p>
<p>
Possible formats are <span class="command"><strong>"text"</strong></span> (default),
which is the standard textual representation of the zone,
and <span class="command"><strong>"map"</strong></span>, <span class="command"><strong>"raw"</strong></span>,
and <span class="command"><strong>"raw=N"</strong></span>, which store the zone in a
binary format for rapid loading by <span class="command"><strong>named</strong></span>.
<span class="command"><strong>"raw=N"</strong></span> specifies the format version of
the raw zone file: if N is 0, the raw file can be read by
any version of <span class="command"><strong>named</strong></span>; if N is 1, the file
can be read by release 9.9.0 or higher; the default is 1.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Perform <span class="command"><strong>"check-names"</strong></span> checks with the
specified failure mode.
Possible modes are <span class="command"><strong>"fail"</strong></span>
(default for <span class="command"><strong>named-compilezone</strong></span>),
<span class="command"><strong>"warn"</strong></span>
(default for <span class="command"><strong>named-checkzone</strong></span>) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
Sets a maximum permissible TTL for the input file.
Any record with a TTL higher than this value will cause
the zone to be rejected. This is similar to using the
<span class="command"><strong>max-zone-ttl</strong></span> option in
<code class="filename">named.conf</code>.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd>
<p>
When compiling a zone to "raw" or "map" format, set the
"source serial" value in the header to the specified serial
number. (This is expected to be used primarily for testing
purposes.)
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Specify whether MX records should be checked to see if they
are addresses. Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Check if a MX record refers to a CNAME.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Specify whether NS records should be checked to see if they
are addresses.
Possible modes are <span class="command"><strong>"fail"</strong></span>
(default for <span class="command"><strong>named-compilezone</strong></span>),
<span class="command"><strong>"warn"</strong></span>
(default for <span class="command"><strong>named-checkzone</strong></span>) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
Write zone output to <code class="filename">filename</code>.
If <code class="filename">filename</code> is <code class="filename">-</code> then
write to standard out.
This is mandatory for <span class="command"><strong>named-compilezone</strong></span>.
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
<dd>
<p>
Specify the style of the dumped zone file.
Possible styles are <span class="command"><strong>"full"</strong></span> (default)
and <span class="command"><strong>"relative"</strong></span>.
The full format is most suitable for processing
automatically by a separate script.
On the other hand, the relative format is more
human-readable and is thus suitable for editing by hand.
For <span class="command"><strong>named-checkzone</strong></span>
this does not cause any effects unless it dumps the zone
contents.
It also does not have any meaning if the output format
is not text.
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Check if a SRV record refers to a CNAME.
Possible modes are <span class="command"><strong>"fail"</strong></span>,
<span class="command"><strong>"warn"</strong></span> (default) and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Chroot to <code class="filename">directory</code> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted <span class="command"><strong>named</strong></span>.
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Check if Sender Policy Framework (SPF) records exist
and issues a warning if an SPF-formatted TXT record is
not also present. Possible modes are <span class="command"><strong>"warn"</strong></span>
(default), <span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
chdir to <code class="filename">directory</code> so that
relative
filenames in master file $INCLUDE directives work. This
is similar to the directory clause in
<code class="filename">named.conf</code>.
</p>
</dd>
<dt><span class="term">-D</span></dt>
<dd>
<p>
Dump zone file in canonical format.
This is always enabled for <span class="command"><strong>named-compilezone</strong></span>.
</p>
</dd>
<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Specify whether to check for non-terminal wildcards.
Non-terminal wildcards are almost always the result of a
failure to understand the wildcard matching algorithm (RFC 1034).
Possible modes are <span class="command"><strong>"warn"</strong></span> (default)
and
<span class="command"><strong>"ignore"</strong></span>.
</p>
</dd>
<dt><span class="term">zonename</span></dt>
<dd>
<p>
The domain name of the zone being checked.
</p>
</dd>
<dt><span class="term">filename</span></dt>
<dd>
<p>
The name of the zone file.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>RETURN VALUES</h2>
<p><span class="command"><strong>named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named-checkconf</span>(8)
</span>,
<em class="citetitle">RFC 1035</em>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,215 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_named-checkzone:
named-checkzone, named-compilezone - zone file validity checking or converting tool
-----------------------------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} {filename}
:program:`named-compilezone` [**-d**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-r** mode] [**-s** style] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {**-o** filename} {zonename} {filename}
Description
~~~~~~~~~~~
``named-checkzone`` checks the syntax and integrity of a zone file. It
performs the same checks as ``named`` does when loading a zone. This
makes ``named-checkzone`` useful for checking zone files before
configuring them into a name server.
``named-compilezone`` is similar to ``named-checkzone``, but it always
dumps the zone contents to a specified file in a specified format.
It also applies stricter check levels by default, since the
dump output is used as an actual zone file loaded by ``named``.
When manually specified otherwise, the check levels must at least be as
strict as those specified in the ``named`` configuration file.
Options
~~~~~~~
``-d``
This option enables debugging.
``-h``
This option prints the usage summary and exits.
``-q``
This option sets quiet mode, which only sets an exit code to indicate
successful or failed completion.
``-v``
This option prints the version of the ``named-checkzone`` program and exits.
``-j``
When loading a zone file, this option tells ``named`` to read the journal if it exists. The journal
file name is assumed to be the zone file name with the
string ``.jnl`` appended.
``-J filename``
When loading the zone file, this option tells ``named`` to read the journal from the given file, if
it exists. This implies ``-j``.
``-c class``
This option specifies the class of the zone. If not specified, ``IN`` is assumed.
``-i mode``
This option performs post-load zone integrity checks. Possible modes are
``full`` (the default), ``full-sibling``, ``local``,
``local-sibling``, and ``none``.
Mode ``full`` checks that MX records refer to A or AAAA records
(both in-zone and out-of-zone hostnames). Mode ``local`` only
checks MX records which refer to in-zone hostnames.
Mode ``full`` checks that SRV records refer to A or AAAA records
(both in-zone and out-of-zone hostnames). Mode ``local`` only
checks SRV records which refer to in-zone hostnames.
Mode ``full`` checks that delegation NS records refer to A or AAAA
records (both in-zone and out-of-zone hostnames). It also checks that
glue address records in the zone match those advertised by the child.
Mode ``local`` only checks NS records which refer to in-zone
hostnames or verifies that some required glue exists, i.e., when the
name server is in a child zone.
Modes ``full-sibling`` and ``local-sibling`` disable sibling glue
checks, but are otherwise the same as ``full`` and ``local``,
respectively.
Mode ``none`` disables the checks.
``-f format``
This option specifies the format of the zone file. Possible formats are ``text``
(the default), ``raw``, and ``map``.
``-F format``
This option specifies the format of the output file specified. For
``named-checkzone``, this does not have any effect unless it dumps
the zone contents.
Possible formats are ``text`` (the default), which is the standard
textual representation of the zone, and ``map``, ``raw``, and
``raw=N``, which store the zone in a binary format for rapid
loading by ``named``. ``raw=N`` specifies the format version of the
raw zone file: if ``N`` is 0, the raw file can be read by any version of
``named``; if N is 1, the file can only be read by release 9.9.0 or
higher. The default is 1.
``-k mode``
This option performs ``check-names`` checks with the specified failure mode.
Possible modes are ``fail`` (the default for ``named-compilezone``),
``warn`` (the default for ``named-checkzone``), and ``ignore``.
``-l ttl``
This option sets a maximum permissible TTL for the input file. Any record with a
TTL higher than this value causes the zone to be rejected. This
is similar to using the ``max-zone-ttl`` option in ``named.conf``.
``-L serial``
When compiling a zone to ``raw`` or ``map`` format, this option sets the "source
serial" value in the header to the specified serial number. This is
expected to be used primarily for testing purposes.
``-m mode``
This option specifies whether MX records should be checked to see if they are
addresses. Possible modes are ``fail``, ``warn`` (the default), and
``ignore``.
``-M mode``
This option checks whether a MX record refers to a CNAME. Possible modes are
``fail``, ``warn`` (the default), and ``ignore``.
``-n mode``
This option specifies whether NS records should be checked to see if they are
addresses. Possible modes are ``fail`` (the default for
``named-compilezone``), ``warn`` (the default for ``named-checkzone``),
and ``ignore``.
``-o filename``
This option writes the zone output to ``filename``. If ``filename`` is ``-``, then
the zone output is written to standard output. This is mandatory for ``named-compilezone``.
``-r mode``
This option checks for records that are treated as different by DNSSEC but are
semantically equal in plain DNS. Possible modes are ``fail``,
``warn`` (the default), and ``ignore``.
``-s style``
This option specifies the style of the dumped zone file. Possible styles are
``full`` (the default) and ``relative``. The ``full`` format is most
suitable for processing automatically by a separate script.
The relative format is more human-readable and is thus
suitable for editing by hand. For ``named-checkzone``, this does not
have any effect unless it dumps the zone contents. It also does not
have any meaning if the output format is not text.
``-S mode``
This option checks whether an SRV record refers to a CNAME. Possible modes are
``fail``, ``warn`` (the default), and ``ignore``.
``-t directory``
This option tells ``named`` to chroot to ``directory``, so that ``include`` directives in the
configuration file are processed as if run by a similarly chrooted
``named``.
``-T mode``
This option checks whether Sender Policy Framework (SPF) records exist and issues a
warning if an SPF-formatted TXT record is not also present. Possible
modes are ``warn`` (the default) and ``ignore``.
``-w directory``
This option instructs ``named`` to chdir to ``directory``, so that relative filenames in master file
``$INCLUDE`` directives work. This is similar to the directory clause in
``named.conf``.
``-D``
This option dumps the zone file in canonical format. This is always enabled for
``named-compilezone``.
``-W mode``
This option specifies whether to check for non-terminal wildcards. Non-terminal
wildcards are almost always the result of a failure to understand the
wildcard matching algorithm (:rfc:`1034`). Possible modes are ``warn``
(the default) and ``ignore``.
``zonename``
This indicates the domain name of the zone being checked.
``filename``
This is the name of the zone file.
Return Values
~~~~~~~~~~~~~
``named-checkzone`` returns an exit status of 1 if errors were detected
and 0 otherwise.
See Also
~~~~~~~~
:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :rfc:`1035`, BIND 9 Administrator Reference
Manual.

View File

@@ -77,7 +77,7 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -108,7 +108,7 @@
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);..\..\..\lib\bind9\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;libbind9.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
</ItemDefinitionGroup>

View File

@@ -77,7 +77,7 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PostBuildEvent>
<Command>cd ..\..\..\Build\$(Configuration)
@@ -114,7 +114,7 @@ copy /Y named-checkzone.ilk named-compilezone.ilk
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\ns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@checktool.lib;libisc.lib;libdns.lib;libisccfg.lib;libns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
</Link>
<PostBuildEvent>

30
bin/confgen/Makefile.am Normal file
View File

@@ -0,0 +1,30 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\"
LDADD = \
libconfgen.la \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS)
noinst_LTLIBRARIES = libconfgen.la
libconfgen_la_SOURCES = \
include/confgen/os.h \
keygen.h \
keygen.c \
util.h \
util.c \
unix/os.c
sbin_PROGRAMS = rndc-confgen ddns-confgen
install-exec-hook:
ln -f $(DESTDIR)$(sbindir)/ddns-confgen \
$(DESTDIR)$(sbindir)/tsig-confgen
uninstall-hook:
-rm -f $(DESTDIR)$(sbindir)/tsig-confgen

View File

@@ -1,95 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
CDEFINES =
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
SRCS= rndc-confgen.c ddns-confgen.c
SUBDIRS = unix
TARGETS = rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
UOBJS = unix/os.@O@
@BIND9_MAKE_RULES@
rndc-confgen.@O@: rndc-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
-c ${srcdir}/rndc-confgen.c
ddns-confgen.@O@: ddns-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS}
export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS}
export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
# make a link in the build directory to assist with testing
tsig-keygen@EXEEXT@: ddns-confgen@EXEEXT@
rm -f tsig-keygen@EXEEXT@
${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f tsig-keygen@EXEEXT@; ${LINK_PROGRAM} ddns-confgen@EXEEXT@ tsig-keygen@EXEEXT@)
uninstall::
rm -f ${DESTDIR}${sbindir}/tsig-keygen@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/ddns-confgen@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/rndc-confgen@EXEEXT@
clean distclean maintainer-clean::
rm -f ${TARGETS}

148
bin/confgen/ddns-confgen.8 Normal file
View File

@@ -0,0 +1,148 @@
.\" Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: ddns-confgen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-03-06
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DDNS\-CONFGEN" "8" "2014\-03\-06" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
ddns-confgen \- ddns key generation tool
.SH "SYNOPSIS"
.HP \w'\fBtsig\-keygen\fR\ 'u
\fBtsig\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [name]
.HP \w'\fBddns\-confgen\fR\ 'u
\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-q\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR]
.SH "DESCRIPTION"
.PP
\fBtsig\-keygen\fR
and
\fBddns\-confgen\fR
are invocation methods for a utility that generates keys for use in TSIG signing\&. The resulting keys can be used, for example, to secure dynamic DNS updates to a zone or for the
\fBrndc\fR
command channel\&.
.PP
When run as
\fBtsig\-keygen\fR, a domain name can be specified on the command line which will be used as the name of the generated key\&. If no name is specified, the default is
\fBtsig\-key\fR\&.
.PP
When run as
\fBddns\-confgen\fR, the generated key is accompanied by configuration text and instructions that can be used with
\fBnsupdate\fR
and
\fBnamed\fR
when setting up dynamic DNS, including an example
\fBupdate\-policy\fR
statement\&. (This usage similar to the
\fBrndc\-confgen\fR
command for setting up command channel security\&.)
.PP
Note that
\fBnamed\fR
itself can configure a local DDNS key for use with
\fBnsupdate \-l\fR: it does this when a zone is configured with
\fBupdate\-policy local;\fR\&.
\fBddns\-confgen\fR
is only needed when a more elaborate configuration is required: for instance, if
\fBnsupdate\fR
is to be used from a remote system\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&. Options are case\-insensitive, and the "hmac\-" prefix may be omitted\&.
.RE
.PP
\-h
.RS 4
Prints a short summary of options and arguments\&.
.RE
.PP
\-k \fIkeyname\fR
.RS 4
Specifies the key name of the DDNS authentication key\&. The default is
\fBddns\-key\fR
when neither the
\fB\-s\fR
nor
\fB\-z\fR
option is specified; otherwise, the default is
\fBddns\-key\fR
as a separate label followed by the argument of the option, e\&.g\&.,
\fBddns\-key\&.example\&.com\&.\fR
The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods\&.
.RE
.PP
\-q
.RS 4
(\fBddns\-confgen\fR
only\&.) Quiet mode: Print only the key, with no explanatory text or usage examples; This is essentially identical to
\fBtsig\-keygen\fR\&.
.RE
.PP
\-s \fIname\fR
.RS 4
(\fBddns\-confgen\fR
only\&.) Generate configuration example to allow dynamic updates of a single hostname\&. The example
\fBnamed\&.conf\fR
text shows how to set an update policy for the specified
\fIname\fR
using the "name" nametype\&. The default key name is ddns\-key\&.\fIname\fR\&. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name\&. This option cannot be used with the
\fB\-z\fR
option\&.
.RE
.PP
\-z \fIzone\fR
.RS 4
(\fBddns\-confgen\fR
only\&.) Generate configuration example to allow dynamic updates of a zone: The example
\fBnamed\&.conf\fR
text shows how to set an update policy for the specified
\fIzone\fR
using the "zonesub" nametype, allowing updates to all subdomain names within that
\fIzone\fR\&. This option cannot be used with the
\fB\-s\fR
option\&.
.RE
.SH "SEE ALSO"
.PP
\fBnsupdate\fR(1),
\fBnamed.conf\fR(5),
\fBnamed\fR(8),
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -22,6 +22,7 @@
#include <stdlib.h>
#include <isc/assertions.h>
#include <isc/attributes.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
@@ -57,8 +58,8 @@ const char *progname;
static enum { progmode_keygen, progmode_confgen } progmode;
bool verbose = false; /* needed by util.c but not used here */
ISC_PLATFORM_NORETURN_PRE static void
usage(int status) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(int status);
static void
usage(int status) {

View File

@@ -0,0 +1,213 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.ddns-confgen">
<info>
<date>2014-03-06</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>ddns-confgen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>ddns-confgen</application></refname>
<refpurpose>ddns key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>tsig-keygen</command>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat">name</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>ddns-confgen</command>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q</option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<group choice="opt" rep="norepeat">
<arg choice="plain" rep="norepeat">-s <replaceable class="parameter">name</replaceable></arg>
<arg choice="plain" rep="norepeat">-z <replaceable class="parameter">zone</replaceable></arg>
</group>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para>
<command>tsig-keygen</command> and <command>ddns-confgen</command>
are invocation methods for a utility that generates keys for use
in TSIG signing. The resulting keys can be used, for example,
to secure dynamic DNS updates to a zone or for the
<command>rndc</command> command channel.
</para>
<para>
When run as <command>tsig-keygen</command>, a domain name
can be specified on the command line which will be used as
the name of the generated key. If no name is specified,
the default is <constant>tsig-key</constant>.
</para>
<para>
When run as <command>ddns-confgen</command>, the generated
key is accompanied by configuration text and instructions
that can be used with <command>nsupdate</command> and
<command>named</command> when setting up dynamic DNS,
including an example <command>update-policy</command>
statement. (This usage similar to the
<command>rndc-confgen</command> command for setting
up command channel security.)
</para>
<para>
Note that <command>named</command> itself can configure a
local DDNS key for use with <command>nsupdate -l</command>:
it does this when a zone is configured with
<command>update-policy local;</command>.
<command>ddns-confgen</command> is only needed when a
more elaborate configuration is required: for instance,
if <command>nsupdate</command> is to be used from a remote
system.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
Options are case-insensitive, and the "hmac-" prefix
may be omitted.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of options and arguments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">keyname</replaceable></term>
<listitem>
<para>
Specifies the key name of the DDNS authentication key.
The default is <constant>ddns-key</constant> when neither
the <option>-s</option> nor <option>-z</option> option is
specified; otherwise, the default
is <constant>ddns-key</constant> as a separate label
followed by the argument of the option, e.g.,
<constant>ddns-key.example.com.</constant>
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
(<command>ddns-confgen</command> only.) Quiet mode: Print
only the key, with no explanatory text or usage examples;
This is essentially identical to <command>tsig-keygen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
(<command>ddns-confgen</command> only.)
Generate configuration example to allow dynamic updates
of a single hostname. The example <command>named.conf</command>
text shows how to set an update policy for the specified
<replaceable class="parameter">name</replaceable>
using the "name" nametype. The default key name is
ddns-key.<replaceable class="parameter">name</replaceable>.
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
This option cannot be used with the <option>-z</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z <replaceable class="parameter">zone</replaceable></term>
<listitem>
<para>
(<command>ddns-confgen</command> only.)
Generate configuration example to allow dynamic updates
of a zone: The example <command>named.conf</command> text
shows how to set an update policy for the specified
<replaceable class="parameter">zone</replaceable>
using the "zonesub" nametype, allowing updates to
all subdomain names within that
<replaceable class="parameter">zone</replaceable>.
This option cannot be used with the <option>-s</option> option.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

View File

@@ -0,0 +1,187 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2009, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>ddns-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.ddns-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">ddns-confgen</span>
&#8212; ddns key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">tsig-keygen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-h</code>]
[name]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">ddns-confgen</code>
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
[<code class="option">-q</code>]
[<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>]
[
-s <em class="replaceable"><code>name</code></em>
| -z <em class="replaceable"><code>zone</code></em>
]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p>
<span class="command"><strong>tsig-keygen</strong></span> and <span class="command"><strong>ddns-confgen</strong></span>
are invocation methods for a utility that generates keys for use
in TSIG signing. The resulting keys can be used, for example,
to secure dynamic DNS updates to a zone or for the
<span class="command"><strong>rndc</strong></span> command channel.
</p>
<p>
When run as <span class="command"><strong>tsig-keygen</strong></span>, a domain name
can be specified on the command line which will be used as
the name of the generated key. If no name is specified,
the default is <code class="constant">tsig-key</code>.
</p>
<p>
When run as <span class="command"><strong>ddns-confgen</strong></span>, the generated
key is accompanied by configuration text and instructions
that can be used with <span class="command"><strong>nsupdate</strong></span> and
<span class="command"><strong>named</strong></span> when setting up dynamic DNS,
including an example <span class="command"><strong>update-policy</strong></span>
statement. (This usage similar to the
<span class="command"><strong>rndc-confgen</strong></span> command for setting
up command channel security.)
</p>
<p>
Note that <span class="command"><strong>named</strong></span> itself can configure a
local DDNS key for use with <span class="command"><strong>nsupdate -l</strong></span>:
it does this when a zone is configured with
<span class="command"><strong>update-policy local;</strong></span>.
<span class="command"><strong>ddns-confgen</strong></span> is only needed when a
more elaborate configuration is required: for instance,
if <span class="command"><strong>nsupdate</strong></span> is to be used from a remote
system.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
Options are case-insensitive, and the "hmac-" prefix
may be omitted.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints a short summary of options and arguments.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd>
<p>
Specifies the key name of the DDNS authentication key.
The default is <code class="constant">ddns-key</code> when neither
the <code class="option">-s</code> nor <code class="option">-z</code> option is
specified; otherwise, the default
is <code class="constant">ddns-key</code> as a separate label
followed by the argument of the option, e.g.,
<code class="constant">ddns-key.example.com.</code>
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</p>
</dd>
<dt><span class="term">-q</span></dt>
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.) Quiet mode: Print
only the key, with no explanatory text or usage examples;
This is essentially identical to <span class="command"><strong>tsig-keygen</strong></span>.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.)
Generate configuration example to allow dynamic updates
of a single hostname. The example <span class="command"><strong>named.conf</strong></span>
text shows how to set an update policy for the specified
<em class="replaceable"><code>name</code></em>
using the "name" nametype. The default key name is
ddns-key.<em class="replaceable"><code>name</code></em>.
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
This option cannot be used with the <code class="option">-z</code> option.
</p>
</dd>
<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
<dd>
<p>
(<span class="command"><strong>ddns-confgen</strong></span> only.)
Generate configuration example to allow dynamic updates
of a zone: The example <span class="command"><strong>named.conf</strong></span> text
shows how to set an update policy for the specified
<em class="replaceable"><code>zone</code></em>
using the "zonesub" nametype, allowing updates to
all subdomain names within that
<em class="replaceable"><code>zone</code></em>.
This option cannot be used with the <code class="option">-s</code> option.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">nsupdate</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named.conf</span>(5)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,103 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_ddns-confgen:
ddns-confgen - ddns key generation tool
---------------------------------------
Synopsis
~~~~~~~~
:program:`tsig-keygen` [**-a** algorithm] [**-h**] [**-r** randomfile] [name]
:program:`ddns-confgen` [**-a** algorithm] [**-h**] [**-k** keyname] [**-q**] [**-r** randomfile] [**-s** name] [**-z** zone]
Description
~~~~~~~~~~~
``tsig-keygen`` and ``ddns-confgen`` are invocation methods for a
utility that generates keys for use in TSIG signing. The resulting keys
can be used, for example, to secure dynamic DNS updates to a zone or for
the ``rndc`` command channel.
When run as ``tsig-keygen``, a domain name can be specified on the
command line to be used as the name of the generated key. If no
name is specified, the default is ``tsig-key``.
When run as ``ddns-confgen``, the generated key is accompanied by
configuration text and instructions that can be used with ``nsupdate``
and ``named`` when setting up dynamic DNS, including an example
``update-policy`` statement. (This usage is similar to the ``rndc-confgen``
command for setting up command-channel security.)
Note that ``named`` itself can configure a local DDNS key for use with
``nsupdate -l``; it does this when a zone is configured with
``update-policy local;``. ``ddns-confgen`` is only needed when a more
elaborate configuration is required: for instance, if ``nsupdate`` is to
be used from a remote system.
Options
~~~~~~~
``-a algorithm``
This option specifies the algorithm to use for the TSIG key. Available choices
are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and
hmac-sha512. The default is hmac-sha256. Options are
case-insensitive, and the "hmac-" prefix may be omitted.
``-h``
This option prints a short summary of options and arguments.
``-k keyname``
This option specifies the key name of the DDNS authentication key. The default is
``ddns-key`` when neither the ``-s`` nor ``-z`` option is specified;
otherwise, the default is ``ddns-key`` as a separate label followed
by the argument of the option, e.g., ``ddns-key.example.com.`` The
key name must have the format of a valid domain name, consisting of
letters, digits, hyphens, and periods.
``-q`` (``ddns-confgen`` only)
This option enables quiet mode, which prints only the key, with no
explanatory text or usage examples. This is essentially identical to
``tsig-keygen``.
``-s name`` (``ddns-confgen`` only)
This option generates a configuration example to allow
dynamic updates of a single hostname. The example ``named.conf`` text
shows how to set an update policy for the specified name using the
"name" nametype. The default key name is ``ddns-key.name``. Note that the
"self" nametype cannot be used, since the name to be updated may
differ from the key name. This option cannot be used with the ``-z``
option.
``-z zone`` (``ddns-confgen`` only)
This option generates a configuration example to allow
dynamic updates of a zone. The example ``named.conf`` text shows how
to set an update policy for the specified zone using the "zonesub"
nametype, allowing updates to all subdomain names within that zone.
This option cannot be used with the ``-s`` option.
See Also
~~~~~~~~
:manpage:`nsupdate(1)`, :manpage:`named.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

