2 * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: server.c,v 1.556.8.12 2010/05/18 00:29:31 marka Exp $ */
29 #include <isc/base64.h>
31 #include <isc/entropy.h>
34 #include <isc/httpd.h>
36 #include <isc/parseint.h>
37 #include <isc/portset.h>
38 #include <isc/print.h>
39 #include <isc/resource.h>
41 #include <isc/socket.h>
43 #include <isc/stats.h>
44 #include <isc/stdio.h>
45 #include <isc/string.h>
47 #include <isc/timer.h>
51 #include <isccfg/namedconf.h>
53 #include <bind9/check.h>
55 #include <dns/acache.h>
57 #include <dns/cache.h>
59 #include <dns/dispatch.h>
63 #include <dns/forward.h>
64 #include <dns/journal.h>
65 #include <dns/keytable.h>
66 #include <dns/keyvalues.h>
68 #include <dns/master.h>
69 #include <dns/masterdump.h>
70 #include <dns/order.h>
72 #include <dns/portlist.h>
74 #include <dns/rdataclass.h>
75 #include <dns/rdataset.h>
76 #include <dns/rdatastruct.h>
77 #include <dns/resolver.h>
78 #include <dns/rootns.h>
79 #include <dns/secalg.h>
80 #include <dns/stats.h>
88 #include <dst/result.h>
90 #include <named/client.h>
91 #include <named/config.h>
92 #include <named/control.h>
93 #include <named/interfacemgr.h>
94 #include <named/log.h>
95 #include <named/logconf.h>
96 #include <named/lwresd.h>
97 #include <named/main.h>
99 #include <named/server.h>
100 #include <named/statschannel.h>
101 #include <named/tkeyconf.h>
102 #include <named/tsigconf.h>
103 #include <named/zoneconf.h>
105 #include <named/ns_smf_globals.h>
110 #define PATH_MAX 1024
114 * Check an operation for failure. Assumes that the function
115 * using it has a 'result' variable and a 'cleanup' label.
118 do { result = (op); \
119 if (result != ISC_R_SUCCESS) goto cleanup; \
122 #define CHECKM(op, msg) \
123 do { result = (op); \
124 if (result != ISC_R_SUCCESS) { \
125 isc_log_write(ns_g_lctx, \
126 NS_LOGCATEGORY_GENERAL, \
127 NS_LOGMODULE_SERVER, \
130 isc_result_totext(result)); \
135 #define CHECKMF(op, msg, file) \
136 do { result = (op); \
137 if (result != ISC_R_SUCCESS) { \
138 isc_log_write(ns_g_lctx, \
139 NS_LOGCATEGORY_GENERAL, \
140 NS_LOGMODULE_SERVER, \
142 "%s '%s': %s", msg, file, \
143 isc_result_totext(result)); \
148 #define CHECKFATAL(op, msg) \
149 do { result = (op); \
150 if (result != ISC_R_SUCCESS) \
151 fatal(msg, result); \
155 * Maximum ADB size for views that share a cache. Use this limit to suppress
156 * the total of memory footprint, which should be the main reason for sharing
157 * a cache. Only effective when a finite max-cache-size is specified.
158 * This is currently defined to be 8MB.
160 #define MAX_ADB_SIZE_FOR_CACHESHARE 8388608
164 unsigned int dispatchgen;
165 dns_dispatch_t *dispatch;
166 ISC_LINK(struct ns_dispatch) link;
171 dns_view_t *primaryview;
172 isc_boolean_t needflush;
173 isc_boolean_t adbsizeadjusted;
174 ISC_LINK(ns_cache_t) link;
179 isc_boolean_t dumpcache;
180 isc_boolean_t dumpzones;
182 ISC_LIST(struct viewlistentry) viewlist;
183 struct viewlistentry *view;
184 struct zonelistentry *zone;
185 dns_dumpctx_t *mdctx;
189 dns_dbversion_t *version;
192 struct viewlistentry {
194 ISC_LINK(struct viewlistentry) link;
195 ISC_LIST(struct zonelistentry) zonelist;
198 struct zonelistentry {
200 ISC_LINK(struct zonelistentry) link;
204 * These zones should not leak onto the Internet.
206 static const struct {
208 isc_boolean_t rfc1918;
212 { "10.IN-ADDR.ARPA", ISC_TRUE },
213 { "16.172.IN-ADDR.ARPA", ISC_TRUE },
214 { "17.172.IN-ADDR.ARPA", ISC_TRUE },
215 { "18.172.IN-ADDR.ARPA", ISC_TRUE },
216 { "19.172.IN-ADDR.ARPA", ISC_TRUE },
217 { "20.172.IN-ADDR.ARPA", ISC_TRUE },
218 { "21.172.IN-ADDR.ARPA", ISC_TRUE },
219 { "22.172.IN-ADDR.ARPA", ISC_TRUE },
220 { "23.172.IN-ADDR.ARPA", ISC_TRUE },
221 { "24.172.IN-ADDR.ARPA", ISC_TRUE },
222 { "25.172.IN-ADDR.ARPA", ISC_TRUE },
223 { "26.172.IN-ADDR.ARPA", ISC_TRUE },
224 { "27.172.IN-ADDR.ARPA", ISC_TRUE },
225 { "28.172.IN-ADDR.ARPA", ISC_TRUE },
226 { "29.172.IN-ADDR.ARPA", ISC_TRUE },
227 { "30.172.IN-ADDR.ARPA", ISC_TRUE },
228 { "31.172.IN-ADDR.ARPA", ISC_TRUE },
229 { "168.192.IN-ADDR.ARPA", ISC_TRUE },
232 /* RFC 5735 and RFC 5737 */
233 { "0.IN-ADDR.ARPA", ISC_FALSE }, /* THIS NETWORK */
234 { "127.IN-ADDR.ARPA", ISC_FALSE }, /* LOOPBACK */
235 { "254.169.IN-ADDR.ARPA", ISC_FALSE }, /* LINK LOCAL */
236 { "2.0.192.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET */
237 { "100.51.198.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET 2 */
238 { "113.0.203.IN-ADDR.ARPA", ISC_FALSE }, /* TEST NET 3 */
239 { "255.255.255.255.IN-ADDR.ARPA", ISC_FALSE }, /* BROADCAST */
241 /* Local IPv6 Unicast Addresses */
242 { "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
243 { "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
244 /* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
245 { "D.F.IP6.ARPA", ISC_FALSE },
246 { "8.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
247 { "9.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
248 { "A.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
249 { "B.E.F.IP6.ARPA", ISC_FALSE }, /* LINK LOCAL */
251 /* Example Prefix, RFC 3849. */
252 { "8.B.D.0.1.0.0.2.IP6.ARPA", ISC_FALSE },
254 /* ORCHID Prefix, RFC 4843. */
255 { "0.1.1.0.0.2.IP6.ARPA", ISC_FALSE },
260 ISC_PLATFORM_NORETURN_PRE static void
261 fatal(const char *msg, isc_result_t result) ISC_PLATFORM_NORETURN_POST;
264 ns_server_reload(isc_task_t *task, isc_event_t *event);
267 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
268 cfg_aclconfctx_t *actx,
269 isc_mem_t *mctx, ns_listenelt_t **target);
271 ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
272 cfg_aclconfctx_t *actx,
273 isc_mem_t *mctx, ns_listenlist_t **target);
276 configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
277 const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
280 configure_alternates(const cfg_obj_t *config, dns_view_t *view,
281 const cfg_obj_t *alternates);
284 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
285 const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
286 cfg_aclconfctx_t *aclconf);
289 add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
292 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
295 * Configure a single view ACL at '*aclp'. Get its configuration from
296 * 'vconfig' (for per-view configuration) and maybe from 'config'
299 configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
300 const char *aclname, const char *acltuplename,
301 cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp)
304 const cfg_obj_t *maps[3];
305 const cfg_obj_t *aclobj = NULL;
309 dns_acl_detach(aclp);
311 maps[i++] = cfg_tuple_get(vconfig, "options");
312 if (config != NULL) {
313 const cfg_obj_t *options = NULL;
314 (void)cfg_map_get(config, "options", &options);
320 (void)ns_config_get(maps, aclname, &aclobj);
323 * No value available. *aclp == NULL.
325 return (ISC_R_SUCCESS);
327 if (acltuplename != NULL) {
329 * If the ACL is given in an optional tuple, retrieve it.
330 * The parser should have ensured that a valid object be
333 aclobj = cfg_tuple_get(aclobj, acltuplename);
336 result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
337 actx, mctx, 0, aclp);
343 * Configure a sortlist at '*aclp'. Essentially the same as
344 * configure_view_acl() except it calls cfg_acl_fromconfig with a
345 * nest_level value of 2.
348 configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
349 cfg_aclconfctx_t *actx, isc_mem_t *mctx,
353 const cfg_obj_t *maps[3];
354 const cfg_obj_t *aclobj = NULL;
358 dns_acl_detach(aclp);
360 maps[i++] = cfg_tuple_get(vconfig, "options");
361 if (config != NULL) {
362 const cfg_obj_t *options = NULL;
363 (void)cfg_map_get(config, "options", &options);
369 (void)ns_config_get(maps, "sortlist", &aclobj);
371 return (ISC_R_SUCCESS);
374 * Use a nest level of 3 for the "top level" of the sortlist;
375 * this means each entry in the top three levels will be stored
376 * as lists of separate, nested ACLs, rather than merged together
377 * into IP tables as is usually done with ACLs.
379 result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
380 actx, mctx, 3, aclp);
386 configure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
387 const char *confname, const char *conftuplename,
388 isc_mem_t *mctx, dns_rbt_t **rbtp)
391 const cfg_obj_t *maps[3];
392 const cfg_obj_t *obj = NULL;
393 const cfg_listelt_t *element;
395 dns_fixedname_t fixed;
399 const cfg_obj_t *nameobj;
402 dns_rbt_destroy(rbtp);
404 maps[i++] = cfg_tuple_get(vconfig, "options");
405 if (config != NULL) {
406 const cfg_obj_t *options = NULL;
407 (void)cfg_map_get(config, "options", &options);
413 (void)ns_config_get(maps, confname, &obj);
416 * No value available. *rbtp == NULL.
418 return (ISC_R_SUCCESS);
420 if (conftuplename != NULL) {
421 obj = cfg_tuple_get(obj, conftuplename);
422 if (cfg_obj_isvoid(obj))
423 return (ISC_R_SUCCESS);
426 result = dns_rbt_create(mctx, NULL, NULL, rbtp);
427 if (result != ISC_R_SUCCESS)
430 dns_fixedname_init(&fixed);
431 name = dns_fixedname_name(&fixed);
432 for (element = cfg_list_first(obj);
434 element = cfg_list_next(element)) {
435 nameobj = cfg_listelt_value(element);
436 str = cfg_obj_asstring(nameobj);
437 isc_buffer_init(&b, str, strlen(str));
438 isc_buffer_add(&b, strlen(str));
439 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
441 * We don't need the node data, but need to set dummy data to
442 * avoid a partial match with an empty node. For example, if
443 * we have foo.example.com and bar.example.com, we'd get a match
444 * for baz.example.com, which is not the expected result.
445 * We simply use (void *)1 as the dummy data.
447 result = dns_rbt_addname(*rbtp, name, (void *)1);
448 if (result != ISC_R_SUCCESS) {
449 cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
450 "failed to add %s for %s: %s",
451 str, confname, isc_result_totext(result));
460 dns_rbt_destroy(rbtp);
466 dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
467 isc_boolean_t managed, dst_key_t **target, isc_mem_t *mctx)
469 dns_rdataclass_t viewclass;
470 dns_rdata_dnskey_t keystruct;
471 isc_uint32_t flags, proto, alg;
472 const char *keystr, *keynamestr;
473 unsigned char keydata[4096];
474 isc_buffer_t keydatabuf;
475 unsigned char rrdata[4096];
476 isc_buffer_t rrdatabuf;
478 dns_fixedname_t fkeyname;
480 isc_buffer_t namebuf;
482 dst_key_t *dstkey = NULL;
484 INSIST(target != NULL && *target == NULL);
486 flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
487 proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
488 alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
489 keyname = dns_fixedname_name(&fkeyname);
490 keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
493 const char *initmethod;
494 initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
496 if (strcasecmp(initmethod, "initial-key") != 0) {
497 cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
499 "invalid initialization method '%s'",
500 keynamestr, initmethod);
501 result = ISC_R_FAILURE;
507 viewclass = dns_rdataclass_in;
509 const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
510 CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
513 keystruct.common.rdclass = viewclass;
514 keystruct.common.rdtype = dns_rdatatype_dnskey;
516 * The key data in keystruct is not dynamically allocated.
518 keystruct.mctx = NULL;
520 ISC_LINK_INIT(&keystruct.common, link);
523 CHECKM(ISC_R_RANGE, "key flags");
525 CHECKM(ISC_R_RANGE, "key protocol");
527 CHECKM(ISC_R_RANGE, "key algorithm");
528 keystruct.flags = (isc_uint16_t)flags;
529 keystruct.protocol = (isc_uint8_t)proto;
530 keystruct.algorithm = (isc_uint8_t)alg;
532 isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
533 isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
535 keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
536 CHECK(isc_base64_decodestring(keystr, &keydatabuf));
537 isc_buffer_usedregion(&keydatabuf, &r);
538 keystruct.datalen = r.length;
539 keystruct.data = r.base;
541 if ((keystruct.algorithm == DST_ALG_RSASHA1 ||
542 keystruct.algorithm == DST_ALG_RSAMD5) &&
543 r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
544 cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
545 "%s key '%s' has a weak exponent",
546 managed ? "managed" : "trusted",
549 CHECK(dns_rdata_fromstruct(NULL,
550 keystruct.common.rdclass,
551 keystruct.common.rdtype,
552 &keystruct, &rrdatabuf));
553 dns_fixedname_init(&fkeyname);
554 isc_buffer_init(&namebuf, keynamestr, strlen(keynamestr));
555 isc_buffer_add(&namebuf, strlen(keynamestr));
556 CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
557 CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
561 return (ISC_R_SUCCESS);
564 if (result == DST_R_NOCRYPTO) {
565 cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
566 "ignoring %s key for '%s': no crypto support",
567 managed ? "managed" : "trusted",
569 } else if (result == DST_R_UNSUPPORTEDALG) {
570 cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
571 "skipping %s key for '%s': %s",
572 managed ? "managed" : "trusted",
573 keynamestr, isc_result_totext(result));
575 cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
576 "configuring %s key for '%s': %s",
577 managed ? "managed" : "trusted",
578 keynamestr, isc_result_totext(result));
579 result = ISC_R_FAILURE;
583 dst_key_free(&dstkey);
589 load_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
590 dns_view_t *view, isc_boolean_t managed, isc_mem_t *mctx)
592 const cfg_listelt_t *elt, *elt2;
593 const cfg_obj_t *key, *keylist;
594 dst_key_t *dstkey = NULL;
596 dns_keytable_t *secroots = NULL;
598 CHECK(dns_view_getsecroots(view, &secroots));
600 for (elt = cfg_list_first(keys);
602 elt = cfg_list_next(elt)) {
603 keylist = cfg_listelt_value(elt);
605 for (elt2 = cfg_list_first(keylist);
607 elt2 = cfg_list_next(elt2)) {
608 key = cfg_listelt_value(elt2);
609 result = dstkey_fromconfig(vconfig, key, managed,
611 if (result == DST_R_UNSUPPORTEDALG) {
612 result = ISC_R_SUCCESS;
615 if (result != ISC_R_SUCCESS)
618 CHECK(dns_keytable_add(secroots, managed, &dstkey));
623 if (secroots != NULL)
624 dns_keytable_detach(&secroots);
625 if (result == DST_R_NOCRYPTO)
626 result = ISC_R_SUCCESS;
631 * Configure DNSSEC keys for a view.
633 * The per-view configuration values and the server-global defaults are read
634 * from 'vconfig' and 'config'.
637 configure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
638 const cfg_obj_t *config, const cfg_obj_t *bindkeys,
639 isc_boolean_t auto_dlv, isc_mem_t *mctx)
641 isc_result_t result = ISC_R_SUCCESS;
642 const cfg_obj_t *view_keys = NULL;
643 const cfg_obj_t *global_keys = NULL;
644 const cfg_obj_t *view_managed_keys = NULL;
645 const cfg_obj_t *global_managed_keys = NULL;
646 const cfg_obj_t *builtin_keys = NULL;
647 const cfg_obj_t *builtin_managed_keys = NULL;
648 const cfg_obj_t *maps[4];
649 const cfg_obj_t *voptions = NULL;
650 const cfg_obj_t *options = NULL;
651 const cfg_obj_t *obj = NULL;
652 const char *directory;
655 /* We don't need trust anchors for the _bind view */
656 if (strcmp(view->name, "_bind") == 0 &&
657 view->rdclass == dns_rdataclass_chaos) {
658 return (ISC_R_SUCCESS);
661 if (vconfig != NULL) {
662 voptions = cfg_tuple_get(vconfig, "options");
663 if (voptions != NULL) {
664 (void) cfg_map_get(voptions, "trusted-keys",
666 (void) cfg_map_get(voptions, "managed-keys",
668 maps[i++] = voptions;
672 if (config != NULL) {
673 (void)cfg_map_get(config, "trusted-keys", &global_keys);
674 (void)cfg_map_get(config, "managed-keys", &global_managed_keys);
675 (void)cfg_map_get(config, "options", &options);
676 if (options != NULL) {
681 maps[i++] = ns_g_defaults;
684 result = dns_view_initsecroots(view, mctx);
685 if (result != ISC_R_SUCCESS) {
686 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
687 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
688 "couldn't create keytable");
689 return (ISC_R_UNEXPECTED);
692 if (auto_dlv && view->rdclass == dns_rdataclass_in) {
693 isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
694 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
695 "using built-in trusted-keys for view %s",
699 * If bind.keys exists, it overrides the managed-keys
700 * clause hard-coded in ns_g_config.
702 if (bindkeys != NULL) {
703 (void)cfg_map_get(bindkeys, "trusted-keys",
705 (void)cfg_map_get(bindkeys, "managed-keys",
706 &builtin_managed_keys);
708 (void)cfg_map_get(ns_g_config, "trusted-keys",
710 (void)cfg_map_get(ns_g_config, "managed-keys",
711 &builtin_managed_keys);
714 if (builtin_keys != NULL)
715 CHECK(load_view_keys(builtin_keys, vconfig, view,
717 if (builtin_managed_keys != NULL)
718 CHECK(load_view_keys(builtin_managed_keys, vconfig,
719 view, ISC_TRUE, mctx));
722 CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE, mctx));
723 CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE, mctx));
724 if (view->rdclass == dns_rdataclass_in) {
725 CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
727 CHECK(load_view_keys(global_managed_keys, vconfig, view,
732 * Add key zone for managed-keys.