210
bin/confgen/rndc-confgen.8 Normal file
View File

@@ -0,0 +1,210 @@
.\" Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: rndc-confgen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2013-03-14
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "RNDC\-CONFGEN" "8" "2013\-03\-14" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
rndc-confgen \- rndc key generation tool
.SH "SYNOPSIS"
.HP \w'\fBrndc\-confgen\fR\ 'u
\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-A\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
.SH "DESCRIPTION"
.PP
\fBrndc\-confgen\fR
generates configuration files for
\fBrndc\fR\&. It can be used as a convenient alternative to writing the
rndc\&.conf
file and the corresponding
\fBcontrols\fR
and
\fBkey\fR
statements in
named\&.conf
by hand\&. Alternatively, it can be run with the
\fB\-a\fR
option to set up a
rndc\&.key
file and avoid the need for a
rndc\&.conf
file and a
\fBcontrols\fR
statement altogether\&.
.SH "OPTIONS"
.PP
\-a
.RS 4
Do automatic
\fBrndc\fR
configuration\&. This creates a file
rndc\&.key
in
/etc
(or whatever
\fIsysconfdir\fR
was specified as when
BIND
was built) that is read by both
\fBrndc\fR
and
\fBnamed\fR
on startup\&. The
rndc\&.key
file defines a default command channel and authentication key allowing
\fBrndc\fR
to communicate with
\fBnamed\fR
on the local host with no further configuration\&.
.sp
Running
\fBrndc\-confgen \-a\fR
allows BIND 9 and
\fBrndc\fR
to be used as drop\-in replacements for BIND 8 and
\fBndc\fR, with no changes to the existing BIND 8
named\&.conf
file\&.
.sp
If a more elaborate configuration than that generated by
\fBrndc\-confgen \-a\fR
is required, for example if rndc is to be used remotely, you should run
\fBrndc\-confgen\fR
without the
\fB\-a\fR
option and set up a
rndc\&.conf
and
named\&.conf
as directed\&.
.RE
.PP
\-A \fIalgorithm\fR
.RS 4
Specifies the algorithm to use for the TSIG key\&. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512\&. The default is hmac\-sha256\&.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the size of the authentication key in bits\&. Must be between 1 and 512 bits; the default is the hash size\&.
.RE
.PP
\-c \fIkeyfile\fR
.RS 4
Used with the
\fB\-a\fR
option to specify an alternate location for
rndc\&.key\&.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBrndc\-confgen\fR\&.
.RE
.PP
\-k \fIkeyname\fR
.RS 4
Specifies the key name of the rndc authentication key\&. This must be a valid domain name\&. The default is
\fBrndc\-key\fR\&.
.RE
.PP
\-p \fIport\fR
.RS 4
Specifies the command channel port where
\fBnamed\fR
listens for connections from
\fBrndc\fR\&. The default is 953\&.
.RE
.PP
\-s \fIaddress\fR
.RS 4
Specifies the IP address where
\fBnamed\fR
listens for command channel connections from
\fBrndc\fR\&. The default is the loopback address 127\&.0\&.0\&.1\&.
.RE
.PP
\-t \fIchrootdir\fR
.RS 4
Used with the
\fB\-a\fR
option to specify a directory where
\fBnamed\fR
will run chrooted\&. An additional copy of the
rndc\&.key
will be written relative to this directory so that it will be found by the chrooted
\fBnamed\fR\&.
.RE
.PP
\-u \fIuser\fR
.RS 4
Used with the
\fB\-a\fR
option to set the owner of the
rndc\&.key
file generated\&. If
\fB\-t\fR
is also specified only the file in the chroot area has its owner changed\&.
.RE
.SH "EXAMPLES"
.PP
To allow
\fBrndc\fR
to be used with no manual configuration, run
.PP
\fBrndc\-confgen \-a\fR
.PP
To print a sample
rndc\&.conf
file and corresponding
\fBcontrols\fR
and
\fBkey\fR
statements to be manually inserted into
named\&.conf, run
.PP
\fBrndc\-confgen\fR
.SH "SEE ALSO"
.PP
\fBrndc\fR(8),
\fBrndc.conf\fR(5),
\fBnamed\fR(8),
BIND 9 Administrator Reference Manual\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -25,6 +25,7 @@
#include <stdlib.h>
#include <isc/assertions.h>
#include <isc/attributes.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
@@ -60,8 +61,8 @@ bool verbose = false;
const char *keyfile, *keydef;
ISC_PLATFORM_NORETURN_PRE static void
usage(int status) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(int status);
static void
usage(int status) {

View File

@@ -0,0 +1,271 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc-confgen">
<info>
<date>2013-03-14</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle><application>rndc-confgen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>rndc-confgen</application></refname>
<refpurpose>rndc key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2001</year>
<year>2003</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2009</year>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>rndc-confgen</command>
<arg choice="opt" rep="norepeat"><option>-a</option></arg>
<arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-u <replaceable class="parameter">user</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>rndc-confgen</command>
generates configuration files
for <command>rndc</command>. It can be used as a
convenient alternative to writing the
<filename>rndc.conf</filename> file
and the corresponding <command>controls</command>
and <command>key</command>
statements in <filename>named.conf</filename> by hand.
Alternatively, it can be run with the <command>-a</command>
option to set up a <filename>rndc.key</filename> file and
avoid the need for a <filename>rndc.conf</filename> file
and a <command>controls</command> statement altogether.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a</term>
<listitem>
<para>
Do automatic <command>rndc</command> configuration.
This creates a file <filename>rndc.key</filename>
in <filename>/etc</filename> (or whatever
<varname>sysconfdir</varname>
was specified as when <acronym>BIND</acronym> was
built)
that is read by both <command>rndc</command>
and <command>named</command> on startup. The
<filename>rndc.key</filename> file defines a default
command channel and authentication key allowing
<command>rndc</command> to communicate with
<command>named</command> on the local host
with no further configuration.
</para>
<para>
Running <command>rndc-confgen -a</command> allows
BIND 9 and <command>rndc</command> to be used as
drop-in
replacements for BIND 8 and <command>ndc</command>,
with no changes to the existing BIND 8
<filename>named.conf</filename> file.
</para>
<para>
If a more elaborate configuration than that
generated by <command>rndc-confgen -a</command>
is required, for example if rndc is to be used remotely,
you should run <command>rndc-confgen</command> without
the
<command>-a</command> option and set up a
<filename>rndc.conf</filename> and
<filename>named.conf</filename>
as directed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the size of the authentication key in bits.
Must be between 1 and 512 bits; the default is the
hash size.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">keyfile</replaceable></term>
<listitem>
<para>
Used with the <command>-a</command> option to specify
an alternate location for <filename>rndc.key</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>rndc-confgen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">keyname</replaceable></term>
<listitem>
<para>
Specifies the key name of the rndc authentication key.
This must be a valid domain name.
The default is <constant>rndc-key</constant>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port</replaceable></term>
<listitem>
<para>
Specifies the command channel port where <command>named</command>
listens for connections from <command>rndc</command>.
The default is 953.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">address</replaceable></term>
<listitem>
<para>
Specifies the IP address where <command>named</command>
listens for command channel connections from
<command>rndc</command>. The default is the loopback
address 127.0.0.1.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">chrootdir</replaceable></term>
<listitem>
<para>
Used with the <command>-a</command> option to specify
a directory where <command>named</command> will run
chrooted. An additional copy of the <filename>rndc.key</filename>
will be written relative to this directory so that
it will be found by the chrooted <command>named</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u <replaceable class="parameter">user</replaceable></term>
<listitem>
<para>
Used with the <command>-a</command> option to set the
owner
of the <filename>rndc.key</filename> file generated.
If
<command>-t</command> is also specified only the file
in
the chroot area has its owner changed.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>EXAMPLES</title></info>
<para>
To allow <command>rndc</command> to be used with
no manual configuration, run
</para>
<para><userinput>rndc-confgen -a</userinput>
</para>
<para>
To print a sample <filename>rndc.conf</filename> file and
corresponding <command>controls</command> and <command>key</command>
statements to be manually inserted into <filename>named.conf</filename>,
run
</para>
<para><userinput>rndc-confgen</userinput>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsection>
</refentry>

View File

@@ -0,0 +1,226 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2001, 2003-2005, 2007, 2009, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.rndc-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">rndc-confgen</span>
&#8212; rndc key generation tool
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">rndc-confgen</code>
[<code class="option">-a</code>]
[<code class="option">-A <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
[<code class="option">-s <em class="replaceable"><code>address</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>]
[<code class="option">-u <em class="replaceable"><code>user</code></em></code>]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>rndc-confgen</strong></span>
generates configuration files
for <span class="command"><strong>rndc</strong></span>. It can be used as a
convenient alternative to writing the
<code class="filename">rndc.conf</code> file
and the corresponding <span class="command"><strong>controls</strong></span>
and <span class="command"><strong>key</strong></span>
statements in <code class="filename">named.conf</code> by hand.
Alternatively, it can be run with the <span class="command"><strong>-a</strong></span>
option to set up a <code class="filename">rndc.key</code> file and
avoid the need for a <code class="filename">rndc.conf</code> file
and a <span class="command"><strong>controls</strong></span> statement altogether.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a</span></dt>
<dd>
<p>
Do automatic <span class="command"><strong>rndc</strong></span> configuration.
This creates a file <code class="filename">rndc.key</code>
in <code class="filename">/etc</code> (or whatever
<code class="varname">sysconfdir</code>
was specified as when <acronym class="acronym">BIND</acronym> was
built)
that is read by both <span class="command"><strong>rndc</strong></span>
and <span class="command"><strong>named</strong></span> on startup. The
<code class="filename">rndc.key</code> file defines a default
command channel and authentication key allowing
<span class="command"><strong>rndc</strong></span> to communicate with
<span class="command"><strong>named</strong></span> on the local host
with no further configuration.
</p>
<p>
Running <span class="command"><strong>rndc-confgen -a</strong></span> allows
BIND 9 and <span class="command"><strong>rndc</strong></span> to be used as
drop-in
replacements for BIND 8 and <span class="command"><strong>ndc</strong></span>,
with no changes to the existing BIND 8
<code class="filename">named.conf</code> file.
</p>
<p>
If a more elaborate configuration than that
generated by <span class="command"><strong>rndc-confgen -a</strong></span>
is required, for example if rndc is to be used remotely,
you should run <span class="command"><strong>rndc-confgen</strong></span> without
the
<span class="command"><strong>-a</strong></span> option and set up a
<code class="filename">rndc.conf</code> and
<code class="filename">named.conf</code>
as directed.
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
Specifies the size of the authentication key in bits.
Must be between 1 and 512 bits; the default is the
hash size.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to specify
an alternate location for <code class="filename">rndc.key</code>.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints a short summary of the options and arguments to
<span class="command"><strong>rndc-confgen</strong></span>.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd>
<p>
Specifies the key name of the rndc authentication key.
This must be a valid domain name.
The default is <code class="constant">rndc-key</code>.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd>
<p>
Specifies the command channel port where <span class="command"><strong>named</strong></span>
listens for connections from <span class="command"><strong>rndc</strong></span>.
The default is 953.
</p>
</dd>
<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
<dd>
<p>
Specifies the IP address where <span class="command"><strong>named</strong></span>
listens for command channel connections from
<span class="command"><strong>rndc</strong></span>. The default is the loopback
address 127.0.0.1.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to specify
a directory where <span class="command"><strong>named</strong></span> will run
chrooted. An additional copy of the <code class="filename">rndc.key</code>
will be written relative to this directory so that
it will be found by the chrooted <span class="command"><strong>named</strong></span>.
</p>
</dd>
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
<dd>
<p>
Used with the <span class="command"><strong>-a</strong></span> option to set the
owner
of the <code class="filename">rndc.key</code> file generated.
If
<span class="command"><strong>-t</strong></span> is also specified only the file
in
the chroot area has its owner changed.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLES</h2>
<p>
To allow <span class="command"><strong>rndc</strong></span> to be used with
no manual configuration, run
</p>
<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
</p>
<p>
To print a sample <code class="filename">rndc.conf</code> file and
corresponding <span class="command"><strong>controls</strong></span> and <span class="command"><strong>key</strong></span>
statements to be manually inserted into <code class="filename">named.conf</code>,
run
</p>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">rndc</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">rndc.conf</span>(5)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,116 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_rndc-confgen:
rndc-confgen - rndc key generation tool
---------------------------------------
Synopsis
~~~~~~~~
:program:`rndc-confgen` [**-a**] [**-A** algorithm] [**-b** keysize] [**-c** keyfile] [**-h**] [**-k** keyname] [**-p** port] [**-s** address] [**-t** chrootdir] [**-u** user]
Description
~~~~~~~~~~~
``rndc-confgen`` generates configuration files for ``rndc``. It can be
used as a convenient alternative to writing the ``rndc.conf`` file and
the corresponding ``controls`` and ``key`` statements in ``named.conf``
by hand. Alternatively, it can be run with the ``-a`` option to set up a
``rndc.key`` file and avoid the need for a ``rndc.conf`` file and a
``controls`` statement altogether.
Options
~~~~~~~
``-a``
This option sets automatic ``rndc`` configuration, which creates a file ``rndc.key``
in ``/etc`` (or a different ``sysconfdir`` specified when BIND
was built) that is read by both ``rndc`` and ``named`` on startup.
The ``rndc.key`` file defines a default command channel and
authentication key allowing ``rndc`` to communicate with ``named`` on
the local host with no further configuration.
If a more elaborate configuration than that generated by
``rndc-confgen -a`` is required, for example if rndc is to be used
remotely, run ``rndc-confgen`` without the ``-a`` option
and set up ``rndc.conf`` and ``named.conf`` as directed.
``-A algorithm``
This option specifies the algorithm to use for the TSIG key. Available choices
are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, hmac-sha384, and
hmac-sha512. The default is hmac-sha256.
``-b keysize``
This option specifies the size of the authentication key in bits. The size must be between
1 and 512 bits; the default is the hash size.
``-c keyfile``
This option is used with the ``-a`` option to specify an alternate location for
``rndc.key``.
``-h``
This option prints a short summary of the options and arguments to
``rndc-confgen``.
``-k keyname``
This option specifies the key name of the ``rndc`` authentication key. This must be a
valid domain name. The default is ``rndc-key``.
``-p port``
This option specifies the command channel port where ``named`` listens for
connections from ``rndc``. The default is 953.
``-s address``
This option specifies the IP address where ``named`` listens for command-channel
connections from ``rndc``. The default is the loopback address
127.0.0.1.
``-t chrootdir``
This option is used with the ``-a`` option to specify a directory where ``named``
runs chrooted. An additional copy of the ``rndc.key`` is
written relative to this directory, so that it is found by the
chrooted ``named``.
``-u user``
This option is used with the ``-a`` option to set the owner of the generated ``rndc.key`` file.
If ``-t`` is also specified, only the file in the chroot
area has its owner changed.
Examples
~~~~~~~~
To allow ``rndc`` to be used with no manual configuration, run:
``rndc-confgen -a``
To print a sample ``rndc.conf`` file and the corresponding ``controls`` and
``key`` statements to be manually inserted into ``named.conf``, run:
``rndc-confgen``
See Also
~~~~~~~~
:manpage:`rndc(8)`, :manpage:`rndc.conf(5)`, :manpage:`named(8)`, BIND 9 Administrator Reference Manual.

View File

@@ -1,28 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
${DNS_INCLUDES} ${ISC_INCLUDES}
CDEFINES =
CWARNINGS =
OBJS = os.@O@
SRCS = os.c
TARGETS = ${OBJS}
@BIND9_MAKE_RULES@

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -14,6 +14,7 @@
/*! \file */
#include <isc/attributes.h>
#include <isc/formatcheck.h>
#include <isc/lang.h>
#include <isc/platform.h>
@@ -35,9 +36,8 @@ ISC_LANG_BEGINDECLS
void
notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
ISC_PLATFORM_NORETURN_PRE void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
ISC_LANG_ENDDECLS

View File

@@ -77,7 +77,7 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PostBuildEvent>
<Command>cd ..\..\..\Build\$(Configuration)
@@ -115,7 +115,7 @@ copy /Y ddns-confgen.ilk tsig-keygen.ilk
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<PostBuildEvent>
<Command>cd ..\..\..\Build\$(Configuration)

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.

View File

@@ -77,7 +77,7 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -109,7 +109,7 @@
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\isccc\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@confgentool.lib;libisc.lib;libdns.lib;libisccfg.lib;libisccc.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>

21
bin/delv/Makefile.am Normal file
View File

@@ -0,0 +1,21 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
-I$(top_builddir)/include \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBISCCFG_CFLAGS) \
$(LIBIRS_CFLAGS)
AM_CPPFLAGS += \
-DSYSCONFDIR=\"${sysconfdir}\"
bin_PROGRAMS = delv
delv_SOURCES = \
delv.c
delv_LDADD = \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBISCCFG_LIBS) \
$(LIBIRS_LIBS)

View File

@@ -1,68 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
${IRS_INCLUDES} ${ISCCFG_INCLUDES} \
${OPENSSL_CFLAGS}
CDEFINES = -DVERSION=\"${VERSION}\" \
-DSYSCONFDIR=\"${sysconfdir}\"
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
IRSLIBS = ../../lib/irs/libirs.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
IRSDEPLIBS = ../../lib/irs/libirs.@A@
DEPLIBS = ${DNSDEPLIBS} ${IRSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${IRSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
SUBDIRS =
TARGETS = delv@EXEEXT@
OBJS = delv.@O@
SRCS = delv.c
@BIND9_MAKE_RULES@
delv@EXEEXT@: delv.@O@ ${DEPLIBS}
export BASEOBJS="delv.@O@"; \
export LIBS0="${DNSLIBS}"; \
${FINALBUILDCMD}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
install:: delv@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
delv@EXEEXT@ ${DESTDIR}${bindir}
uninstall::
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/delv@EXEEXT@
clean distclean maintainer-clean::
rm -f ${TARGETS}

437
bin/delv/delv.1 Normal file
View File

@@ -0,0 +1,437 @@
.\" Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: delv
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-04-23
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DELV" "1" "2014\-04\-23" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
delv \- DNS lookup and validation utility
.SH "SYNOPSIS"
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [@server] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-a\ \fR\fB\fIanchor\-file\fR\fR] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIlevel\fR\fR] [\fB\-i\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [name] [type] [class] [queryopt...]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [\fB\-h\fR]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [\fB\-v\fR]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [queryopt...] [query...]
.SH "DESCRIPTION"
.PP
\fBdelv\fR
is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as
\fBnamed\fR\&.
.PP
\fBdelv\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
.PP
By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by
\fBdelv\fR
are either fully validated or were not signed\&. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail\&. Because
\fBdelv\fR
does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy\&.
.PP
Unless it is told to query a specific name server,
\fBdelv\fR
will try each of the servers listed in
/etc/resolv\&.conf\&. If no usable server addresses are found,
\fBdelv\fR
will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
.PP
When no command line arguments or options are given,
\fBdelv\fR
will perform an NS query for "\&." (the root zone)\&.
.SH "SIMPLE USAGE"
.PP
A typical invocation of
\fBdelv\fR
looks like:
.sp
.if n \{\
.RS 4
.\}
.nf
delv @server name type
.fi
.if n \{\
.RE
.\}
.sp
where:
.PP
\fBserver\fR
.RS 4
is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
\fIserver\fR
argument is a hostname,
\fBdelv\fR
resolves that name before querying that name server (note, however, that this initial lookup is
\fInot\fR
validated by DNSSEC)\&.
.sp
If no
\fIserver\fR
argument is provided,
\fBdelv\fR
consults
/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
\fB\-4\fR
or
\fB\-6\fR
options are in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
\fBdelv\fR
will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
.RE
.PP
\fBname\fR
.RS 4
is the domain name to be looked up\&.
.RE
.PP
\fBtype\fR
.RS 4
indicates what type of query is required \(em ANY, A, MX, etc\&.
\fItype\fR
can be any valid query type\&. If no
\fItype\fR
argument is supplied,
\fBdelv\fR
will perform a lookup for an A record\&.
.RE
.SH "OPTIONS"
.PP
\-a \fIanchor\-file\fR
.RS 4
Specifies a file from which to read DNSSEC trust anchors\&. The default is
/etc/bind\&.keys, which is included with
BIND
9 and contains one or more trust anchors for the root zone ("\&.")\&.
.sp
Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the
\fB+root=NAME\fR
options\&.
.sp
Note: When reading the trust anchor file,
\fBdelv\fR
treats
\fBtrust\-anchors\fR\fBinitial\-key\fR
and
\fBstatic\-key\fR
entries identically\&. That is, even if a key is configured with
\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by
\fBdelv\fR
as if it had been configured as a
\fBstatic\-key\fR\&.
\fBdelv\fR
does not consult the managed keys database maintained by
\fBnamed\fR\&. This means that if either of the keys in
/etc/bind\&.keys
is revoked and rolled over, it will be necessary to update
/etc/bind\&.keys
to use DNSSEC validation in
\fBdelv\fR\&.
.RE
.PP
\-b \fIaddress\fR
.RS 4
Sets the source IP address of the query to
\fIaddress\fR\&. This must be a valid address on one of the host\*(Aqs network interfaces or "0\&.0\&.0\&.0" or "::"\&. An optional source port may be specified by appending "#<port>"
.RE
.PP
\-c \fIclass\fR
.RS 4
Sets the query class for the requested data\&. Currently, only class "IN" is supported in
\fBdelv\fR
and any other value is ignored\&.
.RE
.PP
\-d \fIlevel\fR
.RS 4
Set the systemwide debug level to
\fBlevel\fR\&. The allowed range is from 0 to 99\&. The default is 0 (no debugging)\&. Debugging traces from
\fBdelv\fR
become more verbose as the debug level increases\&. See the
\fB+mtrace\fR,
\fB+rtrace\fR, and
\fB+vtrace\fR
options below for additional debugging details\&.
.RE
.PP
\-h
.RS 4
Display the
\fBdelv\fR
help usage output and exit\&.
.RE
.PP
\-i
.RS 4
Insecure mode\&. This disables internal DNSSEC validation\&. (Note, however, this does not set the CD bit on upstream queries\&. If the server being queried is performing DNSSEC validation, then it will not return invalid data; this can cause
\fBdelv\fR
to time out\&. When it is necessary to examine invalid data to debug a DNSSEC problem, use
\fBdig +cd\fR\&.)
.RE
.PP
\-m
.RS 4
Enables memory usage debugging\&.
.RE
.PP
\-p \fIport#\fR
.RS 4
Specifies a destination port to use for queries instead of the standard DNS port number 53\&. This option would be used with a name server that has been configured to listen for queries on a non\-standard port number\&.
.RE
.PP
\-q \fIname\fR
.RS 4
Sets the query name to
\fIname\fR\&. While the query name can be specified without using the
\fB\-q\fR, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH)\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Sets the query type to
\fItype\fR, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR\&. As with
\fB\-q\fR, this is useful to distinguish query name type or class when they are ambiguous\&. it is sometimes necessary to disambiguate names from types\&.
.sp
The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup, in which case it is "PTR"\&.
.RE
.PP
\-v
.RS 4
Print the
\fBdelv\fR
version and exit\&.
.RE
.PP
\-x \fIaddr\fR
.RS 4
Performs a reverse lookup, mapping an addresses to a name\&.
\fIaddr\fR
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When
\fB\-x\fR
is used, there is no need to provide the
\fIname\fR
or
\fItype\fR
arguments\&.
\fBdelv\fR
automatically performs a lookup for a name like
11\&.12\&.13\&.10\&.in\-addr\&.arpa
and sets the query type to PTR\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
.RE
.PP
\-4
.RS 4
Forces
\fBdelv\fR
to only use IPv4\&.
.RE
.PP
\-6
.RS 4
Forces
\fBdelv\fR
to only use IPv6\&.
.RE
.SH "QUERY OPTIONS"
.PP
\fBdelv\fR
provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed\&.
.PP
Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
no
to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
\fB+keyword=value\fR\&. The query options are:
.PP
\fB+[no]cdflag\fR
.RS 4
Controls whether to set the CD (checking disabled) bit in queries sent by
\fBdelv\fR\&. This may be useful when troubleshooting DNSSEC problems from behind a validating resolver\&. A validating resolver will block invalid responses, making it difficult to retrieve them for analysis\&. Setting the CD flag on queries will cause the resolver to return invalid responses, which
\fBdelv\fR
can then validate internally and report the errors in detail\&.
.RE
.PP
\fB+[no]class\fR
.RS 4
Controls whether to display the CLASS when printing a record\&. The default is to display the CLASS\&.
.RE
.PP
\fB+[no]ttl\fR
.RS 4
Controls whether to display the TTL when printing a record\&. The default is to display the TTL\&.
.RE
.PP
\fB+[no]rtrace\fR
.RS 4
Toggle resolver fetch logging\&. This reports the name and type of each query sent by
\fBdelv\fR
in the process of carrying out the resolution and validation process: this includes including the original query and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation\&.
.sp
This is equivalent to setting the debug level to 1 in the "resolver" logging category\&. Setting the systemwide debug level to 1 using the
\fB\-d\fR
option will product the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]mtrace\fR
.RS 4
Toggle message logging\&. This produces a detailed dump of the responses received by
\fBdelv\fR
in the process of carrying out the resolution and validation process\&.
.sp
This is equivalent to setting the debug level to 10 for the "packets" module of the "resolver" logging category\&. Setting the systemwide debug level to 10 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]vtrace\fR
.RS 4
Toggle validation logging\&. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid\&.
.sp
This is equivalent to setting the debug level to 3 for the "validator" module of the "dnssec" logging category\&. Setting the systemwide debug level to 3 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]short\fR
.RS 4
Provide a terse answer\&. The default is to print the answer in a verbose form\&.
.RE
.PP
\fB+[no]comments\fR
.RS 4
Toggle the display of comment lines in the output\&. The default is to print comments\&.
.RE
.PP
\fB+[no]rrcomments\fR
.RS 4
Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is to print per\-record comments\&.
.RE
.PP
\fB+[no]crypto\fR
.RS 4
Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
.RE
.PP
\fB+[no]trust\fR
.RS 4
Controls whether to display the trust level when printing a record\&. The default is to display the trust level\&.
.RE
.PP
\fB+[no]split[=W]\fR
.RS 4
Split long hex\- or base64\-formatted fields in resource records into chunks of
\fIW\fR
characters (where
\fIW\fR
is rounded up to the nearest multiple of 4)\&.
\fI+nosplit\fR
or
\fI+split=0\fR
causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
.RE
.PP
\fB+[no]all\fR
.RS 4
Set or clear the display options
\fB+[no]comments\fR,
\fB+[no]rrcomments\fR, and
\fB+[no]trust\fR
as a group\&.
.RE
.PP
\fB+[no]multiline\fR
.RS 4
Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdelv\fR
output\&.
.RE
.PP
\fB+[no]dnssec\fR
.RS 4
Indicates whether to display RRSIG records in the
\fBdelv\fR
output\&. The default is to do so\&. Note that (unlike in
\fBdig\fR) this does
\fInot\fR
control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
\fB\-i\fR
or
\fB+noroot\fR\&.
.RE
.PP
\fB+[no]root[=ROOT]\fR
.RS 4
Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
\fB\-a\fR
must be used to specify a file containing the key\&.
.RE
.PP
\fB+[no]tcp\fR
.RS 4
Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&.
.RE
.PP
\fB+[no]unknownformat\fR
.RS 4
Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
.RE
.PP
\fB+[no]yaml\fR
.RS 4
Print response data in YAML format\&.
.RE
.SH "FILES"
.PP
/etc/bind\&.keys
.PP
/etc/resolv\&.conf
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBnamed\fR(8),
RFC4034,
RFC4035,
RFC4431,
RFC5074,
RFC5155\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -28,6 +28,7 @@
#include <unistd.h>
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/hex.h>
@@ -205,9 +206,8 @@ usage(void) {
exit(1);
}
ISC_PLATFORM_NORETURN_PRE static void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
static void
fatal(const char *format, ...) {
@@ -601,14 +601,11 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
dns_name_t *keyname;
isc_result_t result;
bool match_root = false;
enum {
INITIAL_KEY,
STATIC_KEY,
INITIAL_DS,
STATIC_DS,
TRUSTED
} anchortype;
const cfg_obj_t *obj;
enum { INITIAL_KEY,
STATIC_KEY,
INITIAL_DS,
STATIC_DS,
TRUSTED } anchortype;
keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
CHECK(convert_name(&fkeyname, &keyname, keynamestr));
@@ -641,30 +638,21 @@ key_fromconfig(const cfg_obj_t *key, dns_client_t *client) {
rdata3 = cfg_obj_asuint32(cfg_tuple_get(key, "rdata3"));
/* What type of trust anchor is this? */
obj = cfg_tuple_get(key, "anchortype");
if (cfg_obj_isvoid(obj)) {
/*
* "anchortype" is not defined, this must be a static-key
* configured with trusted-keys.
*/
atstr = cfg_obj_asstring(cfg_tuple_get(key, "anchortype"));
if (strcasecmp(atstr, "static-key") == 0) {
anchortype = STATIC_KEY;
} else if (strcasecmp(atstr, "static-ds") == 0) {
anchortype = STATIC_DS;
} else if (strcasecmp(atstr, "initial-key") == 0) {
anchortype = INITIAL_KEY;
} else if (strcasecmp(atstr, "initial-ds") == 0) {
anchortype = INITIAL_DS;
} else {
atstr = cfg_obj_asstring(obj);
if (strcasecmp(atstr, "static-key") == 0) {
anchortype = STATIC_KEY;
} else if (strcasecmp(atstr, "static-ds") == 0) {
anchortype = STATIC_DS;
} else if (strcasecmp(atstr, "initial-key") == 0) {
anchortype = INITIAL_KEY;
} else if (strcasecmp(atstr, "initial-ds") == 0) {
anchortype = INITIAL_DS;
} else {
delv_log(ISC_LOG_ERROR,
"key '%s': invalid initialization method '%s'",
keynamestr, atstr);
result = ISC_R_FAILURE;
goto cleanup;
}
delv_log(ISC_LOG_ERROR,
"key '%s': invalid initialization method '%s'",
keynamestr, atstr);
result = ISC_R_FAILURE;
goto cleanup;
}
isc_buffer_init(&databuf, data, sizeof(data));
@@ -1339,7 +1327,7 @@ dash_option(char *option, char *next, bool *open_type_class) {
/* handled in preparse_args() */
break;
case 'v':
fputs("delv " VERSION "\n", stderr);
fprintf(stderr, "delv %s\n", PACKAGE_VERSION);
exit(0);
/* NOTREACHED */
default:

699
bin/delv/delv.docbook Normal file
View File

@@ -0,0 +1,699 @@
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
<info>
<date>2014-04-23</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle>delv</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname>delv</refname>
<refpurpose>DNS lookup and validation utility</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="norepeat">@server</arg>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">address</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i</option></arg>
<arg choice="opt" rep="norepeat"><option>-m</option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-q <replaceable class="parameter">name</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
<arg choice="opt" rep="norepeat">name</arg>
<arg choice="opt" rep="norepeat">type</arg>
<arg choice="opt" rep="norepeat">class</arg>
<arg choice="opt" rep="repeat">queryopt</arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="norepeat"><option>-h</option></arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
</cmdsynopsis>
<cmdsynopsis sepchar=" ">
<command>delv</command>
<arg choice="opt" rep="repeat">queryopt</arg>
<arg choice="opt" rep="repeat">query</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>delv</command>
is a tool for sending
DNS queries and validating the results, using the same internal
resolver and validator logic as <command>named</command>.
</para>
<para>
<command>delv</command> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY and DS records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
forwarding.
</para>
<para>
By default, responses are validated using built-in DNSSEC trust
anchor for the root zone ("."). Records returned by
<command>delv</command> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
can be traced in detail. Because <command>delv</command> does
not rely on an external server to carry out validation, it can
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.
</para>
<para>
Unless it is told to query a specific name server,
<command>delv</command> will try each of the servers listed in
<filename>/etc/resolv.conf</filename>. If no usable server
addresses are found, <command>delv</command> will send
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
</para>
<para>
When no command line arguments or options are given,
<command>delv</command> will perform an NS query for "."
(the root zone).
</para>
</refsection>
<refsection><info><title>SIMPLE USAGE</title></info>
<para>
A typical invocation of <command>delv</command> looks like:
<programlisting> delv @server name type </programlisting>
where:
<variablelist>
<varlistentry>
<term><constant>server</constant></term>
<listitem>
<para>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<parameter>server</parameter> argument is a hostname,
<command>delv</command> resolves that name before
querying that name server (note, however, that this
initial lookup is <emphasis>not</emphasis> validated
by DNSSEC).
</para>
<para>
If no <parameter>server</parameter> argument is
provided, <command>delv</command> consults
<filename>/etc/resolv.conf</filename>; if an
address is found there, it queries the name server at
that address. If either of the <option>-4</option> or
<option>-6</option> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<command>delv</command> will send queries to
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>name</constant></term>
<listitem>
<para>
is the domain name to be looked up.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>type</constant></term>
<listitem>
<para>
indicates what type of query is required &mdash;
ANY, A, MX, etc.
<parameter>type</parameter> can be any valid query
type. If no
<parameter>type</parameter> argument is supplied,
<command>delv</command> will perform a lookup for an
A record.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">anchor-file</replaceable></term>
<listitem>
<para>
Specifies a file from which to read DNSSEC trust anchors.
The default is <filename>/etc/bind.keys</filename>, which
is included with <acronym>BIND</acronym> 9 and contains
one or more trust anchors for the root zone (".").
</para>
<para>
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<option>+root=NAME</option> options.
</para>
<para>
Note: When reading the trust anchor file,
<command>delv</command> treats <option>trust-anchors</option>
<option>initial-key</option> and <option>static-key</option>
entries identically. That is, even if a key is configured
with <command>initial-key</command>, indicating that it is
meant to be used only as an initializing key for RFC 5011
key maintenance, it is still treated by <command>delv</command>
as if it had been configured as a <command>static-key</command>.
<command>delv</command> does not consult the managed keys
database maintained by <command>named</command>. This means
that if either of the keys in
<filename>/etc/bind.keys</filename> is revoked
and rolled over, it will be necessary to update
<filename>/etc/bind.keys</filename> to use DNSSEC
validation in <command>delv</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">address</replaceable></term>
<listitem>
<para>
Sets the source IP address of the query to
<parameter>address</parameter>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#&lt;port&gt;"
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Sets the query class for the requested data. Currently,
only class "IN" is supported in <command>delv</command>
and any other value is ignored.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Set the systemwide debug level to <option>level</option>.
The allowed range is from 0 to 99.
The default is 0 (no debugging).
Debugging traces from <command>delv</command> become
more verbose as the debug level increases.
See the <option>+mtrace</option>, <option>+rtrace</option>,
and <option>+vtrace</option> options below for additional
debugging details.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Display the <command>delv</command> help usage output and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i</term>
<listitem>
<para>
Insecure mode. This disables internal DNSSEC validation.
(Note, however, this does not set the CD bit on upstream
queries. If the server being queried is performing DNSSEC
validation, then it will not return invalid data; this
can cause <command>delv</command> to time out. When it
is necessary to examine invalid data to debug a DNSSEC
problem, use <command>dig +cd</command>.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m</term>
<listitem>
<para>
Enables memory usage debugging.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port#</replaceable></term>
<listitem>
<para>
Specifies a destination port to use for queries instead of
the standard DNS port number 53. This option would be used
with a name server that has been configured to listen
for queries on a non-standard port number.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q <replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
Sets the query name to <parameter>name</parameter>.
While the query name can be specified without using the
<option>-q</option>, it is sometimes necessary to disambiguate
names from types or classes (for example, when looking up the
name "ns", which could be misinterpreted as the type NS,
or "ch", which could be misinterpreted as class CH).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Sets the query type to <parameter>type</parameter>, which
can be any valid query type supported in BIND 9 except
for zone transfer types AXFR and IXFR. As with
<option>-q</option>, this is useful to distinguish
query name type or class when they are ambiguous.
it is sometimes necessary to disambiguate names from types.
</para>
<para>
The default query type is "A", unless the <option>-x</option>
option is supplied to indicate a reverse lookup, in which case
it is "PTR".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Print the <command>delv</command> version and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x <replaceable class="parameter">addr</replaceable></term>
<listitem>
<para>
Performs a reverse lookup, mapping an addresses to
a name. <parameter>addr</parameter> is an IPv4 address in
dotted-decimal notation, or a colon-delimited IPv6 address.
When <option>-x</option> is used, there is no need to provide
the <parameter>name</parameter> or <parameter>type</parameter>
arguments. <command>delv</command> automatically performs a
lookup for a name like <literal>11.12.13.10.in-addr.arpa</literal>
and sets the query type to PTR. IPv6 addresses are looked up
using nibble format under the IP6.ARPA domain.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-4</term>
<listitem>
<para>
Forces <command>delv</command> to only use IPv4.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-6</term>
<listitem>
<para>
Forces <command>delv</command> to only use IPv6.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>QUERY OPTIONS</title></info>
<para><command>delv</command>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
</para>
<para>
Each query option is identified by a keyword preceded by a plus sign
(<literal>+</literal>). Some keywords set or reset an
option. These may be preceded by the string
<literal>no</literal> to negate the meaning of that keyword.
Other keywords assign values to options like the timeout interval.
They have the form <option>+keyword=value</option>.
The query options are:
<variablelist>
<varlistentry>
<term><option>+[no]cdflag</option></term>
<listitem>
<para>
Controls whether to set the CD (checking disabled) bit in
queries sent by <command>delv</command>. This may be useful
when troubleshooting DNSSEC problems from behind a validating
resolver. A validating resolver will block invalid responses,
making it difficult to retrieve them for analysis. Setting
the CD flag on queries will cause the resolver to return
invalid responses, which <command>delv</command> can then
validate internally and report the errors in detail.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]class</option></term>
<listitem>
<para>
Controls whether to display the CLASS when printing
a record. The default is to display the CLASS.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]ttl</option></term>
<listitem>
<para>
Controls whether to display the TTL when printing
a record. The default is to display the TTL.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]rtrace</option></term>
<listitem>
<para>
Toggle resolver fetch logging. This reports the
name and type of each query sent by <command>delv</command>
in the process of carrying out the resolution and validation
process: this includes including the original query and
all subsequent queries to follow CNAMEs and to establish a
chain of trust for DNSSEC validation.
</para>
<para>
This is equivalent to setting the debug level to 1 in
the "resolver" logging category. Setting the systemwide
debug level to 1 using the <option>-d</option> option will
product the same output (but will affect other logging
categories as well).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]mtrace</option></term>
<listitem>
<para>
Toggle message logging. This produces a detailed dump of
the responses received by <command>delv</command> in the
process of carrying out the resolution and validation process.
</para>
<para>
This is equivalent to setting the debug level to 10
for the "packets" module of the "resolver" logging
category. Setting the systemwide debug level to 10 using
the <option>-d</option> option will produce the same output
(but will affect other logging categories as well).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]vtrace</option></term>
<listitem>
<para>
Toggle validation logging. This shows the internal
process of the validator as it determines whether an
answer is validly signed, unsigned, or invalid.
</para>
<para>
This is equivalent to setting the debug level to 3
for the "validator" module of the "dnssec" logging
category. Setting the systemwide debug level to 3 using
the <option>-d</option> option will produce the same output
(but will affect other logging categories as well).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]short</option></term>
<listitem>
<para>
Provide a terse answer. The default is to print the answer in a
verbose form.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]comments</option></term>
<listitem>
<para>
Toggle the display of comment lines in the output. The default
is to print comments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]rrcomments</option></term>
<listitem>
<para>
Toggle the display of per-record comments in the output (for
example, human-readable key information about DNSKEY records).
The default is to print per-record comments.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]crypto</option></term>
<listitem>
<para>
Toggle the display of cryptographic fields in DNSSEC records.
The contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see
the common failures. The default is to display the fields.
When omitted they are replaced by the string "[omitted]" or
in the DNSKEY case the key id is displayed as the replacement,
e.g. "[ key id = value ]".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]trust</option></term>
<listitem>
<para>
Controls whether to display the trust level when printing
a record. The default is to display the trust level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]split[=W]</option></term>
<listitem>
<para>
Split long hex- or base64-formatted fields in resource
records into chunks of <parameter>W</parameter> characters
(where <parameter>W</parameter> is rounded up to the nearest
multiple of 4).
<parameter>+nosplit</parameter> or
<parameter>+split=0</parameter> causes fields not to be
split at all. The default is 56 characters, or 44 characters
when multiline mode is active.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]all</option></term>
<listitem>
<para>
Set or clear the display options
<option>+[no]comments</option>,
<option>+[no]rrcomments</option>, and
<option>+[no]trust</option> as a group.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]multiline</option></term>
<listitem>
<para>
Print long records (such as RRSIG, DNSKEY, and SOA records)
in a verbose multi-line format with human-readable comments.
The default is to print each record on a single line, to
facilitate machine parsing of the <command>delv</command>
output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]dnssec</option></term>
<listitem>
<para>
Indicates whether to display RRSIG records in the
<command>delv</command> output. The default is to
do so. Note that (unlike in <command>dig</command>)
this does <emphasis>not</emphasis> control whether to
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<option>-i</option> or <option>+noroot</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]root[=ROOT]</option></term>
<listitem>
<para>
Indicates whether to perform conventional
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
a built-in key. If specifying a different trust anchor,
then <option>-a</option> must be used to specify a file
containing the key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]tcp</option></term>
<listitem>
<para>
Controls whether to use TCP when sending queries.
The default is to use UDP unless a truncated
response has been received.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]unknownformat</option></term>
<listitem>
<para>
Print all RDATA in unknown RR type presentation format
(RFC 3597). The default is to print RDATA for known types
in the type's presentation format.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>+[no]yaml</option></term>
<listitem>
<para>
Print response data in YAML format.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/bind.keys</filename></para>
<para><filename>/etc/resolv.conf</filename></para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>RFC4034</citetitle>,
<citetitle>RFC4035</citetitle>,
<citetitle>RFC4431</citetitle>,
<citetitle>RFC5074</citetitle>,
<citetitle>RFC5155</citetitle>.
</para>
</refsection>
</refentry>

588
bin/delv/delv.html Normal file
View File

@@ -0,0 +1,588 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>delv</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.delv"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
delv
&#8212; DNS lookup and validation utility
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[@server]
[
[<code class="option">-4</code>]
| [<code class="option">-6</code>]
]
[<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
[<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-i</code>]
[<code class="option">-m</code>]
[<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
[<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
[name]
[type]
[class]
[queryopt...]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[<code class="option">-h</code>]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[<code class="option">-v</code>]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">delv</code>
[queryopt...]
[query...]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>delv</strong></span>
is a tool for sending
DNS queries and validating the results, using the same internal
resolver and validator logic as <span class="command"><strong>named</strong></span>.
</p>
<p>
<span class="command"><strong>delv</strong></span> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY and DS records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
forwarding.
</p>
<p>
By default, responses are validated using built-in DNSSEC trust
anchor for the root zone ("."). Records returned by
<span class="command"><strong>delv</strong></span> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
can be traced in detail. Because <span class="command"><strong>delv</strong></span> does
not rely on an external server to carry out validation, it can
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.
</p>
<p>
Unless it is told to query a specific name server,
<span class="command"><strong>delv</strong></span> will try each of the servers listed in
<code class="filename">/etc/resolv.conf</code>. If no usable server
addresses are found, <span class="command"><strong>delv</strong></span> will send
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
</p>
<p>
When no command line arguments or options are given,
<span class="command"><strong>delv</strong></span> will perform an NS query for "."
(the root zone).
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
</p>
<pre class="programlisting"> delv @server name type </pre>
<p>
where:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd>
<p>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<em class="parameter"><code>server</code></em> argument is a hostname,
<span class="command"><strong>delv</strong></span> resolves that name before
querying that name server (note, however, that this
initial lookup is <span class="emphasis"><em>not</em></span> validated
by DNSSEC).
</p>
<p>
If no <em class="parameter"><code>server</code></em> argument is
provided, <span class="command"><strong>delv</strong></span> consults
<code class="filename">/etc/resolv.conf</code>; if an
address is found there, it queries the name server at
that address. If either of the <code class="option">-4</code> or
<code class="option">-6</code> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<span class="command"><strong>delv</strong></span> will send queries to
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).
</p>
</dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd>
<p>
is the domain name to be looked up.
</p>
</dd>
<dt><span class="term"><code class="constant">type</code></span></dt>
<dd>
<p>
indicates what type of query is required &#8212;
ANY, A, MX, etc.
<em class="parameter"><code>type</code></em> can be any valid query
type. If no
<em class="parameter"><code>type</code></em> argument is supplied,
<span class="command"><strong>delv</strong></span> will perform a lookup for an
A record.
</p>
</dd>
</dl></div>
<p>
</p>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
<dd>
<p>
Specifies a file from which to read DNSSEC trust anchors.
The default is <code class="filename">/etc/bind.keys</code>, which
is included with <acronym class="acronym">BIND</acronym> 9 and contains
one or more trust anchors for the root zone (".").
</p>
<p>
Keys that do not match the root zone name are ignored.
An alternate key name can be specified using the
<code class="option">+root=NAME</code> options.
</p>
<p>
Note: When reading the trust anchor file,
<span class="command"><strong>delv</strong></span> treats <code class="option">trust-anchors</code>
<code class="option">initial-key</code> and <code class="option">static-key</code>
entries identically. That is, even if a key is configured
with <span class="command"><strong>initial-key</strong></span>, indicating that it is
meant to be used only as an initializing key for RFC 5011
key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
<span class="command"><strong>delv</strong></span> does not consult the managed keys
database maintained by <span class="command"><strong>named</strong></span>. This means
that if either of the keys in
<code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span class="command"><strong>delv</strong></span>.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt>
<dd>
<p>
Sets the source IP address of the query to
<em class="parameter"><code>address</code></em>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#&lt;port&gt;"
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Sets the query class for the requested data. Currently,
only class "IN" is supported in <span class="command"><strong>delv</strong></span>
and any other value is ignored.
</p>
</dd>
<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Set the systemwide debug level to <code class="option">level</code>.
The allowed range is from 0 to 99.
The default is 0 (no debugging).
Debugging traces from <span class="command"><strong>delv</strong></span> become
more verbose as the debug level increases.
See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
and <code class="option">+vtrace</code> options below for additional
debugging details.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
</p>
</dd>
<dt><span class="term">-i</span></dt>
<dd>
<p>
Insecure mode. This disables internal DNSSEC validation.
(Note, however, this does not set the CD bit on upstream
queries. If the server being queried is performing DNSSEC
validation, then it will not return invalid data; this
can cause <span class="command"><strong>delv</strong></span> to time out. When it
is necessary to examine invalid data to debug a DNSSEC
problem, use <span class="command"><strong>dig +cd</strong></span>.)
</p>
</dd>
<dt><span class="term">-m</span></dt>
<dd>
<p>
Enables memory usage debugging.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
<dd>
<p>
Specifies a destination port to use for queries instead of
the standard DNS port number 53. This option would be used
with a name server that has been configured to listen
for queries on a non-standard port number.
</p>
</dd>
<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
<dd>
<p>
Sets the query name to <em class="parameter"><code>name</code></em>.
While the query name can be specified without using the
<code class="option">-q</code>, it is sometimes necessary to disambiguate
names from types or classes (for example, when looking up the
name "ns", which could be misinterpreted as the type NS,
or "ch", which could be misinterpreted as class CH).
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Sets the query type to <em class="parameter"><code>type</code></em>, which
can be any valid query type supported in BIND 9 except
for zone transfer types AXFR and IXFR. As with
<code class="option">-q</code>, this is useful to distinguish
query name type or class when they are ambiguous.
it is sometimes necessary to disambiguate names from types.
</p>
<p>
The default query type is "A", unless the <code class="option">-x</code>
option is supplied to indicate a reverse lookup, in which case
it is "PTR".
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Print the <span class="command"><strong>delv</strong></span> version and exit.
</p>
</dd>
<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
<dd>
<p>
Performs a reverse lookup, mapping an addresses to
a name. <em class="parameter"><code>addr</code></em> is an IPv4 address in
dotted-decimal notation, or a colon-delimited IPv6 address.
When <code class="option">-x</code> is used, there is no need to provide
the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
arguments. <span class="command"><strong>delv</strong></span> automatically performs a
lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
and sets the query type to PTR. IPv6 addresses are looked up
using nibble format under the IP6.ARPA domain.
</p>
</dd>
<dt><span class="term">-4</span></dt>
<dd>
<p>
Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd>
<p>
Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>QUERY OPTIONS</h2>
<p><span class="command"><strong>delv</strong></span>
provides a number of query options which affect the way results are
displayed, and in some cases the way lookups are performed.
</p>
<p>
Each query option is identified by a keyword preceded by a plus sign
(<code class="literal">+</code>). Some keywords set or reset an
option. These may be preceded by the string
<code class="literal">no</code> to negate the meaning of that keyword.
Other keywords assign values to options like the timeout interval.
They have the form <code class="option">+keyword=value</code>.
The query options are:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd>
<p>
Controls whether to set the CD (checking disabled) bit in
queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
when troubleshooting DNSSEC problems from behind a validating
resolver. A validating resolver will block invalid responses,
making it difficult to retrieve them for analysis. Setting
the CD flag on queries will cause the resolver to return
invalid responses, which <span class="command"><strong>delv</strong></span> can then
validate internally and report the errors in detail.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]class</code></span></dt>
<dd>
<p>
Controls whether to display the CLASS when printing
a record. The default is to display the CLASS.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
<dd>
<p>
Controls whether to display the TTL when printing
a record. The default is to display the TTL.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
<dd>
<p>
Toggle resolver fetch logging. This reports the
name and type of each query sent by <span class="command"><strong>delv</strong></span>
in the process of carrying out the resolution and validation
process: this includes including the original query and
all subsequent queries to follow CNAMEs and to establish a
chain of trust for DNSSEC validation.
</p>
<p>
This is equivalent to setting the debug level to 1 in
the "resolver" logging category. Setting the systemwide
debug level to 1 using the <code class="option">-d</code> option will
product the same output (but will affect other logging
categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
<dd>
<p>
Toggle message logging. This produces a detailed dump of
the responses received by <span class="command"><strong>delv</strong></span> in the
process of carrying out the resolution and validation process.
</p>
<p>
This is equivalent to setting the debug level to 10
for the "packets" module of the "resolver" logging
category. Setting the systemwide debug level to 10 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
<dd>
<p>
Toggle validation logging. This shows the internal
process of the validator as it determines whether an
answer is validly signed, unsigned, or invalid.
</p>
<p>
This is equivalent to setting the debug level to 3
for the "validator" module of the "dnssec" logging
category. Setting the systemwide debug level to 3 using
the <code class="option">-d</code> option will produce the same output
(but will affect other logging categories as well).
</p>
</dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd>
<p>
Provide a terse answer. The default is to print the answer in a
verbose form.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd>
<p>
Toggle the display of comment lines in the output. The default
is to print comments.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
<dd>
<p>
Toggle the display of per-record comments in the output (for
example, human-readable key information about DNSKEY records).
The default is to print per-record comments.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
<dd>
<p>
Toggle the display of cryptographic fields in DNSSEC records.
The contents of these field are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see
the common failures. The default is to display the fields.
When omitted they are replaced by the string "[omitted]" or
in the DNSKEY case the key id is displayed as the replacement,
e.g. "[ key id = value ]".
</p>
</dd>
<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
<dd>
<p>
Controls whether to display the trust level when printing
a record. The default is to display the trust level.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
<dd>
<p>
Split long hex- or base64-formatted fields in resource
records into chunks of <em class="parameter"><code>W</code></em> characters
(where <em class="parameter"><code>W</code></em> is rounded up to the nearest
multiple of 4).
<em class="parameter"><code>+nosplit</code></em> or
<em class="parameter"><code>+split=0</code></em> causes fields not to be
split at all. The default is 56 characters, or 44 characters
when multiline mode is active.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd>
<p>
Set or clear the display options
<code class="option">+[no]comments</code>,
<code class="option">+[no]rrcomments</code>, and
<code class="option">+[no]trust</code> as a group.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
<dd>
<p>
Print long records (such as RRSIG, DNSKEY, and SOA records)
in a verbose multi-line format with human-readable comments.
The default is to print each record on a single line, to
facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
output.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
<dd>
<p>
Indicates whether to display RRSIG records in the
<span class="command"><strong>delv</strong></span> output. The default is to
do so. Note that (unlike in <span class="command"><strong>dig</strong></span>)
this does <span class="emphasis"><em>not</em></span> control whether to
request DNSSEC records or whether to validate them.
DNSSEC records are always requested, and validation
will always occur unless suppressed by the use of
<code class="option">-i</code> or <code class="option">+noroot</code>.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd>
<p>
Indicates whether to perform conventional
DNSSEC validation, and if so, specifies the
name of a trust anchor. The default is to validate using
a trust anchor of "." (the root zone), for which there is
a built-in key. If specifying a different trust anchor,
then <code class="option">-a</code> must be used to specify a file
containing the key.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd>
<p>
Controls whether to use TCP when sending queries.
The default is to use UDP unless a truncated
response has been received.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
<dd>
<p>
Print all RDATA in unknown RR type presentation format
(RFC 3597). The default is to print RDATA for known types
in the type's presentation format.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]yaml</code></span></dt>
<dd>
<p>
Print response data in YAML format.
</p>
</dd>
</dl></div>
<p>
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>FILES</h2>
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>,
<em class="citetitle">RFC4034</em>,
<em class="citetitle">RFC4035</em>,
<em class="citetitle">RFC4431</em>,
<em class="citetitle">RFC5074</em>,
<em class="citetitle">RFC5155</em>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,336 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_delv:
delv - DNS lookup and validation utility
----------------------------------------
Synopsis
~~~~~~~~
:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]
:program:`delv` [**-h**]
:program:`delv` [**-v**]
:program:`delv` [queryopt...] [query...]
Description
~~~~~~~~~~~
``delv`` is a tool for sending DNS queries and validating the results,
using the same internal resolver and validator logic as ``named``.
``delv`` sends to a specified name server all queries needed to
fetch and validate the requested data; this includes the original
requested query, subsequent queries to follow CNAME or DNAME chains,
queries for DNSKEY, and DS records to establish a chain of trust for
DNSSEC validation. It does not perform iterative resolution, but
simulates the behavior of a name server configured for DNSSEC validating
and forwarding.
By default, responses are validated using the built-in DNSSEC trust anchor
for the root zone ("."). Records returned by ``delv`` are either fully
validated or were not signed. If validation fails, an explanation of the
failure is included in the output; the validation process can be traced
in detail. Because ``delv`` does not rely on an external server to carry
out validation, it can be used to check the validity of DNS responses in
environments where local name servers may not be trustworthy.
Unless it is told to query a specific name server, ``delv`` tries
each of the servers listed in ``/etc/resolv.conf``. If no usable server
addresses are found, ``delv`` sends queries to the localhost
addresses (127.0.0.1 for IPv4, ::1 for IPv6).
When no command-line arguments or options are given, ``delv``
performs an NS query for "." (the root zone).
Simple Usage
~~~~~~~~~~~~
A typical invocation of ``delv`` looks like:
::
delv @server name type
where:
``server``
is the name or IP address of the name server to query. This can be an
IPv4 address in dotted-decimal notation or an IPv6 address in
colon-delimited notation. When the supplied ``server`` argument is a
hostname, ``delv`` resolves that name before querying that name
server (note, however, that this initial lookup is *not* validated by
DNSSEC).
If no ``server`` argument is provided, ``delv`` consults
``/etc/resolv.conf``; if an address is found there, it queries the
name server at that address. If either of the ``-4`` or ``-6``
options is in use, then only addresses for the corresponding
transport are tried. If no usable addresses are found, ``delv``
sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).
``name``
is the domain name to be looked up.
``type``
indicates what type of query is required - ANY, A, MX, etc.
``type`` can be any valid query type. If no ``type`` argument is
supplied, ``delv`` performs a lookup for an A record.
Options
~~~~~~~
``-a anchor-file``
This option specifies a file from which to read DNSSEC trust anchors. The default
is ``/etc/bind.keys``, which is included with BIND 9 and contains one
or more trust anchors for the root zone (".").
Keys that do not match the root zone name are ignored. An alternate
key name can be specified using the ``+root=NAME`` options.
Note: When reading the trust anchor file, ``delv`` treats ``trust-anchors``,
``initial-key``, and ``static-key`` identically. That is, for a managed key,
it is the *initial* key that is trusted; :rfc:`5011` key management is not
supported. ``delv`` does not consult the managed-keys database maintained by
``named``, which means that if either of the keys in ``/etc/bind.keys`` is
revoked and rolled over, ``/etc/bind.keys`` must be updated to
use DNSSEC validation in ``delv``.
``-b address``
This option sets the source IP address of the query to ``address``. This must be
a valid address on one of the host's network interfaces, or ``0.0.0.0``,
or ``::``. An optional source port may be specified by appending
``#<port>``
``-c class``
This option sets the query class for the requested data. Currently, only class
"IN" is supported in ``delv`` and any other value is ignored.
``-d level``
This option sets the systemwide debug level to ``level``. The allowed range is
from 0 to 99. The default is 0 (no debugging). Debugging traces from
``delv`` become more verbose as the debug level increases. See the
``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for
additional debugging details.
``-h``
This option displays the ``delv`` help usage output and exits.
``-i``
This option sets insecure mode, which disables internal DNSSEC validation. (Note,
however, that this does not set the CD bit on upstream queries. If the
server being queried is performing DNSSEC validation, then it does
not return invalid data; this can cause ``delv`` to time out. When it
is necessary to examine invalid data to debug a DNSSEC problem, use
``dig +cd``.)
``-m``
This option enables memory usage debugging.
``-p port#``
This option specifies a destination port to use for queries, instead of the
standard DNS port number 53. This option is used with a name
server that has been configured to listen for queries on a
non-standard port number.
``-q name``
This option sets the query name to ``name``. While the query name can be
specified without using the ``-q`` option, it is sometimes necessary to
disambiguate names from types or classes (for example, when looking
up the name "ns", which could be misinterpreted as the type NS, or
"ch", which could be misinterpreted as class CH).
``-t type``
This option sets the query type to ``type``, which can be any valid query type
supported in BIND 9 except for zone transfer types AXFR and IXFR. As
with ``-q``, this is useful to distinguish query-name types or classes
when they are ambiguous. It is sometimes necessary to disambiguate
names from types.
The default query type is "A", unless the ``-x`` option is supplied
to indicate a reverse lookup, in which case it is "PTR".
``-v``
This option prints the ``delv`` version and exits.
``-x addr``
This option performs a reverse lookup, mapping an address to a name. ``addr``
is an IPv4 address in dotted-decimal notation, or a colon-delimited
IPv6 address. When ``-x`` is used, there is no need to provide the
``name`` or ``type`` arguments; ``delv`` automatically performs a
lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the
query type to PTR. IPv6 addresses are looked up using nibble format
under the IP6.ARPA domain.
``-4``
This option forces ``delv`` to only use IPv4.
``-6``
This option forces ``delv`` to only use IPv6.
Query Options
~~~~~~~~~~~~~
``delv`` provides a number of query options which affect the way results
are displayed, and in some cases the way lookups are performed.
Each query option is identified by a keyword preceded by a plus sign
(``+``). Some keywords set or reset an option. These may be preceded by
the string ``no`` to negate the meaning of that keyword. Other keywords
assign values to options like the timeout interval. They have the form
``+keyword=value``. The query options are:
``+[no]cdflag``
This option controls whether to set the CD (checking disabled) bit in queries
sent by ``delv``. This may be useful when troubleshooting DNSSEC
problems from behind a validating resolver. A validating resolver
blocks invalid responses, making it difficult to retrieve them
for analysis. Setting the CD flag on queries causes the resolver
to return invalid responses, which ``delv`` can then validate
internally and report the errors in detail.
``+[no]class``
This option controls whether to display the CLASS when printing a record. The
default is to display the CLASS.
``+[no]ttl``
This option controls whether to display the TTL when printing a record. The
default is to display the TTL.
``+[no]rtrace``
This option toggles resolver fetch logging. This reports the name and type of each
query sent by ``delv`` in the process of carrying out the resolution
and validation process, including the original query
and all subsequent queries to follow CNAMEs and to establish a chain
of trust for DNSSEC validation.
This is equivalent to setting the debug level to 1 in the "resolver"
logging category. Setting the systemwide debug level to 1 using the
``-d`` option produces the same output, but affects other
logging categories as well.
``+[no]mtrace``
This option toggles message logging. This produces a detailed dump of the
responses received by ``delv`` in the process of carrying out the
resolution and validation process.
This is equivalent to setting the debug level to 10 for the "packets"
module of the "resolver" logging category. Setting the systemwide
debug level to 10 using the ``-d`` option produces the same
output, but affects other logging categories as well.
``+[no]vtrace``
This option toggles validation logging. This shows the internal process of the
validator as it determines whether an answer is validly signed,
unsigned, or invalid.
This is equivalent to setting the debug level to 3 for the
"validator" module of the "dnssec" logging category. Setting the
systemwide debug level to 3 using the ``-d`` option produces the
same output, but affects other logging categories as well.
``+[no]short``
This option toggles between verbose and terse answers. The default is to print the answer in a
verbose form.
``+[no]comments``
This option toggles the display of comment lines in the output. The default is to
print comments.
``+[no]rrcomments``
This option toggles the display of per-record comments in the output (for example,
human-readable key information about DNSKEY records). The default is
to print per-record comments.
``+[no]crypto``
This option toggles the display of cryptographic fields in DNSSEC records. The
contents of these fields are unnecessary to debug most DNSSEC
validation failures and removing them makes it easier to see the
common failures. The default is to display the fields. When omitted,
they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
``+[no]trust``
This option controls whether to display the trust level when printing a record.
The default is to display the trust level.
``+[no]split[=W]``
This option splits long hex- or base64-formatted fields in resource records into
chunks of ``W`` characters (where ``W`` is rounded up to the nearest
multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
split at all. The default is 56 characters, or 44 characters when
multiline mode is active.
``+[no]all``
This option sets or clears the display options ``+[no]comments``,
``+[no]rrcomments``, and ``+[no]trust`` as a group.
``+[no]multiline``
This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a
verbose multi-line format with human-readable comments. The default
is to print each record on a single line, to facilitate machine
parsing of the ``delv`` output.
``+[no]dnssec``
This option indicates whether to display RRSIG records in the ``delv`` output.
The default is to do so. Note that (unlike in ``dig``) this does
*not* control whether to request DNSSEC records or to
validate them. DNSSEC records are always requested, and validation
always occurs unless suppressed by the use of ``-i`` or
``+noroot``.
``+[no]root[=ROOT]``
This option indicates whether to perform conventional DNSSEC validation, and if so,
specifies the name of a trust anchor. The default is to validate using a
trust anchor of "." (the root zone), for which there is a built-in key. If
specifying a different trust anchor, then ``-a`` must be used to specify a
file containing the key.
``+[no]tcp``
This option controls whether to use TCP when sending queries. The default is to
use UDP unless a truncated response has been received.
``+[no]unknownformat``
This option prints all RDATA in unknown RR-type presentation format (:rfc:`3597`).
The default is to print RDATA for known types in the type's
presentation format.
``+[no]yaml``
This option prints response data in YAML format.
Files
~~~~~
``/etc/bind.keys``
``/etc/resolv.conf``
See Also
~~~~~~~~
:manpage:`dig(1)`, :manpage:`named(8)`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`.