735 (void)ns_config_get(maps, "managed-keys-directory", &obj);
736 directory = obj != NULL ? cfg_obj_asstring(obj) : NULL;
737 CHECK(add_keydata_zone(view, directory, ns_g_mctx));
744 mustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
745 const cfg_listelt_t *element;
746 const cfg_obj_t *obj;
748 dns_fixedname_t fixed;
754 dns_fixedname_init(&fixed);
755 name = dns_fixedname_name(&fixed);
756 for (element = cfg_list_first(mbs);
758 element = cfg_list_next(element))
760 obj = cfg_listelt_value(element);
761 str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
762 isc_buffer_init(&b, str, strlen(str));
763 isc_buffer_add(&b, strlen(str));
764 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
765 value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
766 CHECK(dns_resolver_setmustbesecure(resolver, name, value));
769 result = ISC_R_SUCCESS;
776 * Get a dispatch appropriate for the resolver of a given view.
779 get_view_querysource_dispatch(const cfg_obj_t **maps,
780 int af, dns_dispatch_t **dispatchp,
781 isc_boolean_t is_firstview)
784 dns_dispatch_t *disp;
786 unsigned int attrs, attrmask;
787 const cfg_obj_t *obj = NULL;
788 unsigned int maxdispatchbuffers;
791 * Make compiler happy.
793 result = ISC_R_FAILURE;
797 result = ns_config_get(maps, "query-source", &obj);
798 INSIST(result == ISC_R_SUCCESS);
801 result = ns_config_get(maps, "query-source-v6", &obj);
802 INSIST(result == ISC_R_SUCCESS);
808 sa = *(cfg_obj_assockaddr(obj));
809 INSIST(isc_sockaddr_pf(&sa) == af);
812 * If we don't support this address family, we're done!
816 result = isc_net_probeipv4();
819 result = isc_net_probeipv6();
824 if (result != ISC_R_SUCCESS)
825 return (ISC_R_SUCCESS);
828 * Try to find a dispatcher that we can share.
831 attrs |= DNS_DISPATCHATTR_UDP;
834 attrs |= DNS_DISPATCHATTR_IPV4;
837 attrs |= DNS_DISPATCHATTR_IPV6;
840 if (isc_sockaddr_getport(&sa) == 0) {
841 attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
842 maxdispatchbuffers = 4096;
846 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
847 "using specific query-source port "
848 "suppresses port randomization and can be "
851 maxdispatchbuffers = 1000;
855 attrmask |= DNS_DISPATCHATTR_UDP;
856 attrmask |= DNS_DISPATCHATTR_TCP;
857 attrmask |= DNS_DISPATCHATTR_IPV4;
858 attrmask |= DNS_DISPATCHATTR_IPV6;
861 result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
862 ns_g_taskmgr, &sa, 4096,
863 maxdispatchbuffers, 32768, 16411, 16433,
864 attrs, attrmask, &disp);
865 if (result != ISC_R_SUCCESS) {
867 char buf[ISC_SOCKADDR_FORMATSIZE];
871 isc_sockaddr_any(&any);
874 isc_sockaddr_any6(&any);
877 if (isc_sockaddr_equal(&sa, &any))
878 return (ISC_R_SUCCESS);
879 isc_sockaddr_format(&sa, buf, sizeof(buf));
880 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
881 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
882 "could not get query source dispatcher (%s)",
889 return (ISC_R_SUCCESS);
893 configure_order(dns_order_t *order, const cfg_obj_t *ent) {
894 dns_rdataclass_t rdclass;
895 dns_rdatatype_t rdtype;
896 const cfg_obj_t *obj;
897 dns_fixedname_t fixed;
898 unsigned int mode = 0;
902 isc_boolean_t addroot;
904 result = ns_config_getclass(cfg_tuple_get(ent, "class"),
905 dns_rdataclass_any, &rdclass);
906 if (result != ISC_R_SUCCESS)
909 result = ns_config_gettype(cfg_tuple_get(ent, "type"),
910 dns_rdatatype_any, &rdtype);
911 if (result != ISC_R_SUCCESS)
914 obj = cfg_tuple_get(ent, "name");
915 if (cfg_obj_isstring(obj))
916 str = cfg_obj_asstring(obj);
919 addroot = ISC_TF(strcmp(str, "*") == 0);
920 isc_buffer_init(&b, str, strlen(str));
921 isc_buffer_add(&b, strlen(str));
922 dns_fixedname_init(&fixed);
923 result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
924 dns_rootname, 0, NULL);
925 if (result != ISC_R_SUCCESS)
928 obj = cfg_tuple_get(ent, "ordering");
929 INSIST(cfg_obj_isstring(obj));
930 str = cfg_obj_asstring(obj);
931 if (!strcasecmp(str, "fixed"))
932 mode = DNS_RDATASETATTR_FIXEDORDER;
933 else if (!strcasecmp(str, "random"))
934 mode = DNS_RDATASETATTR_RANDOMIZE;
935 else if (!strcasecmp(str, "cyclic"))
941 * "*" should match everything including the root (BIND 8 compat).
942 * As dns_name_matcheswildcard(".", "*.") returns FALSE add a
943 * explicit entry for "." when the name is "*".
946 result = dns_order_add(order, dns_rootname,
947 rdtype, rdclass, mode);
948 if (result != ISC_R_SUCCESS)
952 return (dns_order_add(order, dns_fixedname_name(&fixed),
953 rdtype, rdclass, mode));
957 configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
960 const cfg_obj_t *obj;
963 unsigned int prefixlen;
965 cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen);
968 result = dns_peer_newprefix(mctx, &na, prefixlen, &peer);
969 if (result != ISC_R_SUCCESS)
973 (void)cfg_map_get(cpeer, "bogus", &obj);
975 CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
978 (void)cfg_map_get(cpeer, "provide-ixfr", &obj);
980 CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)));
983 (void)cfg_map_get(cpeer, "request-ixfr", &obj);
985 CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
988 (void)cfg_map_get(cpeer, "request-nsid", &obj);
990 CHECK(dns_peer_setrequestnsid(peer, cfg_obj_asboolean(obj)));
993 (void)cfg_map_get(cpeer, "edns", &obj);
995 CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
998 (void)cfg_map_get(cpeer, "edns-udp-size", &obj);
1000 isc_uint32_t udpsize = cfg_obj_asuint32(obj);
1005 CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize));
1009 (void)cfg_map_get(cpeer, "max-udp-size", &obj);
1011 isc_uint32_t udpsize = cfg_obj_asuint32(obj);
1016 CHECK(dns_peer_setmaxudp(peer, (isc_uint16_t)udpsize));
1020 (void)cfg_map_get(cpeer, "transfers", &obj);
1022 CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
1025 (void)cfg_map_get(cpeer, "transfer-format", &obj);
1027 str = cfg_obj_asstring(obj);
1028 if (strcasecmp(str, "many-answers") == 0)
1029 CHECK(dns_peer_settransferformat(peer,
1031 else if (strcasecmp(str, "one-answer") == 0)
1032 CHECK(dns_peer_settransferformat(peer,
1039 (void)cfg_map_get(cpeer, "keys", &obj);
1041 result = dns_peer_setkeybycharp(peer, cfg_obj_asstring(obj));
1042 if (result != ISC_R_SUCCESS)
1047 if (na.family == AF_INET)
1048 (void)cfg_map_get(cpeer, "transfer-source", &obj);
1050 (void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
1052 result = dns_peer_settransfersource(peer,
1053 cfg_obj_assockaddr(obj));
1054 if (result != ISC_R_SUCCESS)
1056 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1060 if (na.family == AF_INET)
1061 (void)cfg_map_get(cpeer, "notify-source", &obj);
1063 (void)cfg_map_get(cpeer, "notify-source-v6", &obj);
1065 result = dns_peer_setnotifysource(peer,
1066 cfg_obj_assockaddr(obj));
1067 if (result != ISC_R_SUCCESS)
1069 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1073 if (na.family == AF_INET)
1074 (void)cfg_map_get(cpeer, "query-source", &obj);
1076 (void)cfg_map_get(cpeer, "query-source-v6", &obj);
1078 result = dns_peer_setquerysource(peer,
1079 cfg_obj_assockaddr(obj));
1080 if (result != ISC_R_SUCCESS)
1082 ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
1086 return (ISC_R_SUCCESS);
1089 dns_peer_detach(&peer);
1094 disable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
1095 isc_result_t result;
1096 const cfg_obj_t *algorithms;
1097 const cfg_listelt_t *element;
1099 dns_fixedname_t fixed;
1103 dns_fixedname_init(&fixed);
1104 name = dns_fixedname_name(&fixed);
1105 str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
1106 isc_buffer_init(&b, str, strlen(str));
1107 isc_buffer_add(&b, strlen(str));
1108 CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
1110 algorithms = cfg_tuple_get(disabled, "algorithms");
1111 for (element = cfg_list_first(algorithms);
1113 element = cfg_list_next(element))
1118 DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
1119 r.length = strlen(r.base);
1121 result = dns_secalg_fromtext(&alg, &r);
1122 if (result != ISC_R_SUCCESS) {
1124 result = isc_parse_uint8(&ui, r.base, 10);
1127 if (result != ISC_R_SUCCESS) {
1128 cfg_obj_log(cfg_listelt_value(element),
1129 ns_g_lctx, ISC_LOG_ERROR,
1130 "invalid algorithm");
1133 CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
1139 static isc_boolean_t
1140 on_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
1141 const cfg_listelt_t *element;
1142 dns_fixedname_t fixed;
1144 isc_result_t result;
1145 const cfg_obj_t *value;
1149 dns_fixedname_init(&fixed);
1150 name = dns_fixedname_name(&fixed);
1152 for (element = cfg_list_first(disablelist);
1154 element = cfg_list_next(element))
1156 value = cfg_listelt_value(element);
1157 str = cfg_obj_asstring(value);
1158 isc_buffer_init(&b, str, strlen(str));
1159 isc_buffer_add(&b, strlen(str));
1160 result = dns_name_fromtext(name, &b, dns_rootname,
1162 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1163 if (dns_name_equal(name, zonename))
1170 check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv,
1175 isc_result_t result;
1177 result = dns_zone_getdbtype(*zonep, &argv, mctx);
1178 if (result != ISC_R_SUCCESS) {
1179 dns_zone_detach(zonep);
1184 * Check that all the arguments match.