View File

@@ -75,7 +75,7 @@
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
@@ -107,7 +107,7 @@
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalLibraryDirectories>..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\irs\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIBCRYPTO@@OPENSSL_LIBSSL@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>@OPENSSL_LIB@libisc.lib;libdns.lib;libisccfg.lib;libirs.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemGroup>

30
bin/dig/Makefile.am Normal file
View File

@@ -0,0 +1,30 @@
include $(top_srcdir)/Makefile.top
AM_CPPFLAGS += \
$(LIBISC_CFLAGS) \
$(LIBDNS_CFLAGS) \
$(LIBISCCFG_CFLAGS) \
$(LIBIRS_CFLAGS) \
$(LIBBIND9_CFLAGS) \
$(LIBIDN2_CFLAGS)
LDADD = \
libdighost.la \
$(LIBISC_LIBS) \
$(LIBDNS_LIBS) \
$(LIBISCCFG_LIBS) \
$(LIBIRS_LIBS) \
$(LIBBIND9_LIBS) \
$(LIBIDN2_LIBS)
noinst_LTLIBRARIES = libdighost.la
libdighost_la_SOURCES = \
dighost.h \
dighost.c
bin_PROGRAMS = dig host nslookup
nslookup_LDADD = \
$(LDADD) \
$(READLINE_LIB)

View File

@@ -1,96 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
READLINE_LIB = @READLINE_LIB@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} \
${BIND9_INCLUDES} ${ISC_INCLUDES} \
${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ \
${OPENSSL_CFLAGS}
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
IRSLIBS = ../../lib/irs/libirs.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
IRSDEPLIBS = ../../lib/irs/libirs.@A@
DEPLIBS = ${DNSDEPLIBS} ${IRSDEPLIBS} ${BIND9DEPLIBS} \
${ISCDEPLIBS} ${ISCCFGDEPLIBS}
LIBS = ${DNSLIBS} ${IRSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
${ISCLIBS} @LIBIDN2_LIBS@ @LIBS@
NOSYMLIBS = ${DNSLIBS} ${IRSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
${ISCNOSYMLIBS} @LIBIDN2_LIBS@ @LIBS@
SUBDIRS =
TARGETS = dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@
OBJS = dig.@O@ dighost.@O@ host.@O@ nslookup.@O@
UOBJS =
SRCS = dig.c dighost.c host.c nslookup.c
@BIND9_MAKE_RULES@
LDFLAGS = @LDFLAGS@ @LIBIDN2_LDFLAGS@
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
${FINALBUILDCMD}
host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
${FINALBUILDCMD}
nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="nslookup.@O@ dighost.@O@ ${READLINE_LIB} ${UOBJS}"; \
export LIBS0="${DNSLIBS} ${IRSLIBS}"; \
${FINALBUILDCMD}
clean distclean maintainer-clean::
rm -f ${TARGETS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
dig@EXEEXT@ ${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
host@EXEEXT@ ${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
nslookup@EXEEXT@ ${DESTDIR}${bindir}
uninstall::
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/nslookup@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/host@EXEEXT@
${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${bindir}/dig@EXEEXT@

853
bin/dig/dig.1 Normal file
View File

@@ -0,0 +1,853 @@
.\" Copyright (C) 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dig
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-02-19
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DIG" "1" "2014\-02\-19" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dig \- DNS lookup utility
.SH "SYNOPSIS"
.HP \w'\fBdig\fR\ 'u
\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [name] [type] [class] [queryopt...]
.HP \w'\fBdig\fR\ 'u
\fBdig\fR [\fB\-h\fR]
.HP \w'\fBdig\fR\ 'u
\fBdig\fR [global\-queryopt...] [query...]
.SH "DESCRIPTION"
.PP
\fBdig\fR
is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
\fBdig\fR
to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output\&. Other lookup tools tend to have less functionality than
\fBdig\fR\&.
.PP
Although
\fBdig\fR
is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file\&. A brief summary of its command\-line arguments and options is printed when the
\fB\-h\fR
option is given\&. Unlike earlier versions, the BIND 9 implementation of
\fBdig\fR
allows multiple lookups to be issued from the command line\&.
.PP
Unless it is told to query a specific name server,
\fBdig\fR
will try each of the servers listed in
/etc/resolv\&.conf\&. If no usable server addresses are found,
\fBdig\fR
will send the query to the local host\&.
.PP
When no command line arguments or options are given,
\fBdig\fR
will perform an NS query for "\&." (the root)\&.
.PP
It is possible to set per\-user defaults for
\fBdig\fR
via
${HOME}/\&.digrc\&. This file is read and any options in it are applied before the command line arguments\&. The
\fB\-r\fR
option disables this feature, for scripts that need predictable behaviour\&.
.PP
The IN and CH class names overlap with the IN and CH top level domain names\&. Either use the
\fB\-t\fR
and
\fB\-c\fR
options to specify the type and class, use the
\fB\-q\fR
the specify the domain name, or use "IN\&." and "CH\&." when looking up these top level domains\&.
.SH "SIMPLE USAGE"
.PP
A typical invocation of
\fBdig\fR
looks like:
.sp
.if n \{\
.RS 4
.\}
.nf
dig @server name type
.fi
.if n \{\
.RE
.\}
.sp
where:
.PP
\fBserver\fR
.RS 4
is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
\fIserver\fR
argument is a hostname,
\fBdig\fR
resolves that name before querying that name server\&.
.sp
If no
\fIserver\fR
argument is provided,
\fBdig\fR
consults
/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
\fB\-4\fR
or
\fB\-6\fR
options are in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
\fBdig\fR
will send the query to the local host\&. The reply from the name server that responds is displayed\&.
.RE
.PP
\fBname\fR
.RS 4
is the name of the resource record that is to be looked up\&.
.RE
.PP
\fBtype\fR
.RS 4
indicates what type of query is required \(em ANY, A, MX, SIG, etc\&.
\fItype\fR
can be any valid query type\&. If no
\fItype\fR
argument is supplied,
\fBdig\fR
will perform a lookup for an A record\&.
.RE
.SH "OPTIONS"
.PP
\-4
.RS 4
Use IPv4 only\&.
.RE
.PP
\-6
.RS 4
Use IPv6 only\&.
.RE
.PP
\-b \fIaddress\fR\fI[#port]\fR
.RS 4
Set the source IP address of the query\&. The
\fIaddress\fR
must be a valid address on one of the host\*(Aqs network interfaces, or "0\&.0\&.0\&.0" or "::"\&. An optional port may be specified by appending "#<port>"
.RE
.PP
\-c \fIclass\fR
.RS 4
Set the query class\&. The default
\fIclass\fR
is IN; other classes are HS for Hesiod records or CH for Chaosnet records\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
Batch mode:
\fBdig\fR
reads a list of lookup requests to process from the given
\fIfile\fR\&. Each line in the file should be organized in the same way they would be presented as queries to
\fBdig\fR
using the command\-line interface\&.
.RE
.PP
\-k \fIkeyfile\fR
.RS 4
Sign queries using TSIG using a key read from the given file\&. Key files can be generated using
\fBtsig-keygen\fR(8)\&. When using TSIG authentication with
\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used\&. In BIND, this is done by providing appropriate
\fBkey\fR
and
\fBserver\fR
statements in
named\&.conf\&.
.RE
.PP
\-m
.RS 4
Enable memory usage debugging\&.
.RE
.PP
\-p \fIport\fR
.RS 4
Send the query to a non\-standard port on the server, instead of the default port 53\&. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number\&.
.RE
.PP
\-q \fIname\fR
.RS 4
The domain name to query\&. This is useful to distinguish the
\fIname\fR
from other arguments\&.
.RE
.PP
\-r
.RS 4
Do not read options from
${HOME}/\&.digrc\&. This is useful for scripts that need predictable behaviour\&.
.RE
.PP
\-t \fItype\fR
.RS 4
The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup\&. A zone transfer can be requested by specifying a type of AXFR\&. When an incremental zone transfer (IXFR) is required, set the
\fItype\fR
to
ixfr=N\&. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone\*(Aqs SOA record was
\fIN\fR\&.
.sp
All resource record types can be expressed as "TYPEnn", where "nn" is the number of the type\&. If the resource record type is not supported in BIND 9, the result will be displayed as described in RFC 3597\&.
.RE
.PP
\-u
.RS 4
Print query times in microseconds instead of milliseconds\&.
.RE
.PP
\-v
.RS 4
Print the version number and exit\&.
.RE
.PP
\-x \fIaddr\fR
.RS 4
Simplified reverse lookups, for mapping addresses to names\&. The
\fIaddr\fR
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When the
\fB\-x\fR
is used, there is no need to provide the
\fIname\fR,
\fIclass\fR
and
\fItype\fR
arguments\&.
\fBdig\fR
automatically performs a lookup for a name like
94\&.2\&.0\&.192\&.in\-addr\&.arpa
and sets the query type and class to PTR and IN respectively\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
.RE
.PP
\-y \fI[hmac:]\fR\fIkeyname:secret\fR
.RS 4
Sign queries using TSIG with the given authentication key\&.
\fIkeyname\fR
is the name of the key, and
\fIsecret\fR
is the base64 encoded shared secret\&.
\fIhmac\fR
is the name of the key algorithm; valid choices are
hmac\-md5,
hmac\-sha1,
hmac\-sha224,
hmac\-sha256,
hmac\-sha384, or
hmac\-sha512\&. If
\fIhmac\fR
is not specified, the default is
hmac\-md5
or if MD5 was disabled
hmac\-sha256\&.
.sp
NOTE: You should use the
\fB\-k\fR
option and avoid the
\fB\-y\fR
option, because with
\fB\-y\fR
the shared secret is supplied as a command line argument in clear text\&. This may be visible in the output from
\fBps\fR(1)
or in a history file maintained by the user\*(Aqs shell\&.
.RE
.SH "QUERY OPTIONS"
.PP
\fBdig\fR
provides a number of query options which affect the way in which lookups are made and the results displayed\&. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies\&.
.PP
Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
no
to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
\fB+keyword=value\fR\&. Keywords may be abbreviated, provided the abbreviation is unambiguous; for example,
+cd
is equivalent to
+cdflag\&. The query options are:
.PP
\fB+[no]aaflag\fR
.RS 4
A synonym for
\fI+[no]aaonly\fR\&.
.RE
.PP
\fB+[no]aaonly\fR
.RS 4
Sets the "aa" flag in the query\&.
.RE
.PP
\fB+[no]additional\fR
.RS 4
Display [do not display] the additional section of a reply\&. The default is to display it\&.
.RE
.PP
\fB+[no]adflag\fR
.RS 4
Set [do not set] the AD (authentic data) bit in the query\&. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server\&. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT\-OUT range\&. AD=0 indicate that some part of the answer was insecure or not validated\&. This bit is set by default\&.
.RE
.PP
\fB+[no]all\fR
.RS 4
Set or clear all display flags\&.
.RE
.PP
\fB+[no]answer\fR
.RS 4
Display [do not display] the answer section of a reply\&. The default is to display it\&.
.RE
.PP
\fB+[no]authority\fR
.RS 4
Display [do not display] the authority section of a reply\&. The default is to display it\&.
.RE
.PP
\fB+[no]badcookie\fR
.RS 4
Retry lookup with the new server cookie if a BADCOOKIE response is received\&.
.RE
.PP
\fB+[no]besteffort\fR
.RS 4
Attempt to display the contents of messages which are malformed\&. The default is to not display malformed answers\&.
.RE
.PP
\fB+bufsize=B\fR
.RS 4
Set the UDP message buffer size advertised using EDNS0 to
\fIB\fR
bytes\&. The maximum and minimum sizes of this buffer are 65535 and 0 respectively\&. Values outside this range are rounded up or down appropriately\&. Values other than zero will cause a EDNS query to be sent\&.
.RE
.PP
\fB+[no]cdflag\fR
.RS 4
Set [do not set] the CD (checking disabled) bit in the query\&. This requests the server to not perform DNSSEC validation of responses\&.
.RE
.PP
\fB+[no]class\fR
.RS 4
Display [do not display] the CLASS when printing the record\&.
.RE
.PP
\fB+[no]cmd\fR
.RS 4
Toggles the printing of the initial comment in the output, identifying the version of
\fBdig\fR
and the query options that have been applied\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&. The default is to print this comment\&.
.RE
.PP
\fB+[no]comments\fR
.RS 4
Toggles the display of some comment lines in the output, containing information about the packet header and OPT pseudosection, and the names of the response section\&. The default is to print these comments\&.
.sp
Other types of comments in the output are not affected by this option, but can be controlled using other command line switches\&. These include
\fB+[no]cmd\fR,
\fB+[no]question\fR,
\fB+[no]stats\fR, and
\fB+[no]rrcomments\fR\&.
.RE
.PP
\fB+[no]cookie\fR\fB[=####]\fR
.RS 4
Send a COOKIE EDNS option, with optional value\&. Replaying a COOKIE from a previous response will allow the server to identify a previous client\&. The default is
\fB+cookie\fR\&.
.sp
\fB+cookie\fR
is also set when +trace is set to better emulate the default queries from a nameserver\&.
.RE
.PP
\fB+[no]crypto\fR
.RS 4
Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
.RE
.PP
\fB+[no]defname\fR
.RS 4
Deprecated, treated as a synonym for
\fI+[no]search\fR
.RE
.PP
\fB+[no]dnssec\fR
.RS 4
Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query\&.
.RE
.PP
\fB+domain=somename\fR
.RS 4
Set the search list to contain the single domain
\fIsomename\fR, as if specified in a
\fBdomain\fR
directive in
/etc/resolv\&.conf, and enable search list processing as if the
\fI+search\fR
option were given\&.
.RE
.PP
\fB+dscp=value\fR
.RS 4
Set the DSCP code point to be used when sending the query\&. Valid DSCP code points are in the range [0\&.\&.63]\&. By default no code point is explicitly set\&.
.RE
.PP
\fB+[no]edns[=#]\fR
.RS 4
Specify the EDNS version to query with\&. Valid values are 0 to 255\&. Setting the EDNS version will cause a EDNS query to be sent\&.
\fB+noedns\fR
clears the remembered EDNS version\&. EDNS is set to 0 by default\&.
.RE
.PP
\fB+[no]ednsflags[=#]\fR
.RS 4
Set the must\-be\-zero EDNS flags bits (Z bits) to the specified value\&. Decimal, hex and octal encodings are accepted\&. Setting a named flag (e\&.g\&. DO) will silently be ignored\&. By default, no Z bits are set\&.
.RE
.PP
\fB+[no]ednsnegotiation\fR
.RS 4
Enable / disable EDNS version negotiation\&. By default EDNS version negotiation is enabled\&.
.RE
.PP
\fB+[no]ednsopt[=code[:value]]\fR
.RS 4
Specify EDNS option with code point
\fBcode\fR
and optionally payload of
\fBvalue\fR
as a hexadecimal string\&.
\fBcode\fR
can be either an EDNS option name (for example,
NSID
or
ECS), or an arbitrary numeric value\&.
\fB+noednsopt\fR
clears the EDNS options to be sent\&.
.RE
.PP
\fB+[no]expire\fR
.RS 4
Send an EDNS Expire option\&.
.RE
.PP
\fB+[no]expandaaaa\fR
.RS 4
When printing AAAA record print all zero nibbles rather than the default RFC 5952 preferred presentation format\&.
.RE
.PP
\fB+[no]fail\fR
.RS 4
Do not try the next server if you receive a SERVFAIL\&. The default is to not try the next server which is the reverse of normal stub resolver behavior\&.
.RE
.PP
\fB+[no]header\-only\fR
.RS 4
Send a query with a DNS header without a question section\&. The default is to add a question section\&. The query type and query name are ignored when this is set\&.
.RE
.PP
\fB+[no]identify\fR
.RS 4
Show [or do not show] the IP address and port number that supplied the answer when the
\fI+short\fR
option is enabled\&. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer\&.
.RE
.PP
\fB+[no]idnin\fR
.RS 4
Process [do not process] IDN domain names on input\&. This requires IDN SUPPORT to have been enabled at compile time\&.
.sp
The default is to process IDN input when standard output is a tty\&. The IDN processing on input is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]idnout\fR
.RS 4
Convert [do not convert] puny code on output\&. This requires IDN SUPPORT to have been enabled at compile time\&.
.sp
The default is to process puny code on output when standard output is a tty\&. The puny code processing on output is disabled when dig output is redirected to files, pipes, and other non\-tty file descriptors\&.
.RE
.PP
\fB+[no]ignore\fR
.RS 4
Ignore truncation in UDP responses instead of retrying with TCP\&. By default, TCP retries are performed\&.
.RE
.PP
\fB+[no]keepalive\fR
.RS 4
Send [or do not send] an EDNS Keepalive option\&.
.RE
.PP
\fB+[no]keepopen\fR
.RS 4
Keep the TCP socket open between queries and reuse it rather than creating a new TCP socket for each lookup\&. The default is
\fB+nokeepopen\fR\&.
.RE
.PP
\fB+[no]mapped\fR
.RS 4
Allow mapped IPv4 over IPv6 addresses to be used\&. The default is
\fB+mapped\fR\&.
.RE
.PP
\fB+[no]multiline\fR
.RS 4
Print records like the SOA records in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdig\fR
output\&.
.RE
.PP
\fB+ndots=D\fR
.RS 4
Set the number of dots that have to appear in
\fIname\fR
to
\fID\fR
for it to be considered absolute\&. The default value is that defined using the ndots statement in
/etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
\fBsearch\fR
or
\fBdomain\fR
directive in
/etc/resolv\&.conf
if
\fB+search\fR
is set\&.
.RE
.PP
\fB+[no]nsid\fR
.RS 4
Include an EDNS name server ID request when sending a query\&.
.RE
.PP
\fB+[no]nssearch\fR
.RS 4
When this option is set,
\fBdig\fR
attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone\&. Addresses of servers that that did not respond are also printed\&.
.RE
.PP
\fB+[no]onesoa\fR
.RS 4
Print only one (starting) SOA record when performing an AXFR\&. The default is to print both the starting and ending SOA records\&.
.RE
.PP
\fB+[no]opcode=value\fR
.RS 4
Set [restore] the DNS message opcode to the specified value\&. The default value is QUERY (0)\&.
.RE
.PP
\fB+padding=value\fR
.RS 4
Pad the size of the query packet using the EDNS Padding option to blocks of
\fIvalue\fR
bytes\&. For example,
\fB+padding=32\fR
would cause a 48\-byte query to be padded to 64 bytes\&. The default block size is 0, which disables padding\&. The maximum is 512\&. Values are ordinarily expected to be powers of two, such as 128; however, this is not mandatory\&. Responses to padded queries may also be padded, but only if the query uses TCP or DNS COOKIE\&.
.RE
.PP
\fB+[no]qr\fR
.RS 4
Toggles the display of the query message as it is sent\&. By default, the query is not printed\&.
.RE
.PP
\fB+[no]question\fR
.RS 4
Toggles the display of the question section of a query when an answer is returned\&. The default is to print the question section as a comment\&.
.RE
.PP
\fB+[no]raflag\fR
.RS 4
Set [do not set] the RA (Recursion Available) bit in the query\&. The default is +noraflag\&. This bit should be ignored by the server for QUERY\&.
.RE
.PP
\fB+[no]rdflag\fR
.RS 4
A synonym for
\fI+[no]recurse\fR\&.
.RE
.PP
\fB+[no]recurse\fR
.RS 4
Toggle the setting of the RD (recursion desired) bit in the query\&. This bit is set by default, which means
\fBdig\fR
normally sends recursive queries\&. Recursion is automatically disabled when using the
\fI+nssearch\fR
option, and when using
\fI+trace\fR
except for an initial recursive query to get the list of root servers\&.
.RE
.PP
\fB+retry=T\fR
.RS 4
Sets the number of times to retry UDP queries to server to
\fIT\fR
instead of the default, 2\&. Unlike
\fI+tries\fR, this does not include the initial query\&.
.RE
.PP
\fB+[no]rrcomments\fR
.RS 4
Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is not to print record comments unless multiline mode is active\&.
.RE
.PP
\fB+[no]search\fR
.RS 4
Use [do not use] the search list defined by the searchlist or domain directive in
resolv\&.conf
(if any)\&. The search list is not used by default\&.
.sp
\*(Aqndots\*(Aq from
resolv\&.conf
(default 1) which may be overridden by
\fI+ndots\fR
determines if the name will be treated as relative or not and hence whether a search is eventually performed or not\&.
.RE
.PP
\fB+[no]short\fR
.RS 4
Provide a terse answer\&. The default is to print the answer in a verbose form\&. This option always has global effect; it cannot be set globally and then overridden on a per\-lookup basis\&.
.RE
.PP
\fB+[no]showsearch\fR
.RS 4
Perform [do not perform] a search showing intermediate results\&.
.RE
.PP
\fB+[no]sigchase\fR
.RS 4
This feature is now obsolete and has been removed; use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+split=W\fR
.RS 4
Split long hex\- or base64\-formatted fields in resource records into chunks of
\fIW\fR
characters (where
\fIW\fR
is rounded up to the nearest multiple of 4)\&.
\fI+nosplit\fR
or
\fI+split=0\fR
causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
.RE
.PP
\fB+[no]stats\fR
.RS 4
Toggles the printing of statistics: when the query was made, the size of the reply and so on\&. The default behavior is to print the query statistics as a comment after each lookup\&.
.RE
.PP
\fB+[no]subnet=addr[/prefix\-length]\fR
.RS 4
Send (don\*(Aqt send) an EDNS Client Subnet option with the specified IP address or network prefix\&.
.sp
\fBdig +subnet=0\&.0\&.0\&.0/0\fR, or simply
\fBdig +subnet=0\fR
for short, sends an EDNS CLIENT\-SUBNET option with an empty address and a source prefix\-length of zero, which signals a resolver that the client\*(Aqs address information must
\fInot\fR
be used when resolving this query\&.
.RE
.PP
\fB+[no]tcflag\fR
.RS 4
Set [do not set] the TC (TrunCation) bit in the query\&. The default is +notcflag\&. This bit should be ignored by the server for QUERY\&.
.RE
.PP
\fB+[no]tcp\fR
.RS 4
Use [do not use] TCP when querying name servers\&. The default behavior is to use UDP unless a type
any
or
ixfr=N
query is requested, in which case the default is TCP\&. AXFR queries always use TCP\&.
.RE
.PP
\fB+timeout=T\fR
.RS 4
Sets the timeout for a query to
\fIT\fR
seconds\&. The default timeout is 5 seconds\&. An attempt to set
\fIT\fR
to less than 1 will result in a query timeout of 1 second being applied\&.
.RE
.PP
\fB+[no]topdown\fR
.RS 4
This feature is related to
\fBdig +sigchase\fR, which is obsolete and has been removed\&. Use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+[no]trace\fR
.RS 4
Toggle tracing of the delegation path from the root name servers for the name being looked up\&. Tracing is disabled by default\&. When tracing is enabled,
\fBdig\fR
makes iterative queries to resolve the name being looked up\&. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup\&.
.sp
If @server is also specified, it affects only the initial query for the root zone name servers\&.
.sp
\fB+dnssec\fR
is also set when +trace is set to better emulate the default queries from a nameserver\&.
.RE
.PP
\fB+tries=T\fR
.RS 4
Sets the number of times to try UDP queries to server to
\fIT\fR
instead of the default, 3\&. If
\fIT\fR
is less than or equal to zero, the number of tries is silently rounded up to 1\&.
.RE
.PP
\fB+trusted\-key=####\fR
.RS 4
Formerly specified trusted keys for use with
\fBdig +sigchase\fR\&. This feature is now obsolete and has been removed; use
\fBdelv\fR
instead\&.
.RE
.PP
\fB+[no]ttlid\fR
.RS 4
Display [do not display] the TTL when printing the record\&.
.RE
.PP
\fB+[no]ttlunits\fR
.RS 4
Display [do not display] the TTL in friendly human\-readable time units of "s", "m", "h", "d", and "w", representing seconds, minutes, hours, days and weeks\&. Implies +ttlid\&.
.RE
.PP
\fB+[no]unexpected\fR
.RS 4
Accept [do not accept] answers from unexpected sources\&. By default,
\fBdig\fR
won\*(Aqt accept a reply from a source other than the one to which it sent the query\&.
.RE
.PP
\fB+[no]unknownformat\fR
.RS 4
Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
.RE
.PP
\fB+[no]vc\fR
.RS 4
Use [do not use] TCP when querying name servers\&. This alternate syntax to
\fI+[no]tcp\fR
is provided for backwards compatibility\&. The "vc" stands for "virtual circuit"\&.
.RE
.PP
\fB+[no]yaml\fR
.RS 4
Print the responses (and, if
\fB+qr\fR
is in use, also the outgoing queries) in a detailed YAML format\&.
.RE
.PP
\fB+[no]zflag\fR
.RS 4
Set [do not set] the last unassigned DNS header flag in a DNS query\&. This flag is off by default\&.
.RE
.SH "MULTIPLE QUERIES"
.PP
The BIND 9 implementation of
\fBdig \fR
supports specifying multiple queries on the command line (in addition to supporting the
\fB\-f\fR
batch file option)\&. Each of those queries can be supplied with its own set of flags, options and query options\&.
.PP
In this case, each
\fIquery\fR
argument represent an individual query in the command\-line syntax described above\&. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query\&.
.PP
A global set of query options, which should be applied to all queries, can also be supplied\&. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line\&. Any global query options (except
\fB+[no]cmd\fR
and
\fB+[no]short\fR
options) can be overridden by a query\-specific set of query options\&. For example:
.sp
.if n \{\
.RS 4
.\}
.nf
dig +qr www\&.isc\&.org any \-x 127\&.0\&.0\&.1 isc\&.org ns +noqr
.fi
.if n \{\
.RE
.\}
.sp
shows how
\fBdig\fR
could be used from the command line to make three lookups: an ANY query for
www\&.isc\&.org, a reverse lookup of 127\&.0\&.0\&.1 and a query for the NS records of
isc\&.org\&. A global query option of
\fI+qr\fR
is applied, so that
\fBdig\fR
shows the initial query it made for each lookup\&. The final query has a local query option of
\fI+noqr\fR
which means that
\fBdig\fR
will not print the initial query when it looks up the NS records for
isc\&.org\&.
.SH "IDN SUPPORT"
.PP
If
\fBdig\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBdig\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, use parameters
\fI+noidnin\fR
and
\fI+noidnout\fR
or define the
\fBIDN_DISABLE\fR
environment variable\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
.PP
${HOME}/\&.digrc
.SH "SEE ALSO"
.PP
\fBdelv\fR(1),
\fBhost\fR(1),
\fBnamed\fR(8),
\fBdnssec-keygen\fR(8),
RFC 1035\&.
.SH "BUGS"
.PP
There are probably too many query options\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2011, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -18,6 +18,7 @@
#include <time.h>
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/netaddr.h>
#include <isc/parseint.h>
#include <isc/platform.h>
@@ -41,12 +42,12 @@
#include <dns/result.h>
#include <dns/tsig.h>
#include <dig/dig.h>
#include "dighost.h"
#define ADD_STRING(b, s) \
{ \
if (strlen(s) >= isc_buffer_availablelength(b)) { \
return (ISC_R_NOSPACE); \
return ((((ISC_R_NOSPACE)))); \
} else { \
isc_buffer_putstr(b, s); \
} \
@@ -109,8 +110,8 @@ usage(void) {
fprintf(stderr, "Press <Help> for complete list of options\n");
}
#else /* if TARGET_OS_IPHONE */
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
@@ -125,7 +126,7 @@ usage(void) {
/*% version */
static void
version(void) {
fputs("DiG " VERSION "\n", stderr);
fprintf(stderr, "DiG %s\n", PACKAGE_VERSION);
}
/*% help */
@@ -179,7 +180,7 @@ help(void) {
"responses)\n"
" +[no]besteffort (Try to parse even illegal "
"messages)\n"
" +bufsize[=###] (Set EDNS0 Max UDP packet "
" +bufsize=### (Set EDNS0 Max UDP packet "
"size)\n"
" +[no]cdflag (Set checking disabled "
"flag in query)\n"
@@ -666,25 +667,15 @@ printmessage(dig_query_t *query, const isc_buffer_t *msgbuf, dns_message_t *msg,
if (!isc_time_isepoch(&query->time_sent)) {
char tbuf[100];
if (query->lookup->use_usec) {
isc_time_formatISO8601us(&query->time_sent,
tbuf, sizeof(tbuf));
} else {
isc_time_formatISO8601ms(&query->time_sent,
tbuf, sizeof(tbuf));
}
isc_time_formatISO8601ms(&query->time_sent, tbuf,
sizeof(tbuf));
printf(" query_time: !!timestamp %s\n", tbuf);
}
if (!isquery && !isc_time_isepoch(&query->time_recv)) {
char tbuf[100];
if (query->lookup->use_usec) {
isc_time_formatISO8601us(&query->time_recv,
tbuf, sizeof(tbuf));
} else {
isc_time_formatISO8601ms(&query->time_recv,
tbuf, sizeof(tbuf));
}
isc_time_formatISO8601ms(&query->time_recv, tbuf,
sizeof(tbuf));
printf(" response_time: !!timestamp %s\n", tbuf);
}
@@ -922,7 +913,8 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
if (printcmd) {
snprintf(lookup->cmdline, sizeof(lookup->cmdline),
"%s; <<>> DiG " VERSION " <<>>", first ? "\n" : "");
"%s; <<>> DiG %s <<>>", first ? "\n" : "",
PACKAGE_VERSION);
i = 1;
while (i < argc) {
snprintf(append, sizeof(append), " %s", argv[i++]);
@@ -1047,13 +1039,12 @@ plus_option(char *option, bool is_batchfile, dig_lookup_t *lookup) {
break;
case 'u': /* bufsize */
FULLCHECK("bufsize");
if (value == NULL) {
goto need_value;
}
if (!state) {
goto invalid_option;
}
if (value == NULL) {
lookup->udpsize = DEFAULT_EDNS_BUFSIZE;
break;
}
result = parse_uint(&num, value, COMMSIZE,
"buffer size");
if (result != ISC_R_SUCCESS) {
@@ -1061,9 +1052,6 @@ plus_option(char *option, bool is_batchfile, dig_lookup_t *lookup) {
goto exit_or_usage;
}
lookup->udpsize = num;
if (lookup->udpsize == 0) {
lookup->edns = -1;
}
break;
default:
goto invalid_option;
@@ -1103,7 +1091,7 @@ plus_option(char *option, bool is_batchfile, dig_lookup_t *lookup) {
case 'o': /* cookie */
FULLCHECK("cookie");
if (state && lookup->edns == -1) {
lookup->edns = DEFAULT_EDNS_VERSION;
lookup->edns = 0;
}
lookup->sendcookie = state;
if (value != NULL) {
@@ -1142,7 +1130,7 @@ plus_option(char *option, bool is_batchfile, dig_lookup_t *lookup) {
FULLCHECK("dnssec");
dnssec:
if (state && lookup->edns == -1) {
lookup->edns = DEFAULT_EDNS_VERSION;
lookup->edns = 0;
}
lookup->dnssec = state;
break;
@@ -1194,8 +1182,7 @@ plus_option(char *option, bool is_batchfile, dig_lookup_t *lookup) {
break;
}
if (value == NULL) {
lookup->edns =
DEFAULT_EDNS_VERSION;
lookup->edns = 0;
break;
}
result = parse_uint(&num, value,
@@ -1410,7 +1397,7 @@ plus_option(char *option, bool is_batchfile, dig_lookup_t *lookup) {
case 'i': /* nsid */
FULLCHECK("nsid");
if (state && lookup->edns == -1) {
lookup->edns = DEFAULT_EDNS_VERSION;
lookup->edns = 0;
}
lookup->nsid = state;
break;
@@ -1480,7 +1467,7 @@ plus_option(char *option, bool is_batchfile, dig_lookup_t *lookup) {
case 'p':
FULLCHECK("padding");
if (state && lookup->edns == -1) {
lookup->edns = DEFAULT_EDNS_VERSION;
lookup->edns = 0;
}
if (value == NULL) {
goto need_value;
@@ -1648,7 +1635,7 @@ plus_option(char *option, bool is_batchfile, dig_lookup_t *lookup) {
break;
}
if (lookup->edns == -1) {
lookup->edns = DEFAULT_EDNS_VERSION;
lookup->edns = 0;
}
if (lookup->ecs_addr != NULL) {
isc_mem_free(mctx, lookup->ecs_addr);
@@ -2197,20 +2184,16 @@ preparse_args(int argc, char **argv) {
continue;
}
/* Look for dash value option. */
if (strpbrk(option, dash_opts) != &option[0]) {
goto invalid_option;
}
if (strlen(option) > 1U) {
/* value in option. */
if (strpbrk(option, dash_opts) != &option[0] ||
strlen(option) > 1U) {
/* Error or value in option. */
continue;
}
/* Dash value is next argument so we need to skip it. */
rc--, rv++;
/* Handle missing argument */
if (rc == 0) {
invalid_option:
fprintf(stderr, "Invalid option: -%s\n", option);
usage();
break;
}
}
}
@@ -2267,7 +2250,7 @@ parse_args(bool is_batchfile, bool config_only, int argc, char **argv) {
debug("making new lookup");
default_lookup = make_empty_lookup();
default_lookup->adflag = true;
default_lookup->edns = DEFAULT_EDNS_VERSION;
default_lookup->edns = 0;
default_lookup->sendcookie = true;
#ifndef NOPOSIX
@@ -2677,7 +2660,7 @@ dig_query_setup(bool is_batchfile, bool config_only, int argc, char **argv) {
}
void
dig_startup() {
dig_startup(void) {
isc_result_t result;
debug("dig_startup()");
@@ -2688,12 +2671,12 @@ dig_startup() {
}
void
dig_query_start() {
dig_query_start(void) {
start_lookup();
}
void
dig_shutdown() {
dig_shutdown(void) {
destroy_lookup(default_lookup);
if (atomic_load(&batchname) != 0) {
if (batchfp != stdin) {