1186 for (i = 0; i < dbtypec; i++)
1187 if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) {
1188 dns_zone_detach(zonep);
1193 * Check that there are not extra arguments.
1195 if (i == dbtypec && argv[i] != NULL)
1196 dns_zone_detach(zonep);
1197 isc_mem_free(mctx, argv);
1201 setquerystats(dns_zone_t *zone, isc_mem_t *mctx, isc_boolean_t on) {
1202 isc_result_t result;
1203 isc_stats_t *zoneqrystats;
1205 zoneqrystats = NULL;
1207 result = isc_stats_create(mctx, &zoneqrystats,
1208 dns_nsstatscounter_max);
1209 if (result != ISC_R_SUCCESS)
1212 dns_zone_setrequeststats(zone, zoneqrystats);
1213 if (zoneqrystats != NULL)
1214 isc_stats_detach(&zoneqrystats);
1216 return (ISC_R_SUCCESS);
1220 cachelist_find(ns_cachelist_t *cachelist, const char *cachename) {
1223 for (nsc = ISC_LIST_HEAD(*cachelist);
1225 nsc = ISC_LIST_NEXT(nsc, link)) {
1226 if (strcmp(dns_cache_getname(nsc->cache), cachename) == 0)
1233 static isc_boolean_t
1234 cache_reusable(dns_view_t *originview, dns_view_t *view,
1235 isc_boolean_t new_zero_no_soattl)
1237 if (originview->checknames != view->checknames ||
1238 dns_resolver_getzeronosoattl(originview->resolver) !=
1239 new_zero_no_soattl ||
1240 originview->acceptexpired != view->acceptexpired ||
1241 originview->enablevalidation != view->enablevalidation ||
1242 originview->maxcachettl != view->maxcachettl ||
1243 originview->maxncachettl != view->maxncachettl) {
1250 static isc_boolean_t
1251 cache_sharable(dns_view_t *originview, dns_view_t *view,
1252 isc_boolean_t new_zero_no_soattl,
1253 unsigned int new_cleaning_interval,
1254 isc_uint32_t new_max_cache_size)
1257 * If the cache cannot even reused for the same view, it cannot be
1258 * shared with other views.
1260 if (!cache_reusable(originview, view, new_zero_no_soattl))
1264 * Check other cache related parameters that must be consistent among
1265 * the sharing views.
1267 if (dns_cache_getcleaninginterval(originview->cache) !=
1268 new_cleaning_interval ||
1269 dns_cache_getcachesize(originview->cache) != new_max_cache_size) {
1277 * Configure 'view' according to 'vconfig', taking defaults from 'config'
1278 * where values are missing in 'vconfig'.
1280 * When configuring the default view, 'vconfig' will be NULL and the
1281 * global defaults in 'config' used exclusively.
1284 configure_view(dns_view_t *view, const cfg_obj_t *config,
1285 const cfg_obj_t *vconfig, ns_cachelist_t *cachelist,
1286 const cfg_obj_t *bindkeys, isc_mem_t *mctx,
1287 cfg_aclconfctx_t *actx, isc_boolean_t need_hints)
1289 const cfg_obj_t *maps[4];
1290 const cfg_obj_t *cfgmaps[3];
1291 const cfg_obj_t *optionmaps[3];
1292 const cfg_obj_t *options = NULL;
1293 const cfg_obj_t *voptions = NULL;
1294 const cfg_obj_t *forwardtype;
1295 const cfg_obj_t *forwarders;
1296 const cfg_obj_t *alternates;
1297 const cfg_obj_t *zonelist;
1299 const cfg_obj_t *dlz;
1300 unsigned int dlzargc;
1303 const cfg_obj_t *disabled;
1304 const cfg_obj_t *obj;
1305 const cfg_listelt_t *element;
1307 dns_cache_t *cache = NULL;
1308 isc_result_t result;
1309 isc_uint32_t max_adb_size;
1310 unsigned int cleaning_interval;
1311 isc_uint32_t max_cache_size;
1312 isc_uint32_t max_acache_size;
1313 isc_uint32_t lame_ttl;
1314 dns_tsig_keyring_t *ring = NULL;
1315 dns_view_t *pview = NULL; /* Production view */
1317 dns_dispatch_t *dispatch4 = NULL;
1318 dns_dispatch_t *dispatch6 = NULL;
1319 isc_boolean_t reused_cache = ISC_FALSE;
1320 isc_boolean_t shared_cache = ISC_FALSE;
1321 int i = 0, j = 0, k = 0;
1323 const char *cachename = NULL;
1324 dns_order_t *order = NULL;
1325 isc_uint32_t udpsize;
1326 unsigned int resopts = 0;
1327 dns_zone_t *zone = NULL;
1328 isc_uint32_t max_clients_per_query;
1329 const char *sep = ": view ";
1330 const char *viewname = view->name;
1331 const char *forview = " for view ";
1332 isc_boolean_t rfc1918;
1333 isc_boolean_t empty_zones_enable;
1334 const cfg_obj_t *disablelist = NULL;
1335 isc_stats_t *resstats = NULL;
1336 dns_stats_t *resquerystats = NULL;
1337 isc_boolean_t auto_dlv = ISC_FALSE;
1339 isc_boolean_t zero_no_soattl;
1341 REQUIRE(DNS_VIEW_VALID(view));
1346 (void)cfg_map_get(config, "options", &options);
1349 * maps: view options, options, defaults
1350 * cfgmaps: view options, config
1351 * optionmaps: view options, options
1353 if (vconfig != NULL) {
1354 voptions = cfg_tuple_get(vconfig, "options");
1355 maps[i++] = voptions;
1356 optionmaps[j++] = voptions;
1357 cfgmaps[k++] = voptions;
1359 if (options != NULL) {
1360 maps[i++] = options;
1361 optionmaps[j++] = options;
1364 maps[i++] = ns_g_defaults;
1366 optionmaps[j] = NULL;
1368 cfgmaps[k++] = config;
1371 if (!strcmp(viewname, "_default")) {
1378 * Set the view's port number for outgoing queries.
1380 CHECKM(ns_config_getport(config, &port), "port");
1381 dns_view_setdstport(view, port);
1384 * Create additional cache for this view and zones under the view
1385 * if explicitly enabled.
1386 * XXX950 default to on.
1389 (void)ns_config_get(maps, "acache-enable", &obj);
1390 if (obj != NULL && cfg_obj_asboolean(obj)) {
1392 CHECK(isc_mem_create(0, 0, &cmctx));
1393 CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
1395 isc_mem_setname(cmctx, "acache", NULL);
1396 isc_mem_detach(&cmctx);
1398 if (view->acache != NULL) {
1400 result = ns_config_get(maps, "acache-cleaning-interval", &obj);
1401 INSIST(result == ISC_R_SUCCESS);
1402 dns_acache_setcleaninginterval(view->acache,
1403 cfg_obj_asuint32(obj) * 60);
1406 result = ns_config_get(maps, "max-acache-size", &obj);
1407 INSIST(result == ISC_R_SUCCESS);
1408 if (cfg_obj_isstring(obj)) {
1409 str = cfg_obj_asstring(obj);
1410 INSIST(strcasecmp(str, "unlimited") == 0);
1411 max_acache_size = ISC_UINT32_MAX;
1413 isc_resourcevalue_t value;
1415 value = cfg_obj_asuint64(obj);
1416 if (value > ISC_UINT32_MAX) {
1417 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
1419 "%" ISC_PRINT_QUADFORMAT
1422 result = ISC_R_RANGE;
1425 max_acache_size = (isc_uint32_t)value;
1427 dns_acache_setcachesize(view->acache, max_acache_size);
1431 * Configure the zones.
1434 if (voptions != NULL)
1435 (void)cfg_map_get(voptions, "zone", &zonelist);
1437 (void)cfg_map_get(config, "zone", &zonelist);
1438 for (element = cfg_list_first(zonelist);
1440 element = cfg_list_next(element))
1442 const cfg_obj_t *zconfig = cfg_listelt_value(element);
1443 CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
1449 * Create Dynamically Loadable Zone driver.