1431
bin/dig/dig.docbook Normal file

File diff suppressed because it is too large Load Diff

1155
bin/dig/dig.html Normal file

File diff suppressed because it is too large Load Diff

View File

@@ -1,633 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_dig:
dig - DNS lookup utility
------------------------
Synopsis
~~~~~~~~
:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
:program:`dig` [**-h**]
:program:`dig` [global-queryopt...] [query...]
Description
~~~~~~~~~~~
``dig`` is a flexible tool for interrogating DNS name servers. It
performs DNS lookups and displays the answers that are returned from the
name server(s) that were queried. Most DNS administrators use ``dig`` to
troubleshoot DNS problems because of its flexibility, ease of use, and
clarity of output. Other lookup tools tend to have less functionality
than ``dig``.
Although ``dig`` is normally used with command-line arguments, it also
has a batch mode of operation for reading lookup requests from a file. A
brief summary of its command-line arguments and options is printed when
the ``-h`` option is given. The BIND 9
implementation of ``dig`` allows multiple lookups to be issued from the
command line.
Unless it is told to query a specific name server, ``dig`` tries each
of the servers listed in ``/etc/resolv.conf``. If no usable server
addresses are found, ``dig`` sends the query to the local host.
When no command-line arguments or options are given, ``dig``
performs an NS query for "." (the root).
It is possible to set per-user defaults for ``dig`` via
``${HOME}/.digrc``. This file is read and any options in it are applied
before the command-line arguments. The ``-r`` option disables this
feature, for scripts that need predictable behavior.
The IN and CH class names overlap with the IN and CH top-level domain
names. Either use the ``-t`` and ``-c`` options to specify the type and
class, use the ``-q`` to specify the domain name, or use "IN." and
"CH." when looking up these top-level domains.
Simple Usage
~~~~~~~~~~~~
A typical invocation of ``dig`` looks like:
::
dig @server name type
where:
``server``
is the name or IP address of the name server to query. This can be an
IPv4 address in dotted-decimal notation or an IPv6 address in
colon-delimited notation. When the supplied ``server`` argument is a
hostname, ``dig`` resolves that name before querying that name
server.
If no ``server`` argument is provided, ``dig`` consults
``/etc/resolv.conf``; if an address is found there, it queries the
name server at that address. If either of the ``-4`` or ``-6``
options are in use, then only addresses for the corresponding
transport are tried. If no usable addresses are found, ``dig``
sends the query to the local host. The reply from the name server
that responds is displayed.
``name``
is the name of the resource record that is to be looked up.
``type``
indicates what type of query is required - ANY, A, MX, SIG, etc.
``type`` can be any valid query type. If no ``type`` argument is
supplied, ``dig`` performs a lookup for an A record.
Options
~~~~~~~
``-4``
This option indicates that only IPv4 should be used.
``-6``
This option indicates that only IPv6 should be used.
``-b address[#port]``
This option sets the source IP address of the query. The ``address`` must be a
valid address on one of the host's network interfaces, or "0.0.0.0"
or "::". An optional port may be specified by appending ``#port``.
``-c class``
This option sets the query class. The default ``class`` is IN; other classes are
HS for Hesiod records or CH for Chaosnet records.
``-f file``
This option sets batch mode, in which ``dig`` reads a list of lookup requests to process from
the given ``file``. Each line in the file should be organized in the
same way it would be presented as a query to ``dig`` using the
command-line interface.
``-k keyfile``
This option tells ``named`` to sign queries using TSIG using a key read from the given file. Key
files can be generated using ``tsig-keygen``. When using TSIG
authentication with ``dig``, the name server that is queried needs to
know the key and algorithm that is being used. In BIND, this is done
by providing appropriate ``key`` and ``server`` statements in
``named.conf``.
``-m``
This option enables memory usage debugging.
``-p port``
This option sends the query to a non-standard port on the server, instead of the
default port 53. This option is used to test a name server that
has been configured to listen for queries on a non-standard port
number.
``-q name``
This option specifies the domain name to query. This is useful to distinguish the ``name``
from other arguments.
``-r``
This option indicates that options from ``${HOME}/.digrc`` should not be read. This is useful for
scripts that need predictable behavior.
``-t type``
This option indicates the resource record type to query, which can be any valid query type. If
it is a resource record type supported in BIND 9, it can be given by
the type mnemonic (such as ``NS`` or ``AAAA``). The default query type is
``A``, unless the ``-x`` option is supplied to indicate a reverse
lookup. A zone transfer can be requested by specifying a type of
AXFR. When an incremental zone transfer (IXFR) is required, set the
``type`` to ``ixfr=N``. The incremental zone transfer contains
all changes made to the zone since the serial number in the zone's
SOA record was ``N``.
All resource record types can be expressed as ``TYPEnn``, where ``nn`` is
the number of the type. If the resource record type is not supported
in BIND 9, the result is displayed as described in :rfc:`3597`.
``-u``
This option indicates that print query times should be provided in microseconds instead of milliseconds.
``-v``
This option prints the version number and exits.
``-x addr``
This option sets simplified reverse lookups, for mapping addresses to names. The
``addr`` is an IPv4 address in dotted-decimal notation, or a
colon-delimited IPv6 address. When the ``-x`` option is used, there is no
need to provide the ``name``, ``class``, and ``type`` arguments.
``dig`` automatically performs a lookup for a name like
``94.2.0.192.in-addr.arpa`` and sets the query type and class to PTR
and IN respectively. IPv6 addresses are looked up using nibble format
under the IP6.ARPA domain.
``-y [hmac:]keyname:secret``
This option signs queries using TSIG with the given authentication key.
``keyname`` is the name of the key, and ``secret`` is the
base64-encoded shared secret. ``hmac`` is the name of the key algorithm;
valid choices are ``hmac-md5``, ``hmac-sha1``, ``hmac-sha224``,
``hmac-sha256``, ``hmac-sha384``, or ``hmac-sha512``. If ``hmac`` is
not specified, the default is ``hmac-md5``; if MD5 was disabled, the default is
``hmac-sha256``.
.. note:: Only the ``-k`` option should be used, rather than the ``-y`` option,
because with ``-y`` the shared secret is supplied as a command-line
argument in clear text. This may be visible in the output from ``ps1`` or
in a history file maintained by the user's shell.
Query Options
~~~~~~~~~~~~~
``dig`` provides a number of query options which affect the way in which
lookups are made and the results displayed. Some of these set or reset
flag bits in the query header, some determine which sections of the
answer get printed, and others determine the timeout and retry
strategies.
Each query option is identified by a keyword preceded by a plus sign
(``+``). Some keywords set or reset an option; these may be preceded by
the string ``no`` to negate the meaning of that keyword. Other keywords
assign values to options, like the timeout interval. They have the form
``+keyword=value``. Keywords may be abbreviated, provided the
abbreviation is unambiguous; for example, ``+cd`` is equivalent to
``+cdflag``. The query options are:
``+[no]aaflag``
This option is a synonym for ``+[no]aaonly``.
``+[no]aaonly``
This option sets the ``aa`` flag in the query.
``+[no]additional``
This option displays [or does not display] the additional section of a reply. The
default is to display it.
``+[no]adflag``
This option sets [or does not set] the AD (authentic data) bit in the query. This
requests the server to return whether all of the answer and authority
sections have been validated as secure, according to the security
policy of the server. ``AD=1`` indicates that all records have been
validated as secure and the answer is not from a OPT-OUT range. ``AD=0``
indicates that some part of the answer was insecure or not validated.
This bit is set by default.
``+[no]all``
This option sets or clears all display flags.
``+[no]answer``
This option displays [or does not display] the answer section of a reply. The default
is to display it.
``+[no]authority``
This option displays [or does not display] the authority section of a reply. The
default is to display it.
``+[no]badcookie``
This option retries the lookup with a new server cookie if a BADCOOKIE response is
received.
``+[no]besteffort``
This option attempts to display the contents of messages which are malformed. The
default is to not display malformed answers.
``+bufsize[=B]``
This option sets the UDP message buffer size advertised using EDNS0
to ``B`` bytes. The maximum and minimum sizes of this buffer are
65535 and 0, respectively. ``+bufsize=0`` disables EDNS (use
``+bufsize=0 +edns`` to send an EDNS message with an advertised size
of 0 bytes). ``+bufsize`` restores the default buffer size.
``+[no]cdflag``
This option sets [or does not set] the CD (checking disabled) bit in the query. This
requests the server to not perform DNSSEC validation of responses.
``+[no]class``
This option displays [or does not display] the CLASS when printing the record.
``+[no]cmd``
This option toggles the printing of the initial comment in the output, identifying the
version of ``dig`` and the query options that have been applied. This option
always has a global effect; it cannot be set globally and then overridden on a
per-lookup basis. The default is to print this comment.
``+[no]comments``
This option toggles the display of some comment lines in the output, with
information about the packet header and OPT pseudosection, and the names of
the response section. The default is to print these comments.
Other types of comments in the output are not affected by this option, but
can be controlled using other command-line switches. These include
``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``.
``+[no]cookie=####``
This option sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE
from a previous response allows the server to identify a previous
client. The default is ``+cookie``.
``+cookie`` is also set when ``+trace`` is set to better emulate the
default queries from a nameserver.
``+[no]crypto``
This option toggles the display of cryptographic fields in DNSSEC records. The
contents of these fields are unnecessary for debugging most DNSSEC
validation failures and removing them makes it easier to see the
common failures. The default is to display the fields. When omitted,
they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
key ID is displayed as the replacement, e.g. ``[ key id = value ]``.
``+[no]defname``
This option, which is deprecated, is treated as a synonym for ``+[no]search``.
``+[no]dnssec``
This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
the OPT record in the additional section of the query.
``+domain=somename``
This option sets the search list to contain the single domain ``somename``, as if
specified in a ``domain`` directive in ``/etc/resolv.conf``, and
enables search list processing as if the ``+search`` option were
given.
``+dscp=value``
This option sets the DSCP code point to be used when sending the query. Valid DSCP
code points are in the range [0...63]. By default no code point is
explicitly set.
``+[no]edns[=#]``
This option specifies the EDNS version to query with. Valid values are 0 to 255.
Setting the EDNS version causes an EDNS query to be sent.
``+noedns`` clears the remembered EDNS version. EDNS is set to 0 by
default.
``+[no]ednsflags[=#]``
This option sets the must-be-zero EDNS flags bits (Z bits) to the specified value.
Decimal, hex, and octal encodings are accepted. Setting a named flag
(e.g., DO) is silently ignored. By default, no Z bits are set.
``+[no]ednsnegotiation``
This option enables/disables EDNS version negotiation. By default, EDNS version
negotiation is enabled.
``+[no]ednsopt[=code[:value]]``
This option specifies the EDNS option with code point ``code`` and an optional payload
of ``value`` as a hexadecimal string. ``code`` can be either an EDNS
option name (for example, ``NSID`` or ``ECS``) or an arbitrary
numeric value. ``+noednsopt`` clears the EDNS options to be sent.
``+[no]expire``
This option sends an EDNS Expire option.
``+[no]fail``
This option indicates that ``named`` should try [or not try] the next server if a SERVFAIL is received. The default is
to not try the next server, which is the reverse of normal stub
resolver behavior.
``+[no]header-only``
This option sends a query with a DNS header without a question section. The
default is to add a question section. The query type and query name
are ignored when this is set.
``+[no]identify``
This option shows [or does not show] the IP address and port number that supplied
the answer, when the ``+short`` option is enabled. If short form
answers are requested, the default is not to show the source address
and port number of the server that provided the answer.
``+[no]idnin``
This option processes [or does not process] IDN domain names on input. This requires
``IDN SUPPORT`` to have been enabled at compile time.
The default is to process IDN input when standard output is a tty.
The IDN processing on input is disabled when ``dig`` output is redirected
to files, pipes, and other non-tty file descriptors.
``+[no]idnout``
This option converts [or does not convert] puny code on output. This requires
``IDN SUPPORT`` to have been enabled at compile time.
The default is to process puny code on output when standard output is
a tty. The puny code processing on output is disabled when ``dig`` output
is redirected to files, pipes, and other non-tty file descriptors.
``+[no]ignore``
This option ignores [or does not ignore] truncation in UDP responses instead of retrying with TCP. By
default, TCP retries are performed.
``+[no]keepalive``
This option sends [or does not send] an EDNS Keepalive option.
``+[no]keepopen``
This option keeps [or does not keep] the TCP socket open between queries, and reuses it rather than
creating a new TCP socket for each lookup. The default is
``+nokeepopen``.
``+[no]mapped``
This option allows [or does not allow] mapped IPv4-over-IPv6 addresses to be used. The default is
``+mapped``.
``+[no]multiline``
This option prints [or does not print] records, like the SOA records, in a verbose multi-line format
with human-readable comments. The default is to print each record on
a single line to facilitate machine parsing of the ``dig`` output.
``+ndots=D``
This option sets the number of dots (``D``) that must appear in ``name`` for
it to be considered absolute. The default value is that defined using
the ``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots``
statement is present. Names with fewer dots are interpreted as
relative names, and are searched for in the domains listed in the
``search`` or ``domain`` directive in ``/etc/resolv.conf`` if
``+search`` is set.
``+[no]nsid``
When enabled, this option includes an EDNS name server ID request when sending a query.
``+[no]nssearch``
When this option is set, ``dig`` attempts to find the authoritative
name servers for the zone containing the name being looked up, and
display the SOA record that each name server has for the zone.
Addresses of servers that did not respond are also printed.
``+[no]onesoa``
When enabled, this option prints only one (starting) SOA record when performing an AXFR. The
default is to print both the starting and ending SOA records.
``+[no]opcode=value``
When enabled, this option sets (restores) the DNS message opcode to the specified value. The
default value is QUERY (0).
``+padding=value``
This option pads the size of the query packet using the EDNS Padding option to
blocks of ``value`` bytes. For example, ``+padding=32`` causes a
48-byte query to be padded to 64 bytes. The default block size is 0,
which disables padding; the maximum is 512. Values are ordinarily
expected to be powers of two, such as 128; however, this is not
mandatory. Responses to padded queries may also be padded, but only
if the query uses TCP or DNS COOKIE.
``+[no]qr``
This option toggles the display of the query message as it is sent. By default, the query
is not printed.
``+[no]question``
This option toggles the display of the question section of a query when an answer is
returned. The default is to print the question section as a comment.
``+[no]raflag``
This option sets [or does not set] the RA (Recursion Available) bit in the query. The
default is ``+noraflag``. This bit is ignored by the server for
QUERY.
``+[no]rdflag``
This option is a synonym for ``+[no]recurse``.
``+[no]recurse``
This option toggles the setting of the RD (recursion desired) bit in the query.
This bit is set by default, which means ``dig`` normally sends
recursive queries. Recursion is automatically disabled when the
``+nssearch`` or ``+trace`` query option is used.
``+retry=T``
This option sets the number of times to retry UDP and TCP queries to server to ``T``
instead of the default, 2. Unlike ``+tries``, this does not include
the initial query.
``+[no]rrcomments``
This option toggles the display of per-record comments in the output (for example,
human-readable key information about DNSKEY records). The default is
not to print record comments unless multiline mode is active.
``+[no]search``
This option uses [or does not use] the search list defined by the searchlist or domain
directive in ``resolv.conf``, if any. The search list is not used by
default.
``ndots`` from ``resolv.conf`` (default 1), which may be overridden by
``+ndots``, determines whether the name is treated as relative
and hence whether a search is eventually performed.
``+[no]short``
This option toggles whether a terse answer is provided. The default is to print the answer in a verbose
form. This option always has a global effect; it cannot be set globally and
then overridden on a per-lookup basis.
``+[no]showsearch``
This option performs [or does not perform] a search showing intermediate results.
``+[no]sigchase``
This feature is now obsolete and has been removed; use ``delv``
instead.
``+split=W``
This option splits long hex- or base64-formatted fields in resource records into
chunks of ``W`` characters (where ``W`` is rounded up to the nearest
multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
split at all. The default is 56 characters, or 44 characters when
multiline mode is active.
``+[no]stats``
This option toggles the printing of statistics: when the query was made, the size of the
reply, etc. The default behavior is to print the query statistics as a
comment after each lookup.
``+[no]subnet=addr[/prefix-length]``
This option sends [or does not send] an EDNS CLIENT-SUBNET option with the specified IP
address or network prefix.
``dig +subnet=0.0.0.0/0``, or simply ``dig +subnet=0`` for short,
sends an EDNS CLIENT-SUBNET option with an empty address and a source
prefix-length of zero, which signals a resolver that the client's
address information must *not* be used when resolving this query.
``+[no]tcflag``
This option sets [or does not set] the TC (TrunCation) bit in the query. The default is
``+notcflag``. This bit is ignored by the server for QUERY.
``+[no]tcp``
This option uses [or does not use] TCP when querying name servers. The default behavior
is to use UDP unless a type ``any`` or ``ixfr=N`` query is requested,
in which case the default is TCP. AXFR queries always use TCP.
``+timeout=T``
This option sets the timeout for a query to ``T`` seconds. The default timeout is
5 seconds. An attempt to set ``T`` to less than 1 is silently set to 1.
``+[no]topdown``
This feature is related to ``dig +sigchase``, which is obsolete and
has been removed. Use ``delv`` instead.
``+[no]trace``
This option toggles tracing of the delegation path from the root name servers for
the name being looked up. Tracing is disabled by default. When
tracing is enabled, ``dig`` makes iterative queries to resolve the
name being looked up. It follows referrals from the root servers,
showing the answer from each server that was used to resolve the
lookup.
If ``@server`` is also specified, it affects only the initial query for
the root zone name servers.
``+dnssec`` is also set when ``+trace`` is set, to better emulate the
default queries from a name server.
``+tries=T``
This option sets the number of times to try UDP and TCP queries to server to ``T``
instead of the default, 3. If ``T`` is less than or equal to zero,
the number of tries is silently rounded up to 1.
``+trusted-key=####``
This option formerly specified trusted keys for use with ``dig +sigchase``. This
feature is now obsolete and has been removed; use ``delv`` instead.
``+[no]ttlid``
This option displays [or does not display] the TTL when printing the record.
``+[no]ttlunits``
This option displays [or does not display] the TTL in friendly human-readable time
units of ``s``, ``m``, ``h``, ``d``, and ``w``, representing seconds, minutes,
hours, days, and weeks. This implies ``+ttlid``.
``+[no]unexpected``
This option accepts [or does not accept] answers from unexpected sources. By default, ``dig``
will not accept a reply from a source other than the one to which it sent the
query.
``+[no]unknownformat``
This option prints all RDATA in unknown RR type presentation format (:rfc:`3597`).
The default is to print RDATA for known types in the type's
presentation format.
``+[no]vc``
This option uses [or does not use] TCP when querying name servers. This alternate
syntax to ``+[no]tcp`` is provided for backwards compatibility. The
``vc`` stands for "virtual circuit."
``+[no]yaml``
When enabled, this option prints the responses (and, if ``+qr`` is in use, also the
outgoing queries) in a detailed YAML format.
``+[no]zflag``
This option sets [or does not set] the last unassigned DNS header flag in a DNS query.
This flag is off by default.
Multiple Queries
~~~~~~~~~~~~~~~~
The BIND 9 implementation of ``dig`` supports specifying multiple
queries on the command line (in addition to supporting the ``-f`` batch
file option). Each of those queries can be supplied with its own set of
flags, options, and query options.
In this case, each ``query`` argument represents an individual query in
the command-line syntax described above. Each consists of any of the
standard options and flags, the name to be looked up, an optional query
type and class, and any query options that should be applied to that
query.
A global set of query options, which should be applied to all queries,
can also be supplied. These global query options must precede the first
tuple of name, class, type, options, flags, and query options supplied
on the command line. Any global query options (except ``+[no]cmd`` and
``+[no]short`` options) can be overridden by a query-specific set of
query options. For example:
::
dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
shows how ``dig`` can be used from the command line to make three
lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1,
and a query for the NS records of ``isc.org``. A global query option of
``+qr`` is applied, so that ``dig`` shows the initial query it made for
each lookup. The final query has a local query option of ``+noqr`` which
means that ``dig`` does not print the initial query when it looks up the
NS records for ``isc.org``.
IDN Support
~~~~~~~~~~~
If ``dig`` has been built with IDN (internationalized domain name)
support, it can accept and display non-ASCII domain names. ``dig``
appropriately converts character encoding of a domain name before sending
a request to a DNS server or displaying a reply from the server.
To turn off IDN support, use the parameters
``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment
variable.
Files
~~~~~
``/etc/resolv.conf``
``${HOME}/.digrc``
See Also
~~~~~~~~
:manpage:`delv(1)`, :manpage:`host(1)`, :manpage:`named(8)`, :manpage:`dnssec-keygen(8)`, :rfc:`1035`.
Bugs
~~~~
There are probably too many query options.

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -84,7 +84,7 @@
#include <bind9/getaddresses.h>
#include <dig/dig.h>
#include "dighost.h"
#if USE_PKCS11
#include <pk11/result.h>
@@ -667,7 +667,7 @@ make_empty_lookup(void) {
looknew->idnin = false;
looknew->idnout = false;
#endif /* HAVE_LIBIDN2 */
looknew->udpsize = -1;
looknew->udpsize = 0;
looknew->edns = -1;
looknew->recurse = true;
looknew->aaonly = false;
@@ -1452,7 +1452,6 @@ dig_ednsoptname_t optnames[] = {
{ 12, "PAD" }, /* shorthand */
{ 13, "CHAIN" }, /* RFC 7901 */
{ 14, "KEY-TAG" }, /* RFC 8145 */
{ 15, "EDE" }, /* ietf-dnsop-extended-error-16 */
{ 16, "CLIENT-TAG" }, /* draft-bellis-dnsop-edns-tags */
{ 17, "SERVER-TAG" }, /* draft-bellis-dnsop-edns-tags */
{ 26946, "DEVICEID" }, /* Brian Hartvigsen */
@@ -1676,7 +1675,7 @@ destroy_lookup(dig_lookup_t *lookup) {
isc_mem_free(mctx, ptr);
}
if (lookup->sendmsg != NULL) {
dns_message_detach(&lookup->sendmsg);
dns_message_destroy(&lookup->sendmsg);
}
if (lookup->querysig != NULL) {
debug("freeing buffer %p", lookup->querysig);
@@ -2101,7 +2100,9 @@ setup_lookup(dig_lookup_t *lookup) {
debug("setup_lookup(%p)", lookup);
dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &lookup->sendmsg);
result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
&lookup->sendmsg);
check_result(result, "dns_message_create");
if (lookup->new_search) {
debug("resetting lookup counter.");
@@ -2364,11 +2365,11 @@ setup_lookup(dig_lookup_t *lookup) {
* and DNS_EDNSOPTIONS set by other arguments
* (+nsid, +cookie, etc).
*/
if (lookup->udpsize < 0) {
lookup->udpsize = DEFAULT_EDNS_BUFSIZE;
if (lookup->udpsize == 0) {
lookup->udpsize = 4096;
}
if (lookup->edns < 0) {
lookup->edns = DEFAULT_EDNS_VERSION;
lookup->edns = 0;
}
if (lookup->nsid) {
@@ -2935,11 +2936,7 @@ send_udp(dig_query_t *query) {
}
isc_buffer_usedregion(&query->sendbuf, &r);
debug("sending a request");
if (query->lookup->use_usec) {
TIME_NOW_HIRES(&query->time_sent);
} else {
TIME_NOW(&query->time_sent);
}
TIME_NOW(&query->time_sent);
INSIST(query->sock != NULL);
query->waiting_senddone = true;
sevent = isc_socket_socketevent(
@@ -3079,8 +3076,7 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
*/
static void
requeue_or_update_exitcode(dig_lookup_t *lookup) {
if (lookup->eoferr == 0U && lookup->retries > 1) {
--lookup->retries;
if (lookup->eoferr == 0U) {
/*
* Peer closed the connection prematurely for the first time
* for this lookup. Try again, keeping track of this failure.
@@ -3222,11 +3218,7 @@ launch_next_query(dig_query_t *query, bool include_question) {
debug("recvcount=%d", recvcount);
if (!query->first_soa_rcvd) {
debug("sending a request in launch_next_query");
if (query->lookup->use_usec) {
TIME_NOW_HIRES(&query->time_sent);
} else {
TIME_NOW(&query->time_sent);
}
TIME_NOW(&query->time_sent);
query->waiting_senddone = true;
isc_buffer_clear(&query->tmpsendbuf);
isc_buffer_putuint16(&query->tmpsendbuf,
@@ -3632,11 +3624,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
INSIST(recvcount >= 0);
query = event->ev_arg;
if (query->lookup->use_usec) {
TIME_NOW_HIRES(&query->time_recv);
} else {
TIME_NOW(&query->time_recv);
}
TIME_NOW(&query->time_recv);
l = query->lookup;
@@ -3777,7 +3765,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
goto udp_mismatch;
}
dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
check_result(result, "dns_message_create");
if (tsigkey != NULL) {
if (l->querysig == NULL) {
@@ -3817,7 +3806,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
hex_dump(&b);
}
query->waiting_connect = false;
dns_message_detach(&msg);
dns_message_destroy(&msg);
isc_event_free(&event);
clear_query(query);
cancel_lookup(l);
@@ -3839,7 +3828,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
dighost_warning("Warning: Opcode mismatch: expected %s, got %s",
expect, got);
dns_message_detach(&msg);
dns_message_destroy(&msg);
if (l->tcp_mode) {
isc_event_free(&event);
clear_query(query);
@@ -3891,7 +3880,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
}
}
if (!match) {
dns_message_detach(&msg);
dns_message_destroy(&msg);
if (l->tcp_mode) {
isc_event_free(&event);
clear_query(query);
@@ -3917,7 +3906,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
if (l->trace && l->trace_root) {
n->rdtype = l->qrdtype;
}
dns_message_detach(&msg);
dns_message_destroy(&msg);
isc_event_free(&event);
clear_query(query);
cancel_lookup(l);
@@ -3936,7 +3925,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
if (l->trace && l->trace_root) {
n->rdtype = l->qrdtype;
}
dns_message_detach(&msg);
dns_message_destroy(&msg);
isc_event_free(&event);
clear_query(query);
cancel_lookup(l);
@@ -3960,7 +3949,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
if (l->trace && l->trace_root) {
n->rdtype = l->qrdtype;
}
dns_message_detach(&msg);
dns_message_destroy(&msg);
isc_event_free(&event);
clear_query(query);
cancel_lookup(l);
@@ -4001,7 +3990,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
query->servname);
clear_query(query);
check_next_lookup(l);
dns_message_detach(&msg);
dns_message_destroy(&msg);
isc_event_free(&event);
UNLOCK_LOOKUP;
return;
@@ -4134,7 +4123,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
}
if (l->doing_xfr) {
if (query != l->xfr_q) {
dns_message_detach(&msg);
dns_message_destroy(&msg);
isc_event_free(&event);
query->waiting_connect = false;
UNLOCK_LOOKUP;
@@ -4144,7 +4133,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
docancel = check_for_more_data(query, msg, sevent);
}
if (docancel) {
dns_message_detach(&msg);
dns_message_destroy(&msg);
clear_query(query);
cancel_lookup(l);
check_next_lookup(l);
@@ -4160,14 +4149,14 @@ recv_done(isc_task_t *task, isc_event_t *event) {
}
if (!query->lookup->ns_search_only ||
query->lookup->trace_root || docancel) {
dns_message_detach(&msg);
dns_message_destroy(&msg);
cancel_lookup(l);
}
clear_query(query);
check_next_lookup(l);
}
if (msg != NULL) {
dns_message_detach(&msg);
dns_message_destroy(&msg);
}
isc_event_free(&event);
UNLOCK_LOOKUP;

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -17,6 +17,7 @@
#include <inttypes.h>
#include <stdbool.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/bufferlist.h>
#include <isc/formatcheck.h>
@@ -68,10 +69,6 @@
#define SERVER_TIMEOUT 1
#define LOOKUP_LIMIT 64
#define DEFAULT_EDNS_VERSION 0
#define DEFAULT_EDNS_BUFSIZE 4096
/*%
* Lookup_limit is just a limiter, keeping too many lookups from being
* created. It's job is mainly to prevent the program from running away
@@ -81,7 +78,7 @@
ISC_LANG_BEGINDECLS
typedef struct dig_lookup dig_lookup_t;
typedef struct dig_query dig_query_t;
typedef struct dig_query dig_query_t;
typedef struct dig_server dig_server_t;
typedef ISC_LIST(dig_server_t) dig_serverlist_t;
typedef struct dig_searchlist dig_searchlist_t;
@@ -116,76 +113,76 @@ struct dig_lookup {
* sources. */
char textname[MXNAME]; /*% Name we're going to be
* looking up */
char cmdline[MXNAME];
dns_rdatatype_t rdtype;
dns_rdatatype_t qrdtype;
char cmdline[MXNAME];
dns_rdatatype_t rdtype;
dns_rdatatype_t qrdtype;
dns_rdataclass_t rdclass;
bool rdtypeset;
bool rdclassset;
char name_space[BUFSIZE];
char oname_space[BUFSIZE];
isc_buffer_t namebuf;
isc_buffer_t onamebuf;
isc_buffer_t renderbuf;
char * sendspace;
dns_name_t * name;
isc_interval_t interval;
dns_message_t * sendmsg;
dns_name_t * oname;
bool rdtypeset;
bool rdclassset;
char name_space[BUFSIZE];
char oname_space[BUFSIZE];
isc_buffer_t namebuf;
isc_buffer_t onamebuf;
isc_buffer_t renderbuf;
char *sendspace;
dns_name_t *name;
isc_interval_t interval;
dns_message_t *sendmsg;
dns_name_t *oname;
ISC_LINK(dig_lookup_t) link;
ISC_LIST(dig_query_t) q;
ISC_LIST(dig_query_t) connecting;
dig_query_t * current_query;
dig_serverlist_t my_server_list;
dig_query_t *current_query;
dig_serverlist_t my_server_list;
dig_searchlist_t *origin;
dig_query_t * xfr_q;
uint32_t retries;
int nsfound;
int16_t udpsize;
int16_t edns;
int16_t padding;
uint32_t ixfr_serial;
isc_buffer_t rdatabuf;
char rdatastore[MXNAME];
dst_context_t * tsigctx;
isc_buffer_t * querysig;
uint32_t msgcounter;
dns_fixedname_t fdomain;
isc_sockaddr_t * ecs_addr;
char * cookie;
dns_ednsopt_t * ednsopts;
unsigned int ednsoptscnt;
isc_dscp_t dscp;
unsigned int ednsflags;
dns_opcode_t opcode;
int rrcomments;
unsigned int eoferr;
dig_query_t *xfr_q;
uint32_t retries;
int nsfound;
uint16_t udpsize;
int16_t edns;
int16_t padding;
uint32_t ixfr_serial;
isc_buffer_t rdatabuf;
char rdatastore[MXNAME];
dst_context_t *tsigctx;
isc_buffer_t *querysig;
uint32_t msgcounter;
dns_fixedname_t fdomain;
isc_sockaddr_t *ecs_addr;
char *cookie;
dns_ednsopt_t *ednsopts;
unsigned int ednsoptscnt;
isc_dscp_t dscp;
unsigned int ednsflags;
dns_opcode_t opcode;
int rrcomments;
unsigned int eoferr;
};
/*% The dig_query structure */
struct dig_query {
unsigned int magic;
unsigned int magic;
dig_lookup_t *lookup;
bool waiting_connect, pending_free, waiting_senddone, first_pass,
first_soa_rcvd, second_rr_rcvd, first_repeat_rcvd, recv_made,
warn_id, timedout;
uint32_t first_rr_serial;
uint32_t second_rr_serial;
uint32_t msg_count;
uint32_t rr_count;
bool ixfr_axfr;
char * servname;
char * userarg;
isc_buffer_t recvbuf, lengthbuf, tmpsendbuf, sendbuf;
char * recvspace, *tmpsendspace, lengthspace[4];
uint32_t first_rr_serial;
uint32_t second_rr_serial;
uint32_t msg_count;
uint32_t rr_count;
bool ixfr_axfr;
char *servname;
char *userarg;
isc_buffer_t recvbuf, lengthbuf, tmpsendbuf, sendbuf;
char *recvspace, *tmpsendspace, lengthspace[4];
isc_socket_t *sock;
ISC_LINK(dig_query_t) link;
ISC_LINK(dig_query_t) clink;
isc_sockaddr_t sockaddr;
isc_time_t time_sent;
isc_time_t time_recv;
uint64_t byte_count;
isc_timer_t * timer;
isc_time_t time_sent;
isc_time_t time_recv;
uint64_t byte_count;
isc_timer_t *timer;
};
struct dig_server {
@@ -206,38 +203,38 @@ typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
* Externals from dighost.c
*/
extern dig_lookuplist_t lookup_list;
extern dig_serverlist_t server_list;
extern dig_lookuplist_t lookup_list;
extern dig_serverlist_t server_list;
extern dig_searchlistlist_t search_list;
extern unsigned int extrabytes;
extern unsigned int extrabytes;
extern bool check_ra, have_ipv4, have_ipv6, specified_source, usesearch,
showsearch, yaml;
extern in_port_t port;
extern unsigned int timeout;
extern isc_mem_t * mctx;
extern int sendcount;
extern int ndots;
extern int lookup_counter;
extern int exitcode;
extern isc_sockaddr_t bind_address;
extern char keynametext[MXNAME];
extern char keyfile[MXNAME];
extern char keysecret[MXNAME];
extern in_port_t port;
extern unsigned int timeout;
extern isc_mem_t *mctx;
extern int sendcount;
extern int ndots;
extern int lookup_counter;
extern int exitcode;
extern isc_sockaddr_t bind_address;
extern char keynametext[MXNAME];
extern char keyfile[MXNAME];
extern char keysecret[MXNAME];
extern const dns_name_t *hmacname;
extern unsigned int digestbits;
extern dns_tsigkey_t * tsigkey;
extern bool validated;
extern isc_taskmgr_t * taskmgr;
extern isc_task_t * global_task;
extern bool free_now;
extern bool debugging, debugtiming, memdebugging;
extern bool keep_open;
extern unsigned int digestbits;
extern dns_tsigkey_t *tsigkey;
extern bool validated;
extern isc_taskmgr_t *taskmgr;
extern isc_task_t *global_task;
extern bool free_now;
extern bool debugging, debugtiming, memdebugging;
extern bool keep_open;
extern char *progname;
extern int tries;
extern int fatalexit;
extern bool verbose;
extern int tries;
extern int fatalexit;
extern bool verbose;
/*
* Routines in dighost.c.
@@ -251,15 +248,14 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
isc_result_t
get_reverse(char *reverse, size_t len, char *value, bool strict);
ISC_PLATFORM_NORETURN_PRE void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN void
fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
void
warn(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
ISC_PLATFORM_NORETURN_PRE void
digexit(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN void
digexit(void);
void
debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
@@ -337,7 +333,7 @@ set_search_domain(char *domain);
* Routines to be defined in dig.c, host.c, and nslookup.c. and
* then assigned to the appropriate function pointer
*/
extern isc_result_t (*dighost_printmessage)(dig_query_t * query,
extern isc_result_t (*dighost_printmessage)(dig_query_t *query,
const isc_buffer_t *msgbuf,
dns_message_t *msg, bool headers);