1452 if (voptions != NULL)
1453 (void)cfg_map_get(voptions, "dlz", &dlz);
1455 (void)cfg_map_get(config, "dlz", &dlz);
1459 (void)cfg_map_get(cfg_tuple_get(dlz, "options"),
1462 char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
1464 result = ISC_R_NOMEMORY;
1468 result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv);
1469 if (result != ISC_R_SUCCESS) {
1470 isc_mem_free(mctx, s);
1474 obj = cfg_tuple_get(dlz, "name");
1475 result = dns_dlzcreate(mctx, cfg_obj_asstring(obj),
1476 dlzargv[0], dlzargc, dlzargv,
1477 &view->dlzdatabase);
1478 isc_mem_free(mctx, s);
1479 isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv));
1480 if (result != ISC_R_SUCCESS)
1487 * Obtain configuration parameters that affect the decision of whether
1488 * we can reuse/share an existing cache.
1491 result = ns_config_get(maps, "cleaning-interval", &obj);
1492 INSIST(result == ISC_R_SUCCESS);
1493 cleaning_interval = cfg_obj_asuint32(obj) * 60;
1496 result = ns_config_get(maps, "max-cache-size", &obj);
1497 INSIST(result == ISC_R_SUCCESS);
1498 if (cfg_obj_isstring(obj)) {
1499 str = cfg_obj_asstring(obj);
1500 INSIST(strcasecmp(str, "unlimited") == 0);
1501 max_cache_size = ISC_UINT32_MAX;
1503 isc_resourcevalue_t value;
1504 value = cfg_obj_asuint64(obj);
1505 if (value > ISC_UINT32_MAX) {
1506 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
1508 "%" ISC_PRINT_QUADFORMAT "d' is too large",
1510 result = ISC_R_RANGE;
1513 max_cache_size = (isc_uint32_t)value;
1518 result = ns_checknames_get(maps, "response", &obj);
1519 INSIST(result == ISC_R_SUCCESS);
1521 str = cfg_obj_asstring(obj);
1522 if (strcasecmp(str, "fail") == 0) {
1523 resopts |= DNS_RESOLVER_CHECKNAMES |
1524 DNS_RESOLVER_CHECKNAMESFAIL;
1525 view->checknames = ISC_TRUE;
1526 } else if (strcasecmp(str, "warn") == 0) {
1527 resopts |= DNS_RESOLVER_CHECKNAMES;
1528 view->checknames = ISC_FALSE;
1529 } else if (strcasecmp(str, "ignore") == 0) {
1530 view->checknames = ISC_FALSE;
1535 result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
1536 INSIST(result == ISC_R_SUCCESS);
1537 zero_no_soattl = cfg_obj_asboolean(obj);
1540 result = ns_config_get(maps, "dnssec-accept-expired", &obj);
1541 INSIST(result == ISC_R_SUCCESS);
1542 view->acceptexpired = cfg_obj_asboolean(obj);
1545 result = ns_config_get(maps, "dnssec-validation", &obj);
1546 INSIST(result == ISC_R_SUCCESS);
1547 view->enablevalidation = cfg_obj_asboolean(obj);
1550 result = ns_config_get(maps, "max-cache-ttl", &obj);
1551 INSIST(result == ISC_R_SUCCESS);
1552 view->maxcachettl = cfg_obj_asuint32(obj);
1555 result = ns_config_get(maps, "max-ncache-ttl", &obj);
1556 INSIST(result == ISC_R_SUCCESS);
1557 view->maxncachettl = cfg_obj_asuint32(obj);
1558 if (view->maxncachettl > 7 * 24 * 3600)
1559 view->maxncachettl = 7 * 24 * 3600;
1562 * Configure the view's cache.
1564 * First, check to see if there are any attach-cache options. If yes,
1565 * attempt to lookup an existing cache at attach it to the view. If
1566 * there is not one, then try to reuse an existing cache if possible;
1567 * otherwise create a new cache.
1569 * Note that the ADB is not preserved or shared in either case.
1571 * When a matching view is found, the associated statistics are also
1572 * retrieved and reused.
1574 * XXX Determining when it is safe to reuse or share a cache is tricky.
1575 * When the view's configuration changes, the cached data may become
1576 * invalid because it reflects our old view of the world. We check
1577 * some of the configuration parameters that could invalidate the cache
1578 * or otherwise make it unsharable, but there are other configuration
1579 * options that should be checked. For example, if a view uses a
1580 * forwarder, changes in the forwarder configuration may invalidate
1581 * the cache. At the moment, it's the administrator's responsibility to
1582 * ensure these configuration options don't invalidate reusing/sharing.
1585 result = ns_config_get(maps, "attach-cache", &obj);
1586 if (result == ISC_R_SUCCESS)
1587 cachename = cfg_obj_asstring(obj);
1589 cachename = view->name;
1591 nsc = cachelist_find(cachelist, cachename);
1593 if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
1594 cleaning_interval, max_cache_size)) {
1595 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1596 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
1597 "views %s and %s can't share the cache "
1598 "due to configuration parameter mismatch",
1599 nsc->primaryview->name, view->name);
1600 result = ISC_R_FAILURE;
1603 dns_cache_attach(nsc->cache, &cache);
1604 shared_cache = ISC_TRUE;
1606 if (strcmp(cachename, view->name) == 0) {
1607 result = dns_viewlist_find(&ns_g_server->viewlist,
1608 cachename, view->rdclass,
1610 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
1612 if (pview != NULL) {
1613 if (!cache_reusable(pview, view,
1615 isc_log_write(ns_g_lctx,
1616 NS_LOGCATEGORY_GENERAL,
1617 NS_LOGMODULE_SERVER,
1619 "cache cannot be reused "
1620 "for view %s due to "
1621 "configuration parameter "
1622 "mismatch", view->name);
1624 INSIST(pview->cache != NULL);
1625 isc_log_write(ns_g_lctx,
1626 NS_LOGCATEGORY_GENERAL,
1627 NS_LOGMODULE_SERVER,
1629 "reusing existing cache");
1630 reused_cache = ISC_TRUE;
1631 dns_cache_attach(pview->cache, &cache);
1633 dns_view_getresstats(pview, &resstats);
1634 dns_view_getresquerystats(pview,
1636 dns_view_detach(&pview);
1639 if (cache == NULL) {
1641 * Create a cache with the desired name. This normally
1642 * equals the view name, but may also be a forward
1643 * reference to a view that share the cache with this
1644 * view but is not yet configured. If it is not the
1645 * view name but not a forward reference either, then it
1646 * is simply a named cache that is not shared.
1648 CHECK(isc_mem_create(0, 0, &cmctx));
1649 isc_mem_setname(cmctx, "cache", NULL);
1650 CHECK(dns_cache_create2(cmctx, ns_g_taskmgr,
1651 ns_g_timermgr, view->rdclass,
1652 cachename, "rbt", 0, NULL,
1655 nsc = isc_mem_get(mctx, sizeof(*nsc));
1657 result = ISC_R_NOMEMORY;
1661 dns_cache_attach(cache, &nsc->cache);
1662 nsc->primaryview = view;
1663 nsc->needflush = ISC_FALSE;
1664 nsc->adbsizeadjusted = ISC_FALSE;
1665 ISC_LINK_INIT(nsc, link);
1666 ISC_LIST_APPEND(*cachelist, nsc, link);
1668 dns_view_setcache2(view, cache, shared_cache);
1671 * cache-file cannot be inherited if views are present, but this
1672 * should be caught by the configuration checking stage.
1675 result = ns_config_get(maps, "cache-file", &obj);
1676 if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
1677 CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
1678 if (!reused_cache && !shared_cache)
1679 CHECK(dns_cache_load(cache));
1682 dns_cache_setcleaninginterval(cache, cleaning_interval);
1683 dns_cache_setcachesize(cache, max_cache_size);
1685 dns_cache_detach(&cache);
1690 * XXXRTH Hardwired number of tasks.
1692 CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4,
1693 ISC_TF(ISC_LIST_PREV(view, link)
1695 CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6,
1696 ISC_TF(ISC_LIST_PREV(view, link)
1698 if (dispatch4 == NULL && dispatch6 == NULL) {
1699 UNEXPECTED_ERROR(__FILE__, __LINE__,
1700 "unable to obtain neither an IPv4 nor"
1701 " an IPv6 dispatch");
1702 result = ISC_R_UNEXPECTED;
1705 CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
1706 ns_g_socketmgr, ns_g_timermgr,
1707 resopts, ns_g_dispatchmgr,
1708 dispatch4, dispatch6));
1710 if (resstats == NULL) {
1711 CHECK(isc_stats_create(mctx, &resstats,
1712 dns_resstatscounter_max));
1714 dns_view_setresstats(view, resstats);
1715 if (resquerystats == NULL)
1716 CHECK(dns_rdatatypestats_create(mctx, &resquerystats));
1717 dns_view_setresquerystats(view, resquerystats);
1720 * Set the ADB cache size to 1/8th of the max-cache-size or
1721 * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
1724 if (max_cache_size != 0) {
1725 max_adb_size = max_cache_size / 8;
1726 if (max_adb_size == 0)
1727 max_adb_size = 1; /* Force minimum. */
1728 if (view != nsc->primaryview &&
1729 max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
1730 max_adb_size = MAX_ADB_SIZE_FOR_CACHESHARE;
1731 if (!nsc->adbsizeadjusted) {
1732 dns_adb_setadbsize(nsc->primaryview->adb,
1733 MAX_ADB_SIZE_FOR_CACHESHARE);
1734 nsc->adbsizeadjusted = ISC_TRUE;
1738 dns_adb_setadbsize(view->adb, max_adb_size);
1741 * Set resolver's lame-ttl.
1744 result = ns_config_get(maps, "lame-ttl", &obj);
1745 INSIST(result == ISC_R_SUCCESS);
1746 lame_ttl = cfg_obj_asuint32(obj);
1747 if (lame_ttl > 1800)
1749 dns_resolver_setlamettl(view->resolver, lame_ttl);
1751 /* Specify whether to use 0-TTL for negative response for SOA query */
1752 dns_resolver_setzeronosoattl(view->resolver, zero_no_soattl);
1755 * Set the resolver's EDNS UDP size.
1758 result = ns_config_get(maps, "edns-udp-size", &obj);
1759 INSIST(result == ISC_R_SUCCESS);
1760 udpsize = cfg_obj_asuint32(obj);
1765 dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize);
1768 * Set the maximum UDP response size.
1771 result = ns_config_get(maps, "max-udp-size", &obj);
1772 INSIST(result == ISC_R_SUCCESS);
1773 udpsize = cfg_obj_asuint32(obj);
1778 view->maxudp = udpsize;
1781 * Set supported DNSSEC algorithms.
1783 dns_resolver_reset_algorithms(view->resolver);
1785 (void)ns_config_get(maps, "disable-algorithms", &disabled);
1786 if (disabled != NULL) {
1787 for (element = cfg_list_first(disabled);
1789 element = cfg_list_next(element))
1790 CHECK(disable_algorithms(cfg_listelt_value(element),
1795 * A global or view "forwarders" option, if present,
1796 * creates an entry for "." in the forwarding table.
1800 (void)ns_config_get(maps, "forward", &forwardtype);
1801 (void)ns_config_get(maps, "forwarders", &forwarders);
1802 if (forwarders != NULL)
1803 CHECK(configure_forward(config, view, dns_rootname,
1804 forwarders, forwardtype));
1807 * Dual Stack Servers.
1810 (void)ns_config_get(maps, "dual-stack-servers", &alternates);
1811 if (alternates != NULL)
1812 CHECK(configure_alternates(config, view, alternates));
1815 * We have default hints for class IN if we need them.
1817 if (view->rdclass == dns_rdataclass_in && view->hints == NULL)
1818 dns_view_sethints(view, ns_g_server->in_roothints);
1821 * If we still have no hints, this is a non-IN view with no
1822 * "hints zone" configured. Issue a warning, except if this
1823 * is a root server. Root servers never need to consult
1824 * their hints, so it's no point requiring users to configure
1827 if (view->hints == NULL) {
1828 dns_zone_t *rootzone = NULL;
1829 (void)dns_view_findzone(view, dns_rootname, &rootzone);
1830 if (rootzone != NULL) {
1831 dns_zone_detach(&rootzone);
1832 need_hints = ISC_FALSE;
1835 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1836 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
1837 "no root hints for view '%s'",
1842 * Configure the view's TSIG keys.
1844 CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
1845 if (ns_g_server->sessionkey != NULL) {
1846 CHECK(dns_tsigkeyring_add(ring, ns_g_server->session_keyname,
1847 ns_g_server->sessionkey));
1849 dns_view_setkeyring(view, ring);
1850 ring = NULL; /* ownership transferred */
1853 * Configure the view's peer list.
1856 const cfg_obj_t *peers = NULL;
1857 const cfg_listelt_t *element;
1858 dns_peerlist_t *newpeers = NULL;
1860 (void)ns_config_get(cfgmaps, "server", &peers);
1861 CHECK(dns_peerlist_new(mctx, &newpeers));
1862 for (element = cfg_list_first(peers);
1864 element = cfg_list_next(element))
1866 const cfg_obj_t *cpeer = cfg_listelt_value(element);
1869 CHECK(configure_peer(cpeer, mctx, &peer));
1870 dns_peerlist_addpeer(newpeers, peer);
1871 dns_peer_detach(&peer);
1873 dns_peerlist_detach(&view->peers);
1874 view->peers = newpeers; /* Transfer ownership. */
1878 * Configure the views rrset-order.
1881 const cfg_obj_t *rrsetorder = NULL;
1882 const cfg_listelt_t *element;
1884 (void)ns_config_get(maps, "rrset-order", &rrsetorder);
1885 CHECK(dns_order_create(mctx, &order));
1886 for (element = cfg_list_first(rrsetorder);
1888 element = cfg_list_next(element))
1890 const cfg_obj_t *ent = cfg_listelt_value(element);
1892 CHECK(configure_order(order, ent));
1894 if (view->order != NULL)
1895 dns_order_detach(&view->order);
1896 dns_order_attach(order, &view->order);
1897 dns_order_detach(&order);
1900 * Copy the aclenv object.
1902 dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
1905 * Configure the "match-clients" and "match-destinations" ACL.
1907 CHECK(configure_view_acl(vconfig, config, "match-clients", NULL, actx,
1908 ns_g_mctx, &view->matchclients));
1909 CHECK(configure_view_acl(vconfig, config, "match-destinations", NULL,
1910 actx, ns_g_mctx, &view->matchdestinations));
1913 * Configure the "match-recursive-only" option.
1916 (void)ns_config_get(maps, "match-recursive-only", &obj);
1917 if (obj != NULL && cfg_obj_asboolean(obj))
1918 view->matchrecursiveonly = ISC_TRUE;
1920 view->matchrecursiveonly = ISC_FALSE;
1923 * Configure other configurable data.
1926 result = ns_config_get(maps, "recursion", &obj);
1927 INSIST(result == ISC_R_SUCCESS);
1928 view->recursion = cfg_obj_asboolean(obj);
1931 result = ns_config_get(maps, "auth-nxdomain", &obj);
1932 INSIST(result == ISC_R_SUCCESS);
1933 view->auth_nxdomain = cfg_obj_asboolean(obj);
1936 result = ns_config_get(maps, "minimal-responses", &obj);
1937 INSIST(result == ISC_R_SUCCESS);
1938 view->minimalresponses = cfg_obj_asboolean(obj);
1941 result = ns_config_get(maps, "transfer-format", &obj);
1942 INSIST(result == ISC_R_SUCCESS);
1943 str = cfg_obj_asstring(obj);
1944 if (strcasecmp(str, "many-answers") == 0)
1945 view->transfer_format = dns_many_answers;
1946 else if (strcasecmp(str, "one-answer") == 0)
1947 view->transfer_format = dns_one_answer;
1952 * Set sources where additional data and CNAME/DNAME
1953 * targets for authoritative answers may be found.
1956 result = ns_config_get(maps, "additional-from-auth", &obj);
1957 INSIST(result == ISC_R_SUCCESS);
1958 view->additionalfromauth = cfg_obj_asboolean(obj);
1959 if (view->recursion && ! view->additionalfromauth) {
1960 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
1961 "'additional-from-auth no' is only supported "
1962 "with 'recursion no'");
1963 view->additionalfromauth = ISC_TRUE;
1967 result = ns_config_get(maps, "additional-from-cache", &obj);
1968 INSIST(result == ISC_R_SUCCESS);
1969 view->additionalfromcache = cfg_obj_asboolean(obj);
1970 if (view->recursion && ! view->additionalfromcache) {
1971 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
1972 "'additional-from-cache no' is only supported "
1973 "with 'recursion no'");
1974 view->additionalfromcache = ISC_TRUE;
1978 * Set "allow-query-cache", "allow-query-cache-on",
1979 * "allow-recursion", and "allow-recursion-on" acls if
1980 * configured in named.conf.
1982 CHECK(configure_view_acl(vconfig, config, "allow-query-cache", NULL,
1983 actx, ns_g_mctx, &view->queryacl));
1984 CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", NULL,
1985 actx, ns_g_mctx, &view->queryonacl));
1986 if (view->queryonacl == NULL)
1987 CHECK(configure_view_acl(NULL, ns_g_config,
1988 "allow-query-cache-on", NULL, actx,
1989 ns_g_mctx, &view->queryonacl));
1990 if (strcmp(view->name, "_bind") != 0) {
1991 CHECK(configure_view_acl(vconfig, config, "allow-recursion",
1992 NULL, actx, ns_g_mctx,
1993 &view->recursionacl));
1994 CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
1995 NULL, actx, ns_g_mctx,
1996 &view->recursiononacl));
2000 * "allow-query-cache" inherits from "allow-recursion" if set,
2001 * otherwise from "allow-query" if set.
2002 * "allow-recursion" inherits from "allow-query-cache" if set,
2003 * otherwise from "allow-query" if set.
2005 if (view->queryacl == NULL && view->recursionacl != NULL)
2006 dns_acl_attach(view->recursionacl, &view->queryacl);
2007 if (view->queryacl == NULL && view->recursion)
2008 CHECK(configure_view_acl(vconfig, config, "allow-query", NULL,
2009 actx, ns_g_mctx, &view->queryacl));
2010 if (view->recursion &&
2011 view->recursionacl == NULL && view->queryacl != NULL)
2012 dns_acl_attach(view->queryacl, &view->recursionacl);
2015 * Set default "allow-recursion", "allow-recursion-on" and
2016 * "allow-query-cache" acls.