278
bin/dig/host.1 Normal file
View File

@@ -0,0 +1,278 @@
.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: host
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2009-01-20
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "HOST" "1" "2009\-01\-20" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
host \- DNS lookup utility
.SH "SYNOPSIS"
.HP \w'\fBhost\fR\ 'u
\fBhost\fR [\fB\-aACdlnrsTUwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
.SH "DESCRIPTION"
.PP
\fBhost\fR
is a simple utility for performing DNS lookups\&. It is normally used to convert names to IP addresses and vice versa\&. When no arguments or options are given,
\fBhost\fR
prints a short summary of its command line arguments and options\&.
.PP
\fIname\fR
is the domain name that is to be looked up\&. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case
\fBhost\fR
will by default perform a reverse lookup for that address\&.
\fIserver\fR
is an optional argument which is either the name or IP address of the name server that
\fBhost\fR
should query instead of the server or servers listed in
/etc/resolv\&.conf\&.
.SH "OPTIONS"
.PP
\-4
.RS 4
Use IPv4 only for query transport\&. See also the
\fB\-6\fR
option\&.
.RE
.PP
\-6
.RS 4
Use IPv6 only for query transport\&. See also the
\fB\-4\fR
option\&.
.RE
.PP
\-a
.RS 4
"All"\&. The
\fB\-a\fR
option is normally equivalent to
\fB\-v \-t \fR\fBANY\fR\&. It also affects the behaviour of the
\fB\-l\fR
list zone option\&.
.RE
.PP
\-A
.RS 4
"Almost all"\&. The
\fB\-A\fR
option is equivalent to
\fB\-a\fR
except RRSIG, NSEC, and NSEC3 records are omitted from the output\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Query class: This can be used to lookup HS (Hesiod) or CH (Chaosnet) class resource records\&. The default class is IN (Internet)\&.
.RE
.PP
\-C
.RS 4
Check consistency:
\fBhost\fR
will query the SOA records for zone
\fIname\fR
from all the listed authoritative name servers for that zone\&. The list of name servers is defined by the NS records that are found for the zone\&.
.RE
.PP
\-d
.RS 4
Print debugging traces\&. Equivalent to the
\fB\-v\fR
verbose option\&.
.RE
.PP
\-l
.RS 4
List zone: The
\fBhost\fR
command performs a zone transfer of zone
\fIname\fR
and prints out the NS, PTR and address records (A/AAAA)\&.
.sp
Together, the
\fB\-l \-a\fR
options print all records in the zone\&.
.RE
.PP
\-N \fIndots\fR
.RS 4
The number of dots that have to be in
\fIname\fR
for it to be considered absolute\&. The default value is that defined using the ndots statement in
/etc/resolv\&.conf, or 1 if no ndots statement is present\&. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
\fBsearch\fR
or
\fBdomain\fR
directive in
/etc/resolv\&.conf\&.
.RE
.PP
\-p \fIport\fR
.RS 4
Specify the port on the server to query\&. The default is 53\&.
.RE
.PP
\-r
.RS 4
Non\-recursive query: Setting this option clears the RD (recursion desired) bit in the query\&. This should mean that the name server receiving the query will not attempt to resolve
\fIname\fR\&. The
\fB\-r\fR
option enables
\fBhost\fR
to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that can be referrals to other name servers\&.
.RE
.PP
\-R \fInumber\fR
.RS 4
Number of retries for UDP queries: If
\fInumber\fR
is negative or zero, the number of retries will default to 1\&. The default value is 1, or the value of the
\fIattempts\fR
option in
/etc/resolv\&.conf, if set\&.
.RE
.PP
\-s
.RS 4
Do
\fInot\fR
send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Query type: The
\fItype\fR
argument can be any recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc\&.
.sp
When no query type is specified,
\fBhost\fR
automatically selects an appropriate query type\&. By default, it looks for A, AAAA, and MX records\&. If the
\fB\-C\fR
option is given, queries will be made for SOA records\&. If
\fIname\fR
is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
\fBhost\fR
will query for PTR records\&.
.sp
If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (like
\fB\-t \fR\fBIXFR=12345678\fR)\&.
.RE
.PP
\-T, \-U
.RS 4
TCP/UDP: By default,
\fBhost\fR
uses UDP when making queries\&. The
\fB\-T\fR
option makes it use a TCP connection when querying the name server\&. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests\&. Type ANY queries default to TCP but can be forced to UDP initially using
\fB\-U\fR\&.
.RE
.PP
\-m \fIflag\fR
.RS 4
Memory usage debugging: the flag can be
\fIrecord\fR,
\fIusage\fR, or
\fItrace\fR\&. You can specify the
\fB\-m\fR
option more than once to set multiple flags\&.
.RE
.PP
\-v
.RS 4
Verbose output\&. Equivalent to the
\fB\-d\fR
debug option\&. Verbose output can also be enabled by setting the
\fIdebug\fR
option in
/etc/resolv\&.conf\&.
.RE
.PP
\-V
.RS 4
Print the version number and exit\&.
.RE
.PP
\-w
.RS 4
Wait forever: The query timeout is set to the maximum possible\&. See also the
\fB\-W\fR
option\&.
.RE
.PP
\-W \fIwait\fR
.RS 4
Timeout: Wait for up to
\fIwait\fR
seconds for a reply\&. If
\fIwait\fR
is less than one, the wait interval is set to one second\&.
.sp
By default,
\fBhost\fR
will wait for 5 seconds for UDP responses and 10 seconds for TCP connections\&. These defaults can be overridden by the
\fItimeout\fR
option in
/etc/resolv\&.conf\&.
.sp
See also the
\fB\-w\fR
option\&.
.RE
.SH "IDN SUPPORT"
.PP
If
\fBhost\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBhost\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
\fBIDN_DISABLE\fR
environment variable\&. The IDN support is disabled if the variable is set when
\fBhost\fR
runs\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBnamed\fR(8)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -21,6 +21,7 @@
#endif /* ifdef HAVE_LOCALE_H */
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/commandline.h>
#include <isc/netaddr.h>
#include <isc/print.h>
@@ -38,7 +39,7 @@
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dig/dig.h>
#include "dighost.h"
static bool short_form = true, listed_server = false;
static bool default_lookups = true;
@@ -101,8 +102,8 @@ rcode_totext(dns_rcode_t rcode) {
return (totext.deconsttext);
}
ISC_PLATFORM_NORETURN_PRE static void
show_usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
show_usage(void);
static void
show_usage(void) {
@@ -148,11 +149,7 @@ received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
if (!short_form) {
char fromtext[ISC_SOCKADDR_FORMATSIZE];
isc_sockaddr_format(from, fromtext, sizeof(fromtext));
if (query->lookup->use_usec) {
TIME_NOW_HIRES(&now);
} else {
TIME_NOW(&now);
}
TIME_NOW(&now);
diff = (int)isc_time_microdiff(&now, &query->time_sent);
printf("Received %u bytes from %s in %d ms\n", bytes, fromtext,
diff / 1000);
@@ -585,7 +582,7 @@ static const char *optstring = "46aAc:dilnm:p:rst:vVwCDN:R:TUW:";
/*% version */
static void
version(void) {
fputs("host " VERSION "\n", stderr);
fprintf(stderr, "host %s\n", PACKAGE_VERSION);
}
static void

416
bin/dig/host.docbook Normal file
View File

@@ -0,0 +1,416 @@
<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.host">
<info>
<date>2009-01-20</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle>host</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname>host</refname>
<refpurpose>DNS lookup utility</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2008</year>
<year>2009</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>host</command>
<arg choice="opt" rep="norepeat"><option>-aACdlnrsTUwv</option></arg>
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-p <replaceable class="port">port</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">number</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<group choice="opt" rep="norepeat">
<arg choice="opt" rep="norepeat"><option>-4</option></arg>
<arg choice="opt" rep="norepeat"><option>-6</option></arg>
</group>
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="req" rep="norepeat">name</arg>
<arg choice="opt" rep="norepeat">server</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>host</command>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
When no arguments or options are given,
<command>host</command>
prints a short summary of its command line arguments and options.
</para>
<para><parameter>name</parameter> is the domain name that is to be
looked
up. It can also be a dotted-decimal IPv4 address or a colon-delimited
IPv6 address, in which case <command>host</command> will by
default
perform a reverse lookup for that address.
<parameter>server</parameter> is an optional argument which
is either
the name or IP address of the name server that <command>host</command>
should query instead of the server or servers listed in
<filename>/etc/resolv.conf</filename>.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-4</term>
<listitem>
<para>
Use IPv4 only for query transport.
See also the <option>-6</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-6</term>
<listitem>
<para>
Use IPv6 only for query transport.
See also the <option>-4</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a</term>
<listitem>
<para>
"All". The <option>-a</option> option is normally equivalent
to <option>-v -t <literal>ANY</literal></option>.
It also affects the behaviour of the <option>-l</option>
list zone option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A</term>
<listitem>
<para>
"Almost all". The <option>-A</option> option is equivalent
to <option>-a</option> except RRSIG, NSEC, and NSEC3
records are omitted from the output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Query class: This can be used to lookup HS (Hesiod) or CH
(Chaosnet) class resource records. The default class is IN
(Internet).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Check consistency: <command>host</command> will query the
SOA records for zone <parameter>name</parameter> from all
the listed authoritative name servers for that zone. The
list of name servers is defined by the NS records that are
found for the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Print debugging traces.
Equivalent to the <option>-v</option> verbose option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l</term>
<listitem>
<para>
List zone:
The <command>host</command> command performs a zone transfer of
zone <parameter>name</parameter> and prints out the NS,
PTR and address records (A/AAAA).
</para>
<para>
Together, the <option>-l -a</option>
options print all records in the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-N <replaceable class="parameter">ndots</replaceable></term>
<listitem>
<para>
The number of dots that have to be
in <parameter>name</parameter> for it to be considered
absolute. The default value is that defined using the
ndots statement in <filename>/etc/resolv.conf</filename>,
or 1 if no ndots statement is present. Names with fewer
dots are interpreted as relative names and will be
searched for in the domains listed in
the <type>search</type> or <type>domain</type> directive
in <filename>/etc/resolv.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port</replaceable></term>
<listitem>
<para>
Specify the port on the server to query. The default is 53.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem>
<para>
Non-recursive query:
Setting this option clears the RD (recursion desired) bit
in the query. This should mean that the name server
receiving the query will not attempt to
resolve <parameter>name</parameter>.
The <option>-r</option> option
enables <command>host</command> to mimic the behavior of a
name server by making non-recursive queries and expecting
to receive answers to those queries that can be
referrals to other name servers.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">number</replaceable></term>
<listitem>
<para>
Number of retries for UDP queries:
If <parameter>number</parameter> is negative or zero, the
number of retries will default to 1. The default value is
1, or the value of the <parameter>attempts</parameter>
option in <filename>/etc/resolv.conf</filename>, if set.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Do <emphasis>not</emphasis> send the query to the next
nameserver if any server responds with a SERVFAIL
response, which is the reverse of normal stub resolver
behavior.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Query type:
The <parameter>type</parameter> argument can be any
recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
</para>
<para>
When no query type is specified, <command>host</command>
automatically selects an appropriate query type. By default, it
looks for A, AAAA, and MX records.
If the <option>-C</option> option is given, queries will
be made for SOA records.
If <parameter>name</parameter> is a dotted-decimal IPv4
address or colon-delimited IPv6
address, <command>host</command> will query for PTR
records.
</para>
<para>
If a query type of IXFR is chosen the starting serial
number can be specified by appending an equal followed by
the starting serial number
(like <option>-t <literal>IXFR=12345678</literal></option>).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T</term>
<term>-U</term>
<listitem>
<para>
TCP/UDP:
By default, <command>host</command> uses UDP when making
queries. The <option>-T</option> option makes it use a TCP
connection when querying the name server. TCP will be
automatically selected for queries that require it, such
as zone transfer (AXFR) requests. Type ANY queries default
to TCP but can be forced to UDP initially using <option>-U</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Memory usage debugging: the flag can
be <parameter>record</parameter>, <parameter>usage</parameter>,
or <parameter>trace</parameter>. You can specify
the <option>-m</option> option more than once to set
multiple flags.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Verbose output.
Equivalent to the <option>-d</option> debug option.
Verbose output can also be enabled by setting
the <parameter>debug</parameter> option
in <filename>/etc/resolv.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Print the version number and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w</term>
<listitem>
<para>
Wait forever: The query timeout is set to the maximum possible.
See also the <option>-W</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-W <replaceable class="parameter">wait</replaceable></term>
<listitem>
<para>
Timeout: Wait for up to <parameter>wait</parameter>
seconds for a reply. If <parameter>wait</parameter> is
less than one, the wait interval is set to one second.
</para>
<para>
By default, <command>host</command> will wait for 5
seconds for UDP responses and 10 seconds for TCP
connections. These defaults can be overridden by
the <parameter>timeout</parameter> option
in <filename>/etc/resolv.conf</filename>.
</para>
<para>
See also the <option>-w</option> option.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>IDN SUPPORT</title></info>
<para>
If <command>host</command> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <envar>IDN_DISABLE</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>host</command> runs.
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsection>
</refentry>

339
bin/dig/host.html Normal file
View File

@@ -0,0 +1,339 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.host"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
host
&#8212; DNS lookup utility
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">host</code>
[<code class="option">-aACdlnrsTUwv</code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>port</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>number</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
[<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
[
[<code class="option">-4</code>]
| [<code class="option">-6</code>]
]
[<code class="option">-v</code>]
[<code class="option">-V</code>]
{name}
[server]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
When no arguments or options are given,
<span class="command"><strong>host</strong></span>
prints a short summary of its command line arguments and options.
</p>
<p><em class="parameter"><code>name</code></em> is the domain name that is to be
looked
up. It can also be a dotted-decimal IPv4 address or a colon-delimited
IPv6 address, in which case <span class="command"><strong>host</strong></span> will by
default
perform a reverse lookup for that address.
<em class="parameter"><code>server</code></em> is an optional argument which
is either
the name or IP address of the name server that <span class="command"><strong>host</strong></span>
should query instead of the server or servers listed in
<code class="filename">/etc/resolv.conf</code>.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-4</span></dt>
<dd>
<p>
Use IPv4 only for query transport.
See also the <code class="option">-6</code> option.
</p>
</dd>
<dt><span class="term">-6</span></dt>
<dd>
<p>
Use IPv6 only for query transport.
See also the <code class="option">-4</code> option.
</p>
</dd>
<dt><span class="term">-a</span></dt>
<dd>
<p>
"All". The <code class="option">-a</code> option is normally equivalent
to <code class="option">-v -t <code class="literal">ANY</code></code>.
It also affects the behaviour of the <code class="option">-l</code>
list zone option.
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
"Almost all". The <code class="option">-A</code> option is equivalent
to <code class="option">-a</code> except RRSIG, NSEC, and NSEC3
records are omitted from the output.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Query class: This can be used to lookup HS (Hesiod) or CH
(Chaosnet) class resource records. The default class is IN
(Internet).
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Check consistency: <span class="command"><strong>host</strong></span> will query the
SOA records for zone <em class="parameter"><code>name</code></em> from all
the listed authoritative name servers for that zone. The
list of name servers is defined by the NS records that are
found for the zone.
</p>
</dd>
<dt><span class="term">-d</span></dt>
<dd>
<p>
Print debugging traces.
Equivalent to the <code class="option">-v</code> verbose option.
</p>
</dd>
<dt><span class="term">-l</span></dt>
<dd>
<p>
List zone:
The <span class="command"><strong>host</strong></span> command performs a zone transfer of
zone <em class="parameter"><code>name</code></em> and prints out the NS,
PTR and address records (A/AAAA).
</p>
<p>
Together, the <code class="option">-l -a</code>
options print all records in the zone.
</p>
</dd>
<dt><span class="term">-N <em class="replaceable"><code>ndots</code></em></span></dt>
<dd>
<p>
The number of dots that have to be
in <em class="parameter"><code>name</code></em> for it to be considered
absolute. The default value is that defined using the
ndots statement in <code class="filename">/etc/resolv.conf</code>,
or 1 if no ndots statement is present. Names with fewer
dots are interpreted as relative names and will be
searched for in the domains listed in
the <span class="type">search</span> or <span class="type">domain</span> directive
in <code class="filename">/etc/resolv.conf</code>.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd>
<p>
Specify the port on the server to query. The default is 53.
</p>
</dd>
<dt><span class="term">-r</span></dt>
<dd>
<p>
Non-recursive query:
Setting this option clears the RD (recursion desired) bit
in the query. This should mean that the name server
receiving the query will not attempt to
resolve <em class="parameter"><code>name</code></em>.
The <code class="option">-r</code> option
enables <span class="command"><strong>host</strong></span> to mimic the behavior of a
name server by making non-recursive queries and expecting
to receive answers to those queries that can be
referrals to other name servers.
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Number of retries for UDP queries:
If <em class="parameter"><code>number</code></em> is negative or zero, the
number of retries will default to 1. The default value is
1, or the value of the <em class="parameter"><code>attempts</code></em>
option in <code class="filename">/etc/resolv.conf</code>, if set.
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
Do <span class="emphasis"><em>not</em></span> send the query to the next
nameserver if any server responds with a SERVFAIL
response, which is the reverse of normal stub resolver
behavior.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Query type:
The <em class="parameter"><code>type</code></em> argument can be any
recognized query type: CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
</p>
<p>
When no query type is specified, <span class="command"><strong>host</strong></span>
automatically selects an appropriate query type. By default, it
looks for A, AAAA, and MX records.
If the <code class="option">-C</code> option is given, queries will
be made for SOA records.
If <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4
address or colon-delimited IPv6
address, <span class="command"><strong>host</strong></span> will query for PTR
records.
</p>
<p>
If a query type of IXFR is chosen the starting serial
number can be specified by appending an equal followed by
the starting serial number
(like <code class="option">-t <code class="literal">IXFR=12345678</code></code>).
</p>
</dd>
<dt>
<span class="term">-T, </span><span class="term">-U</span>
</dt>
<dd>
<p>
TCP/UDP:
By default, <span class="command"><strong>host</strong></span> uses UDP when making
queries. The <code class="option">-T</code> option makes it use a TCP
connection when querying the name server. TCP will be
automatically selected for queries that require it, such
as zone transfer (AXFR) requests. Type ANY queries default
to TCP but can be forced to UDP initially using <code class="option">-U</code>.
</p>
</dd>
<dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
<dd>
<p>
Memory usage debugging: the flag can
be <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em>,
or <em class="parameter"><code>trace</code></em>. You can specify
the <code class="option">-m</code> option more than once to set
multiple flags.
</p>
</dd>
<dt><span class="term">-v</span></dt>
<dd>
<p>
Verbose output.
Equivalent to the <code class="option">-d</code> debug option.
Verbose output can also be enabled by setting
the <em class="parameter"><code>debug</code></em> option
in <code class="filename">/etc/resolv.conf</code>.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Print the version number and exit.
</p>
</dd>
<dt><span class="term">-w</span></dt>
<dd>
<p>
Wait forever: The query timeout is set to the maximum possible.
See also the <code class="option">-W</code> option.
</p>
</dd>
<dt><span class="term">-W <em class="replaceable"><code>wait</code></em></span></dt>
<dd>
<p>
Timeout: Wait for up to <em class="parameter"><code>wait</code></em>
seconds for a reply. If <em class="parameter"><code>wait</code></em> is
less than one, the wait interval is set to one second.
</p>
<p>
By default, <span class="command"><strong>host</strong></span> will wait for 5
seconds for UDP responses and 10 seconds for TCP
connections. These defaults can be overridden by
the <em class="parameter"><code>timeout</code></em> option
in <code class="filename">/etc/resolv.conf</code>.
</p>
<p>
See also the <code class="option">-w</code> option.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>IDN SUPPORT</h2>
<p>
If <span class="command"><strong>host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<span class="command"><strong>host</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span class="command"><strong>host</strong></span> runs.
</p>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,181 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_host:
host - DNS lookup utility
-------------------------
Synopsis
~~~~~~~~
:program:`host` [**-aACdlnrsTUwv**] [**-c** class] [**-N** ndots] [**-p** port] [**-R** number] [**-t** type] [**-W** wait] [**-m** flag] [ [**-4**] | [**-6**] ] [**-v**] [**-V**] {name} [server]
Description
~~~~~~~~~~~
``host`` is a simple utility for performing DNS lookups. It is normally
used to convert names to IP addresses and vice versa. When no arguments
or options are given, ``host`` prints a short summary of its
command-line arguments and options.
``name`` is the domain name that is to be looked up. It can also be a
dotted-decimal IPv4 address or a colon-delimited IPv6 address, in which
case ``host`` by default performs a reverse lookup for that address.
``server`` is an optional argument which is either the name or IP
address of the name server that ``host`` should query instead of the
server or servers listed in ``/etc/resolv.conf``.
Options
~~~~~~~
``-4``
This option specifies that only IPv4 should be used for query transport. See also the ``-6`` option.
``-6``
This option specifies that only IPv6 should be used for query transport. See also the ``-4`` option.
``-a``
The ``-a`` ("all") option is normally equivalent to ``-v -t ANY``. It
also affects the behavior of the ``-l`` list zone option.
``-A``
The ``-A`` ("almost all") option is equivalent to ``-a``, except that RRSIG,
NSEC, and NSEC3 records are omitted from the output.
``-c class``
This option specifies the query class, which can be used to lookup HS (Hesiod) or CH (Chaosnet)
class resource records. The default class is IN (Internet).
``-C``
This option indicates that ``named`` should check consistency, meaning that ``host`` queries the SOA records for zone
``name`` from all the listed authoritative name servers for that
zone. The list of name servers is defined by the NS records that are
found for the zone.
``-d``
This option prints debugging traces, and is equivalent to the ``-v`` verbose option.
``-l``
This option tells ``named` to list the zone, meaning the ``host`` command performs a zone transfer of zone
``name`` and prints out the NS, PTR, and address records (A/AAAA).
Together, the ``-l -a`` options print all records in the zone.
``-N ndots``
This option specifies the number of dots (``ndots``) that have to be in ``name`` for it to be
considered absolute. The default value is that defined using the
``ndots`` statement in ``/etc/resolv.conf``, or 1 if no ``ndots`` statement
is present. Names with fewer dots are interpreted as relative names,
and are searched for in the domains listed in the ``search`` or
``domain`` directive in ``/etc/resolv.conf``.
``-p port``
This option specifies the port to query on the server. The default is 53.
``-r``
This option specifies a non-recursive query; setting this option clears the RD (recursion
desired) bit in the query. This means that the name server
receiving the query does not attempt to resolve ``name``. The ``-r``
option enables ``host`` to mimic the behavior of a name server by
making non-recursive queries, and expecting to receive answers to
those queries that can be referrals to other name servers.
``-R number``
This option specifies the number of retries for UDP queries. If ``number`` is negative or zero,
the number of retries is silently set to 1. The default value is 1, or
the value of the ``attempts`` option in ``/etc/resolv.conf``, if set.
``-s``
This option tells ``named`` *not* to send the query to the next nameserver if any server responds
with a SERVFAIL response, which is the reverse of normal stub
resolver behavior.
``-t type``
This option specifies the query type. The ``type`` argument can be any recognized query type:
CNAME, NS, SOA, TXT, DNSKEY, AXFR, etc.
When no query type is specified, ``host`` automatically selects an
appropriate query type. By default, it looks for A, AAAA, and MX
records. If the ``-C`` option is given, queries are made for SOA
records. If ``name`` is a dotted-decimal IPv4 address or
colon-delimited IPv6 address, ``host`` queries for PTR records.
If a query type of IXFR is chosen, the starting serial number can be
specified by appending an equals sign (=), followed by the starting serial
number, e.g., ``-t IXFR=12345678``.
``-T``; ``-U``
This option specifies TCP or UDP. By default, ``host`` uses UDP when making queries; the
``-T`` option makes it use a TCP connection when querying the name
server. TCP is automatically selected for queries that require
it, such as zone transfer (AXFR) requests. Type ``ANY`` queries default
to TCP, but can be forced to use UDP initially via ``-U``.
``-m flag``
This option sets memory usage debugging: the flag can be ``record``, ``usage``, or
``trace``. The ``-m`` option can be specified more than once to set
multiple flags.
``-v``
This option sets verbose output, and is equivalent to the ``-d`` debug option. Verbose output
can also be enabled by setting the ``debug`` option in
``/etc/resolv.conf``.
``-V``
This option prints the version number and exits.
``-w``
This option sets "wait forever": the query timeout is set to the maximum possible. See
also the ``-W`` option.
``-W wait``
This options sets the length of the wait timeout, indicating that ``named`` should wait for up to ``wait`` seconds for a reply. If ``wait`` is
less than 1, the wait interval is set to 1 second.
By default, ``host`` waits for 5 seconds for UDP responses and 10
seconds for TCP connections. These defaults can be overridden by the
``timeout`` option in ``/etc/resolv.conf``.
See also the ``-w`` option.
IDN Support
~~~~~~~~~~~
If ``host`` has been built with IDN (internationalized domain name)
support, it can accept and display non-ASCII domain names. ``host``
appropriately converts character encoding of a domain name before sending
a request to a DNS server or displaying a reply from the server.
To turn off IDN support, define the ``IDN_DISABLE``
environment variable. IDN support is disabled if the variable is set
when ``host`` runs.
Files
~~~~~
``/etc/resolv.conf``
See Also
~~~~~~~~
:manpage:`dig(1)`, :manpage:`named(8)`.