2018 if (view->recursionacl == NULL && view->recursion)
2019 CHECK(configure_view_acl(NULL, ns_g_config,
2020 "allow-recursion", NULL,
2022 &view->recursionacl));
2023 if (view->recursiononacl == NULL && view->recursion)
2024 CHECK(configure_view_acl(NULL, ns_g_config,
2025 "allow-recursion-on", NULL,
2027 &view->recursiononacl));
2028 if (view->queryacl == NULL) {
2029 if (view->recursion)
2030 CHECK(configure_view_acl(NULL, ns_g_config,
2031 "allow-query-cache", NULL,
2035 if (view->queryacl != NULL)
2036 dns_acl_detach(&view->queryacl);
2037 CHECK(dns_acl_none(ns_g_mctx, &view->queryacl));
2042 * Filter setting on addresses in the answer section.
2044 CHECK(configure_view_acl(vconfig, config, "deny-answer-addresses",
2045 "acl", actx, ns_g_mctx, &view->denyansweracl));
2046 CHECK(configure_view_nametable(vconfig, config, "deny-answer-addresses",
2047 "except-from", ns_g_mctx,
2048 &view->answeracl_exclude));
2051 * Filter setting on names (CNAME/DNAME targets) in the answer section.
2053 CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
2055 &view->denyanswernames));
2056 CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
2057 "except-from", ns_g_mctx,
2058 &view->answernames_exclude));
2061 * Configure sortlist, if set
2063 CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
2067 * Configure default allow-transfer, allow-notify, allow-update
2068 * and allow-update-forwarding ACLs, if set, so they can be
2069 * inherited by zones.
2071 if (view->notifyacl == NULL)
2072 CHECK(configure_view_acl(NULL, ns_g_config,
2073 "allow-notify", NULL, actx,
2074 ns_g_mctx, &view->notifyacl));
2075 if (view->transferacl == NULL)
2076 CHECK(configure_view_acl(NULL, ns_g_config,
2077 "allow-transfer", NULL, actx,
2078 ns_g_mctx, &view->transferacl));
2079 if (view->updateacl == NULL)
2080 CHECK(configure_view_acl(NULL, ns_g_config,
2081 "allow-update", NULL, actx,
2082 ns_g_mctx, &view->updateacl));
2083 if (view->upfwdacl == NULL)
2084 CHECK(configure_view_acl(NULL, ns_g_config,
2085 "allow-update-forwarding", NULL, actx,
2086 ns_g_mctx, &view->upfwdacl));
2089 result = ns_config_get(maps, "request-ixfr", &obj);
2090 INSIST(result == ISC_R_SUCCESS);
2091 view->requestixfr = cfg_obj_asboolean(obj);
2094 result = ns_config_get(maps, "provide-ixfr", &obj);
2095 INSIST(result == ISC_R_SUCCESS);
2096 view->provideixfr = cfg_obj_asboolean(obj);
2099 result = ns_config_get(maps, "request-nsid", &obj);
2100 INSIST(result == ISC_R_SUCCESS);
2101 view->requestnsid = cfg_obj_asboolean(obj);
2104 result = ns_config_get(maps, "max-clients-per-query", &obj);
2105 INSIST(result == ISC_R_SUCCESS);
2106 max_clients_per_query = cfg_obj_asuint32(obj);
2109 result = ns_config_get(maps, "clients-per-query", &obj);
2110 INSIST(result == ISC_R_SUCCESS);
2111 dns_resolver_setclientsperquery(view->resolver,
2112 cfg_obj_asuint32(obj),
2113 max_clients_per_query);
2115 #ifdef ALLOW_FILTER_AAAA_ON_V4
2117 result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
2118 INSIST(result == ISC_R_SUCCESS);
2119 if (cfg_obj_isboolean(obj)) {
2120 if (cfg_obj_asboolean(obj))
2121 view->v4_aaaa = dns_v4_aaaa_filter;
2123 view->v4_aaaa = dns_v4_aaaa_ok;
2125 const char *v4_aaaastr = cfg_obj_asstring(obj);
2126 if (strcasecmp(v4_aaaastr, "break-dnssec") == 0)
2127 view->v4_aaaa = dns_v4_aaaa_break_dnssec;
2134 result = ns_config_get(maps, "dnssec-enable", &obj);
2135 INSIST(result == ISC_R_SUCCESS);
2136 view->enablednssec = cfg_obj_asboolean(obj);
2139 result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
2140 if (result == ISC_R_SUCCESS) {
2141 /* If set to "auto", use the version from the defaults */
2142 const cfg_obj_t *dlvobj;
2143 dlvobj = cfg_listelt_value(cfg_list_first(obj));
2144 if (!strcmp(cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain")),
2146 cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
2147 auto_dlv = ISC_TRUE;
2149 result = cfg_map_get(ns_g_defaults,
2150 "dnssec-lookaside", &obj);
2154 if (result == ISC_R_SUCCESS) {
2155 for (element = cfg_list_first(obj);
2157 element = cfg_list_next(element))
2163 obj = cfg_listelt_value(element);
2165 dns_fixedname_t fixed;
2169 * When we support multiple dnssec-lookaside
2170 * entries this is how to find the domain to be
2173 dns_fixedname_init(&fixed);
2174 name = dns_fixedname_name(&fixed);
2175 str = cfg_obj_asstring(cfg_tuple_get(obj,
2177 isc_buffer_init(&b, str, strlen(str));
2178 isc_buffer_add(&b, strlen(str));
2179 CHECK(dns_name_fromtext(name, &b, dns_rootname,
2182 str = cfg_obj_asstring(cfg_tuple_get(obj,
2184 isc_buffer_init(&b, str, strlen(str));
2185 isc_buffer_add(&b, strlen(str));
2186 dlv = dns_fixedname_name(&view->dlv_fixed);
2187 CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
2188 DNS_NAME_DOWNCASE, NULL));
2189 view->dlv = dns_fixedname_name(&view->dlv_fixed);
2195 * For now, there is only one kind of trusted keys, the
2198 CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
2200 dns_resolver_resetmustbesecure(view->resolver);
2202 result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
2203 if (result == ISC_R_SUCCESS)
2204 CHECK(mustbesecure(obj, view->resolver));
2207 result = ns_config_get(maps, "preferred-glue", &obj);
2208 if (result == ISC_R_SUCCESS) {
2209 str = cfg_obj_asstring(obj);
2210 if (strcasecmp(str, "a") == 0)
2211 view->preferred_glue = dns_rdatatype_a;
2212 else if (strcasecmp(str, "aaaa") == 0)
2213 view->preferred_glue = dns_rdatatype_aaaa;
2215 view->preferred_glue = 0;
2217 view->preferred_glue = 0;
2220 result = ns_config_get(maps, "root-delegation-only", &obj);
2221 if (result == ISC_R_SUCCESS) {
2222 dns_view_setrootdelonly(view, ISC_TRUE);
2223 if (!cfg_obj_isvoid(obj)) {
2224 dns_fixedname_t fixed;
2228 const cfg_obj_t *exclude;
2230 dns_fixedname_init(&fixed);
2231 name = dns_fixedname_name(&fixed);
2232 for (element = cfg_list_first(obj);
2234 element = cfg_list_next(element)) {
2235 exclude = cfg_listelt_value(element);
2236 str = cfg_obj_asstring(exclude);
2237 isc_buffer_init(&b, str, strlen(str));
2238 isc_buffer_add(&b, strlen(str));
2239 CHECK(dns_name_fromtext(name, &b, dns_rootname,
2241 CHECK(dns_view_excludedelegationonly(view,
2246 dns_view_setrootdelonly(view, ISC_FALSE);
2249 * Setup automatic empty zones. If recursion is off then
2250 * they are disabled by default.
2253 (void)ns_config_get(maps, "empty-zones-enable", &obj);
2254 (void)ns_config_get(maps, "disable-empty-zone", &disablelist);
2255 if (obj == NULL && disablelist == NULL &&
2256 view->rdclass == dns_rdataclass_in) {
2257 rfc1918 = ISC_FALSE;
2258 empty_zones_enable = view->recursion;
2259 } else if (view->rdclass == dns_rdataclass_in) {
2262 empty_zones_enable = cfg_obj_asboolean(obj);
2264 empty_zones_enable = view->recursion;
2266 rfc1918 = ISC_FALSE;
2267 empty_zones_enable = ISC_FALSE;
2269 if (empty_zones_enable) {
2272 dns_fixedname_t fixed;
2274 isc_buffer_t buffer;
2276 char server[DNS_NAME_FORMATSIZE + 1];
2277 char contact[DNS_NAME_FORMATSIZE + 1];
2278 isc_boolean_t logit;
2279 const char *empty_dbtype[4] =
2280 { "_builtin", "empty", NULL, NULL };
2281 int empty_dbtypec = 4;
2282 isc_boolean_t zonestats_on;
2284 dns_fixedname_init(&fixed);
2285 name = dns_fixedname_name(&fixed);
2288 result = ns_config_get(maps, "empty-server", &obj);
2289 if (result == ISC_R_SUCCESS) {
2290 str = cfg_obj_asstring(obj);
2291 isc_buffer_init(&buffer, str, strlen(str));
2292 isc_buffer_add(&buffer, strlen(str));
2293 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
2295 isc_buffer_init(&buffer, server, sizeof(server) - 1);
2296 CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
2297 server[isc_buffer_usedlength(&buffer)] = 0;
2298 empty_dbtype[2] = server;
2300 empty_dbtype[2] = "@";
2303 result = ns_config_get(maps, "empty-contact", &obj);
2304 if (result == ISC_R_SUCCESS) {
2305 str = cfg_obj_asstring(obj);
2306 isc_buffer_init(&buffer, str, strlen(str));
2307 isc_buffer_add(&buffer, strlen(str));
2308 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
2310 isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
2311 CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
2312 contact[isc_buffer_usedlength(&buffer)] = 0;
2313 empty_dbtype[3] = contact;
2315 empty_dbtype[3] = ".";
2318 result = ns_config_get(maps, "zone-statistics", &obj);
2319 INSIST(result == ISC_R_SUCCESS);
2320 zonestats_on = cfg_obj_asboolean(obj);
2323 for (empty = empty_zones[empty_zone].zone;
2325 empty = empty_zones[++empty_zone].zone)
2327 dns_forwarders_t *forwarders = NULL;
2328 dns_view_t *pview = NULL;
2330 isc_buffer_init(&buffer, empty, strlen(empty));
2331 isc_buffer_add(&buffer, strlen(empty));
2333 * Look for zone on drop list.