308
bin/dig/nslookup.1 Normal file
View File

@@ -0,0 +1,308 @@
.\" Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: nslookup
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-24
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "NSLOOKUP" "1" "2014\-01\-24" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
nslookup \- query Internet name servers interactively
.SH "SYNOPSIS"
.HP \w'\fBnslookup\fR\ 'u
\fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server]
.SH "DESCRIPTION"
.PP
\fBNslookup\fR
is a program to query Internet domain name servers\&.
\fBNslookup\fR
has two modes: interactive and non\-interactive\&. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain\&. Non\-interactive mode is used to print just the name and requested information for a host or domain\&.
.SH "ARGUMENTS"
.PP
Interactive mode is entered in the following cases:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
when no arguments are given (the default name server will be used)
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server\&.
.RE
.PP
Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument\&. The optional second argument specifies the host name or address of a name server\&.
.PP
Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen\&. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
.sp
.if n \{\
.RS 4
.\}
.nf
nslookup \-query=hinfo \-timeout=10
.fi
.if n \{\
.RE
.\}
.PP
The
\fB\-version\fR
option causes
\fBnslookup\fR
to print the version number and immediately exits\&.
.SH "INTERACTIVE COMMANDS"
.PP
\fBhost\fR [server]
.RS 4
Look up information for host using the current default server or using server, if specified\&. If host is an Internet address and the query type is A or PTR, the name of the host is returned\&. If host is a name and does not have a trailing period, the search list is used to qualify the name\&.
.sp
To look up a host not in the current domain, append a period to the name\&.
.RE
.PP
\fBserver\fR \fIdomain\fR
.RS 4
.RE
.PP
\fBlserver\fR \fIdomain\fR
.RS 4
Change the default server to
\fIdomain\fR;
\fBlserver\fR
uses the initial server to look up information about
\fIdomain\fR, while
\fBserver\fR
uses the current default server\&. If an authoritative answer can\*(Aqt be found, the names of servers that might have the answer are returned\&.
.RE
.PP
\fBroot\fR
.RS 4
not implemented
.RE
.PP
\fBfinger\fR
.RS 4
not implemented
.RE
.PP
\fBls\fR
.RS 4
not implemented
.RE
.PP
\fBview\fR
.RS 4
not implemented
.RE
.PP
\fBhelp\fR
.RS 4
not implemented
.RE
.PP
\fB?\fR
.RS 4
not implemented
.RE
.PP
\fBexit\fR
.RS 4
Exits the program\&.
.RE
.PP
\fBset\fR \fIkeyword\fR\fI[=value]\fR
.RS 4
This command is used to change state information that affects the lookups\&. Valid keywords are:
.PP
\fBall\fR
.RS 4
Prints the current values of the frequently used options to
\fBset\fR\&. Information about the current default server and host is also printed\&.
.RE
.PP
\fBclass=\fR\fIvalue\fR
.RS 4
Change the query class to one of:
.PP
\fBIN\fR
.RS 4
the Internet class
.RE
.PP
\fBCH\fR
.RS 4
the Chaos class
.RE
.PP
\fBHS\fR
.RS 4
the Hesiod class
.RE
.PP
\fBANY\fR
.RS 4
wildcard
.RE
.sp
The class specifies the protocol group of the information\&.
.sp
(Default = IN; abbreviation = cl)
.RE
.PP
\fB\fI[no]\fR\fR\fBdebug\fR
.RS 4
Turn on or off the display of the full response packet and any intermediate response packets when searching\&.
.sp
(Default = nodebug; abbreviation =
[no]deb)
.RE
.PP
\fB\fI[no]\fR\fR\fBd2\fR
.RS 4
Turn debugging mode on or off\&. This displays more about what nslookup is doing\&.
.sp
(Default = nod2)
.RE
.PP
\fBdomain=\fR\fIname\fR
.RS 4
Sets the search list to
\fIname\fR\&.
.RE
.PP
\fB\fI[no]\fR\fR\fBsearch\fR
.RS 4
If the lookup request contains at least one period but doesn\*(Aqt end with a trailing period, append the domain names in the domain search list to the request until an answer is received\&.
.sp
(Default = search)
.RE
.PP
\fBport=\fR\fIvalue\fR
.RS 4
Change the default TCP/UDP name server port to
\fIvalue\fR\&.
.sp
(Default = 53; abbreviation = po)
.RE
.PP
\fBquerytype=\fR\fIvalue\fR
.RS 4
.RE
.PP
\fBtype=\fR\fIvalue\fR
.RS 4
Change the type of the information query\&.
.sp
(Default = A and then AAAA; abbreviations = q, ty)
.sp
\fBNote:\fR
It is only possible to specify one query type, only the default behavior looks up both when an alternative is not specified\&.
.RE
.PP
\fB\fI[no]\fR\fR\fBrecurse\fR
.RS 4
Tell the name server to query other servers if it does not have the information\&.
.sp
(Default = recurse; abbreviation = [no]rec)
.RE
.PP
\fBndots=\fR\fInumber\fR
.RS 4
Set the number of dots (label separators) in a domain that will disable searching\&. Absolute names always stop searching\&.
.RE
.PP
\fBretry=\fR\fInumber\fR
.RS 4
Set the number of retries to number\&.
.RE
.PP
\fBtimeout=\fR\fInumber\fR
.RS 4
Change the initial timeout interval for waiting for a reply to number seconds\&.
.RE
.PP
\fB\fI[no]\fR\fR\fBvc\fR
.RS 4
Always use a virtual circuit when sending requests to the server\&.
.sp
(Default = novc)
.RE
.PP
\fB\fI[no]\fR\fR\fBfail\fR
.RS 4
Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response\&.
.sp
(Default = nofail)
.RE
.sp
.RE
.SH "RETURN VALUES"
.PP
\fBnslookup\fR
returns with an exit status of 1 if any query failed, and 0 otherwise\&.
.SH "IDN SUPPORT"
.PP
If
\fBnslookup\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names\&.
\fBnslookup\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server\&. If you\*(Aqd like to turn off the IDN support for some reason, define the
\fBIDN_DISABLE\fR
environment variable\&. The IDN support is disabled if the variable is set when
\fBnslookup\fR
runs or when the standard output is not a tty\&.
.SH "FILES"
.PP
/etc/resolv\&.conf
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBhost\fR(1),
\fBnamed\fR(8)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
.br

View File

@@ -3,7 +3,7 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
@@ -15,6 +15,7 @@
#include <unistd.h>
#include <isc/app.h>
#include <isc/attributes.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/event.h>
@@ -35,7 +36,7 @@
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dig/dig.h>
#include "dighost.h"
#if defined(HAVE_READLINE)
#if defined(HAVE_EDIT_READLINE_READLINE_H)
@@ -46,11 +47,6 @@
#elif defined(HAVE_EDITLINE_READLINE_H)
#include <editline/readline.h>
#elif defined(HAVE_READLINE_READLINE_H)
/* Prevent deprecated functions being declared. */
#define _FUNCTION_DEF 1
/* Ensure rl_message() gets prototype. */
#define USE_VARARGS 1
#define PREFER_STDARG 1
#include <readline/readline.h>
#if defined(HAVE_READLINE_HISTORY_H)
#include <readline/history.h>
@@ -634,7 +630,7 @@ set_ndots(const char *value) {
static void
version(void) {
fputs("nslookup " VERSION "\n", stderr);
fprintf(stderr, "nslookup %s\n", PACKAGE_VERSION);
}
static void
@@ -791,6 +787,7 @@ addlookup(char *opt) {
lookup->recurse = recurse;
lookup->aaonly = aaonly;
lookup->retries = tries;
lookup->udpsize = 0;
lookup->comments = comments;
if (lookup->rdtype == dns_rdatatype_any && !tcpmode_set) {
lookup->tcp_mode = true;
@@ -883,8 +880,8 @@ get_next_command(void) {
isc_mem_free(mctx, buf);
}
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
ISC_NORETURN static void
usage(void);
static void
usage(void) {
@@ -963,7 +960,7 @@ flush_lookup_list(void) {
isc_mem_free(mctx, sp);
}
if (l->sendmsg != NULL) {
dns_message_detach(&l->sendmsg);
dns_message_destroy(&l->sendmsg);
}
lp = l;
l = ISC_LIST_NEXT(l, link);

524
bin/dig/nslookup.docbook Normal file
View File

@@ -0,0 +1,524 @@
<!--
- Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
- See the COPYRIGHT file distributed with this work for additional
- information regarding copyright ownership.
-->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- 3. Neither the name of the University nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.nslookup">
<info>
<date>2014-01-24</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
<corpauthor>Internet Systems Consortium, Inc.</corpauthor>
</refentryinfo>
<refmeta>
<refentrytitle>nslookup</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname>nslookup</refname>
<refpurpose>query Internet name servers interactively</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2010</year>
<year>2013</year>
<year>2014</year>
<year>2015</year>
<year>2016</year>
<year>2017</year>
<year>2018</year>
<year>2019</year>
<year>2020</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis sepchar=" ">
<command>nslookup</command>
<arg choice="opt" rep="norepeat"><option>-option</option></arg>
<arg choice="opt" rep="norepeat">name | -</arg>
<arg choice="opt" rep="norepeat">server</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
<para><command>Nslookup</command>
is a program to query Internet domain name servers. <command>Nslookup</command>
has two modes: interactive and non-interactive. Interactive mode allows
the user to query name servers for information about various hosts and
domains or to print a list of hosts in a domain. Non-interactive mode
is
used to print just the name and requested information for a host or
domain.
</para>
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
<para>
Interactive mode is entered in the following cases:
<orderedlist numeration="loweralpha" inheritnum="ignore" continuation="restarts">
<listitem>
<para>
when no arguments are given (the default name server will be used)
</para>
</listitem>
<listitem>
<para>
when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
</para>
</listitem>
</orderedlist>
</para>
<para>
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
</para>
<para>
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to
change the default query type to host information, and the initial
timeout to 10 seconds, type:
<!-- <informalexample> produces bad nroff. -->
<programlisting>
nslookup -query=hinfo -timeout=10
</programlisting>
<!-- </informalexample> -->
</para>
<para>
The <option>-version</option> option causes
<command>nslookup</command> to print the version
number and immediately exits.
</para>
</refsection>
<refsection><info><title>INTERACTIVE COMMANDS</title></info>
<variablelist>
<varlistentry>
<term><constant>host</constant> <optional>server</optional></term>
<listitem>
<para>
Look up information for host using the current default server or
using server, if specified. If host is an Internet address and
the query type is A or PTR, the name of the host is returned.
If host is a name and does not have a trailing period, the
search list is used to qualify the name.
</para>
<para>
To look up a host not in the current domain, append a period to
the name.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para/>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
the current default server. If an authoritative answer can't be
found, the names of servers that might have the answer are
returned.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>root</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>finger</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>ls</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>view</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>help</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>?</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>exit</constant></term>
<listitem>
<para>
Exits the program.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>set</constant>
<replaceable>keyword<optional>=value</optional></replaceable></term>
<listitem>
<para>
This command is used to change state information that affects
the lookups. Valid keywords are:
<variablelist>
<varlistentry>
<term><constant>all</constant></term>
<listitem>
<para>
Prints the current values of the frequently used
options to <command>set</command>.
Information about the current default
server and host is also printed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>class=</constant><replaceable>value</replaceable></term>
<listitem>
<para>
Change the query class to one of:
<variablelist>
<varlistentry>
<term><constant>IN</constant></term>
<listitem>
<para>
the Internet class
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>CH</constant></term>
<listitem>
<para>
the Chaos class
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>HS</constant></term>
<listitem>
<para>
the Hesiod class
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>ANY</constant></term>
<listitem>
<para>
wildcard
</para>
</listitem>
</varlistentry>
</variablelist>
The class specifies the protocol group of the information.
</para>
<para>
(Default = IN; abbreviation = cl)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
<listitem>
<para>
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</para>
<para>
(Default = nodebug; abbreviation = <optional>no</optional>deb)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>d2</constant></term>
<listitem>
<para>
Turn debugging mode on or off. This displays more about
what nslookup is doing.
</para>
<para>
(Default = nod2)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>domain=</constant><replaceable>name</replaceable></term>
<listitem>
<para>
Sets the search list to <replaceable>name</replaceable>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>search</constant></term>
<listitem>
<para>
If the lookup request contains at least one period but
doesn't end with a trailing period, append the domain
names in the domain search list to the request until an
answer is received.
</para>
<para>
(Default = search)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>port=</constant><replaceable>value</replaceable></term>
<listitem>
<para>
Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
</para>
<para>
(Default = 53; abbreviation = po)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>querytype=</constant><replaceable>value</replaceable></term>
<listitem>
<para/>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>type=</constant><replaceable>value</replaceable></term>
<listitem>
<para>
Change the type of the information query.
</para>
<para>
(Default = A and then AAAA; abbreviations = q, ty)
</para>
<para>
<emphasis role="bold">Note:</emphasis> It is
only possible to specify one query type, only
the default behavior looks up both when an
alternative is not specified.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>recurse</constant></term>
<listitem>
<para>
Tell the name server to query other servers if it does not
have the
information.
</para>
<para>
(Default = recurse; abbreviation = [no]rec)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>ndots=</constant><replaceable>number</replaceable></term>
<listitem>
<para>
Set the number of dots (label separators) in a domain
that will disable searching. Absolute names always
stop searching.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>retry=</constant><replaceable>number</replaceable></term>
<listitem>
<para>
Set the number of retries to number.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>timeout=</constant><replaceable>number</replaceable></term>
<listitem>
<para>
Change the initial timeout interval for waiting for a
reply to number seconds.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>vc</constant></term>
<listitem>
<para>
Always use a virtual circuit when sending requests to the
server.
</para>
<para>
(Default = novc)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant><replaceable><optional>no</optional></replaceable>fail</constant></term>
<listitem>
<para>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</para>
<para>
(Default = nofail)
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
<para>
<command>nslookup</command> returns with an exit status of 1
if any query failed, and 0 otherwise.
</para>
</refsection>
<refsection><info><title>IDN SUPPORT</title></info>
<para>
If <command>nslookup</command> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<command>nslookup</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <envar>IDN_DISABLE</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>nslookup</command> runs or when the standard output is not
a tty.
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/resolv.conf</filename>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsection>
</refentry>

409
bin/dig/nslookup.html Normal file
View File

@@ -0,0 +1,409 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2004-2007, 2010, 2013-2020 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>nslookup</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.nslookup"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>
nslookup
&#8212; query Internet name servers interactively
</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">nslookup</code>
[<code class="option">-option</code>]
[name | -]
[server]
</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>Nslookup</strong></span>
is a program to query Internet domain name servers. <span class="command"><strong>Nslookup</strong></span>
has two modes: interactive and non-interactive. Interactive mode allows
the user to query name servers for information about various hosts and
domains or to print a list of hosts in a domain. Non-interactive mode
is
used to print just the name and requested information for a host or
domain.
</p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>ARGUMENTS</h2>
<p>
Interactive mode is entered in the following cases:
</p>
<div class="orderedlist"><ol class="orderedlist" type="a">
<li class="listitem">
<p>
when no arguments are given (the default name server will be used)
</p>
</li>
<li class="listitem">
<p>
when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
</p>
</li>
</ol></div>
<p>
</p>
<p>
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
</p>
<p>
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to
change the default query type to host information, and the initial
timeout to 10 seconds, type:
</p>
<pre class="programlisting">
nslookup -query=hinfo -timeout=10
</pre>
<p>
</p>
<p>
The <code class="option">-version</code> option causes
<span class="command"><strong>nslookup</strong></span> to print the version
number and immediately exits.
</p>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>INTERACTIVE COMMANDS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
<dd>
<p>
Look up information for host using the current default server or
using server, if specified. If host is an Internet address and
the query type is A or PTR, the name of the host is returned.
If host is a name and does not have a trailing period, the
search list is used to qualify the name.
</p>
<p>
To look up a host not in the current domain, append a period to
the name.
</p>
</dd>
<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p></p>
</dd>
<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
the current default server. If an authoritative answer can't be
found, the names of servers that might have the answer are
returned.
</p>
</dd>
<dt><span class="term"><code class="constant">root</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">finger</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">ls</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">view</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">help</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">?</code></span></dt>
<dd>
<p>
not implemented
</p>
</dd>
<dt><span class="term"><code class="constant">exit</code></span></dt>
<dd>
<p>
Exits the program.
</p>
</dd>
<dt><span class="term"><code class="constant">set</code>
<em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
<dd>
<p>
This command is used to change state information that affects
the lookups. Valid keywords are:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">all</code></span></dt>
<dd>
<p>
Prints the current values of the frequently used
options to <span class="command"><strong>set</strong></span>.
Information about the current default
server and host is also printed.
</p>
</dd>
<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
Change the query class to one of:
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">IN</code></span></dt>
<dd>
<p>
the Internet class
</p>
</dd>
<dt><span class="term"><code class="constant">CH</code></span></dt>
<dd>
<p>
the Chaos class
</p>
</dd>
<dt><span class="term"><code class="constant">HS</code></span></dt>
<dd>
<p>
the Hesiod class
</p>
</dd>
<dt><span class="term"><code class="constant">ANY</code></span></dt>
<dd>
<p>
wildcard
</p>
</dd>
</dl></div>
<p>
The class specifies the protocol group of the information.
</p>
<p>
(Default = IN; abbreviation = cl)
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
<dd>
<p>
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</p>
<p>
(Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
<dd>
<p>
Turn debugging mode on or off. This displays more about
what nslookup is doing.
</p>
<p>
(Default = nod2)
</p>
</dd>
<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
<dd>
<p>
Sets the search list to <em class="replaceable"><code>name</code></em>.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
<dd>
<p>
If the lookup request contains at least one period but
doesn't end with a trailing period, append the domain
names in the domain search list to the request until an
answer is received.
</p>
<p>
(Default = search)
</p>
</dd>
<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
</p>
<p>
(Default = 53; abbreviation = po)
</p>
</dd>
<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p></p>
</dd>
<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
Change the type of the information query.
</p>
<p>
(Default = A and then AAAA; abbreviations = q, ty)
</p>
<p>
<span class="bold"><strong>Note:</strong></span> It is
only possible to specify one query type, only
the default behavior looks up both when an
alternative is not specified.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
<dd>
<p>
Tell the name server to query other servers if it does not
have the
information.
</p>
<p>
(Default = recurse; abbreviation = [no]rec)
</p>
</dd>
<dt><span class="term"><code class="constant">ndots=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Set the number of dots (label separators) in a domain
that will disable searching. Absolute names always
stop searching.
</p>
</dd>
<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Set the number of retries to number.
</p>
</dd>
<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd>
<p>
Change the initial timeout interval for waiting for a
reply to number seconds.
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
<dd>
<p>
Always use a virtual circuit when sending requests to the
server.
</p>
<p>
(Default = novc)
</p>
</dd>
<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
<dd>
<p>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</p>
<p>
(Default = nofail)
</p>
</dd>
</dl></div>
<p>
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>RETURN VALUES</h2>
<p>
<span class="command"><strong>nslookup</strong></span> returns with an exit status of 1
if any query failed, and 0 otherwise.
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>IDN SUPPORT</h2>
<p>
If <span class="command"><strong>nslookup</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<span class="command"><strong>nslookup</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, define
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span class="command"><strong>nslookup</strong></span> runs or when the standard output is not
a tty.
</p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsection">
<a name="id-1.13"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dig</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">host</span>(1)
</span>,
<span class="citerefentry">
<span class="refentrytitle">named</span>(8)
</span>.
</p>
</div>
</div></body>
</html>

View File

@@ -1,216 +0,0 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
.. highlight: console
.. _man_nslookup:
nslookup - query Internet name servers interactively
----------------------------------------------------
Synopsis
~~~~~~~~
:program:`nslookup` [-option] [name | -] [server]
Description
~~~~~~~~~~~
``nslookup`` is a program to query Internet domain name servers.
``nslookup`` has two modes: interactive and non-interactive. Interactive
mode allows the user to query name servers for information about various
hosts and domains or to print a list of hosts in a domain.
Non-interactive mode prints just the name and requested
information for a host or domain.
Arguments
~~~~~~~~~
Interactive mode is entered in the following cases:
a. when no arguments are given (the default name server is used);
b. when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to change the
default query type to host information, with an initial timeout of 10
seconds, type:
::
nslookup -query=hinfo -timeout=10
The ``-version`` option causes ``nslookup`` to print the version number
and immediately exit.
Interactive Commands
~~~~~~~~~~~~~~~~~~~~
``host [server]``
This command looks up information for ``host`` using the current default server or
using ``server``, if specified. If ``host`` is an Internet address and the
query type is A or PTR, the name of the host is returned. If ``host`` is
a name and does not have a trailing period (``.``), the search list is used
to qualify the name.
To look up a host not in the current domain, append a period to the
name.
``server domain`` | ``lserver domain``
These commands change the default server to ``domain``; ``lserver`` uses the initial
server to look up information about ``domain``, while ``server`` uses the
current default server. If an authoritative answer cannot be found,
the names of servers that might have the answer are returned.
``root``
This command is not implemented.
``finger``
This command is not implemented.
``ls``
This command is not implemented.
``view``
This command is not implemented.
``help``
This command is not implemented.
``?``
This command is not implemented.
``exit``
This command exits the program.
``set keyword[=value]``
This command is used to change state information that affects the
lookups. Valid keywords are:
``all``
This keyword prints the current values of the frequently used options to
``set``. Information about the current default server and host is
also printed.
``class=value``
This keyword changes the query class to one of:
``IN``
the Internet class
``CH``
the Chaos class
``HS``
the Hesiod class
``ANY``
wildcard
The class specifies the protocol group of the information. The default
is ``IN``; the abbreviation for this keyword is ``cl``.
``nodebug``
This keyword turns on or off the display of the full response packet, and any
intermediate response packets, when searching. The default for this keyword is
``nodebug``; the abbreviation for this keyword is ``[no]deb``.
``nod2``
This keyword turns debugging mode on or off. This displays more about what
nslookup is doing. The default is ``nod2``.
``domain=name``
This keyword sets the search list to ``name``.
``nosearch``
If the lookup request contains at least one period, but does not end
with a trailing period, this keyword appends the domain names in the domain
search list to the request until an answer is received. The default is ``search``.
``port=value``
This keyword changes the default TCP/UDP name server port to ``value`` from
its default, port 53. The abbreviation for this keyword is ``po``.
``querytype=value`` | ``type=value``
This keyword changes the type of the information query to ``value``. The
defaults are A and then AAAA; the abbreviations for these keywords are
``q`` and ``ty``.
Please note that it is only possible to specify one query type. Only the default
behavior looks up both when an alternative is not specified.
``norecurse``
This keyword tells the name server to query other servers if it does not have
the information. The default is ``recurse``; the abbreviation for this
keyword is ``[no]rec``.
``ndots=number``
This keyword sets the number of dots (label separators) in a domain that
disables searching. Absolute names always stop searching.
``retry=number``
This keyword sets the number of retries to ``number``.
``timeout=number``
This keyword changes the initial timeout interval to wait for a reply to
``number``, in seconds.
``novc``
This keyword indicates that a virtual circuit should always be used when sending requests to the server.
``novc`` is the default.
``nofail``
This keyword tries the next nameserver if a nameserver responds with SERVFAIL or
a referral (nofail), or terminates the query (fail) on such a response. The
default is ``nofail``.
Return Values
~~~~~~~~~~~~~
``nslookup`` returns with an exit status of 1 if any query failed, and 0
otherwise.
IDN Support
~~~~~~~~~~~
If ``nslookup`` has been built with IDN (internationalized domain name)
support, it can accept and display non-ASCII domain names. ``nslookup``
appropriately converts character encoding of a domain name before sending
a request to a DNS server or displaying a reply from the server.
To turn off IDN support, define the ``IDN_DISABLE``
environment variable. IDN support is disabled if the variable is set
when ``nslookup`` runs, or when the standard output is not a tty.
Files
~~~~~
``/etc/resolv.conf``
See Also
~~~~~~~~
:manpage:`dig(1)`, :manpage:`host(1)`, :manpage:`named(8)`.

Some files were not shown because too many files have changed in this diff Show More