2335 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
2337 if (disablelist != NULL &&
2338 on_disable_list(disablelist, name))
2342 * This zone already exists.
2344 (void)dns_view_findzone(view, name, &zone);
2346 CHECK(setquerystats(zone, mctx, zonestats_on));
2347 dns_zone_detach(&zone);
2352 * If we would forward this name don't add a
2353 * empty zone for it.
2355 result = dns_fwdtable_find(view->fwdtable, name,
2357 if (result == ISC_R_SUCCESS &&
2358 forwarders->fwdpolicy == dns_fwdpolicy_only)
2361 if (!rfc1918 && empty_zones[empty_zone].rfc1918) {
2363 isc_log_write(ns_g_lctx,
2364 NS_LOGCATEGORY_GENERAL,
2365 NS_LOGMODULE_SERVER,
2368 "'empty-zones-enable/"
2369 "disable-empty-zone' "
2370 "not set: disabling "
2371 "RFC 1918 empty zones",
2379 * See if we can re-use a existing zone.
2381 result = dns_viewlist_find(&ns_g_server->viewlist,
2382 view->name, view->rdclass,
2384 if (result != ISC_R_NOTFOUND &&
2385 result != ISC_R_SUCCESS)
2388 if (pview != NULL) {
2389 (void)dns_view_findzone(pview, name, &zone);
2390 dns_view_detach(&pview);
2392 check_dbtype(&zone, empty_dbtypec,
2393 empty_dbtype, mctx);
2395 dns_zone_setview(zone, view);
2396 CHECK(dns_view_addzone(view, zone));
2397 CHECK(setquerystats(zone, mctx,
2399 dns_zone_detach(&zone);
2404 CHECK(dns_zone_create(&zone, mctx));
2405 CHECK(dns_zone_setorigin(zone, name));
2406 dns_zone_setview(zone, view);
2407 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
2408 dns_zone_setclass(zone, view->rdclass);
2409 dns_zone_settype(zone, dns_zone_master);
2410 dns_zone_setstats(zone, ns_g_server->zonestats);
2411 CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
2413 if (view->queryacl != NULL)
2414 dns_zone_setqueryacl(zone, view->queryacl);
2415 if (view->queryonacl != NULL)
2416 dns_zone_setqueryonacl(zone, view->queryonacl);
2417 dns_zone_setdialup(zone, dns_dialuptype_no);
2418 dns_zone_setnotifytype(zone, dns_notifytype_no);
2419 dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,
2421 CHECK(setquerystats(zone, mctx, zonestats_on));
2422 CHECK(dns_view_addzone(view, zone));
2423 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2424 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
2425 "automatic empty zone%s%s: %s",
2426 sep, viewname, empty);
2427 dns_zone_detach(&zone);
2431 result = ISC_R_SUCCESS;
2435 dns_tsigkeyring_destroy(&ring);
2437 dns_zone_detach(&zone);
2438 if (dispatch4 != NULL)
2439 dns_dispatch_detach(&dispatch4);
2440 if (dispatch6 != NULL)
2441 dns_dispatch_detach(&dispatch6);
2442 if (resstats != NULL)
2443 isc_stats_detach(&resstats);
2444 if (resquerystats != NULL)
2445 dns_stats_detach(&resquerystats);
2447 dns_order_detach(&order);
2449 isc_mem_detach(&cmctx);
2452 dns_cache_detach(&cache);
2458 configure_hints(dns_view_t *view, const char *filename) {
2459 isc_result_t result;
2463 result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
2464 if (result == ISC_R_SUCCESS) {
2465 dns_view_sethints(view, db);
2473 configure_alternates(const cfg_obj_t *config, dns_view_t *view,
2474 const cfg_obj_t *alternates)
2476 const cfg_obj_t *portobj;
2477 const cfg_obj_t *addresses;
2478 const cfg_listelt_t *element;
2479 isc_result_t result = ISC_R_SUCCESS;
2483 * Determine which port to send requests to.
2485 if (ns_g_lwresdonly && ns_g_port != 0)
2488 CHECKM(ns_config_getport(config, &port), "port");
2490 if (alternates != NULL) {
2491 portobj = cfg_tuple_get(alternates, "port");
2492 if (cfg_obj_isuint32(portobj)) {
2493 isc_uint32_t val = cfg_obj_asuint32(portobj);
2494 if (val > ISC_UINT16_MAX) {
2495 cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
2496 "port '%u' out of range", val);
2497 return (ISC_R_RANGE);
2499 port = (in_port_t) val;
2504 if (alternates != NULL)
2505 addresses = cfg_tuple_get(alternates, "addresses");
2507 for (element = cfg_list_first(addresses);
2509 element = cfg_list_next(element))
2511 const cfg_obj_t *alternate = cfg_listelt_value(element);
2514 if (!cfg_obj_issockaddr(alternate)) {
2515 dns_fixedname_t fixed;
2517 const char *str = cfg_obj_asstring(cfg_tuple_get(
2518 alternate, "name"));
2519 isc_buffer_t buffer;
2520 in_port_t myport = port;
2522 isc_buffer_init(&buffer, str, strlen(str));
2523 isc_buffer_add(&buffer, strlen(str));
2524 dns_fixedname_init(&fixed);
2525 name = dns_fixedname_name(&fixed);
2526 CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
2529 portobj = cfg_tuple_get(alternate, "port");
2530 if (cfg_obj_isuint32(portobj)) {
2531 isc_uint32_t val = cfg_obj_asuint32(portobj);
2532 if (val > ISC_UINT16_MAX) {
2533 cfg_obj_log(portobj, ns_g_lctx,
2535 "port '%u' out of range",
2537 return (ISC_R_RANGE);
2539 myport = (in_port_t) val;
2541 CHECK(dns_resolver_addalternate(view->resolver, NULL,
2546 sa = *cfg_obj_assockaddr(alternate);
2547 if (isc_sockaddr_getport(&sa) == 0)
2548 isc_sockaddr_setport(&sa, port);
2549 CHECK(dns_resolver_addalternate(view->resolver, &sa,
2558 configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
2559 const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype)
2561 const cfg_obj_t *portobj;
2562 const cfg_obj_t *faddresses;
2563 const cfg_listelt_t *element;
2564 dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
2565 isc_sockaddrlist_t addresses;
2567 isc_result_t result;
2570 ISC_LIST_INIT(addresses);
2573 * Determine which port to send forwarded requests to.
2575 if (ns_g_lwresdonly && ns_g_port != 0)
2578 CHECKM(ns_config_getport(config, &port), "port");
2580 if (forwarders != NULL) {
2581 portobj = cfg_tuple_get(forwarders, "port");
2582 if (cfg_obj_isuint32(portobj)) {
2583 isc_uint32_t val = cfg_obj_asuint32(portobj);
2584 if (val > ISC_UINT16_MAX) {
2585 cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
2586 "port '%u' out of range", val);
2587 return (ISC_R_RANGE);
2589 port = (in_port_t) val;
2594 if (forwarders != NULL)
2595 faddresses = cfg_tuple_get(forwarders, "addresses");
2597 for (element = cfg_list_first(faddresses);
2599 element = cfg_list_next(element))
2601 const cfg_obj_t *forwarder = cfg_listelt_value(element);
2602 sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
2604 result = ISC_R_NOMEMORY;
2607 *sa = *cfg_obj_assockaddr(forwarder);
2608 if (isc_sockaddr_getport(sa) == 0)
2609 isc_sockaddr_setport(sa, port);
2610 ISC_LINK_INIT(sa, link);
2611 ISC_LIST_APPEND(addresses, sa, link);
2614 if (ISC_LIST_EMPTY(addresses)) {
2615 if (forwardtype != NULL)
2616 cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
2617 "no forwarders seen; disabling "
2619 fwdpolicy = dns_fwdpolicy_none;
2621 if (forwardtype == NULL)
2622 fwdpolicy = dns_fwdpolicy_first;
2624 const char *forwardstr = cfg_obj_asstring(forwardtype);
2625 if (strcasecmp(forwardstr, "first") == 0)
2626 fwdpolicy = dns_fwdpolicy_first;
2627 else if (strcasecmp(forwardstr, "only") == 0)
2628 fwdpolicy = dns_fwdpolicy_only;
2634 result = dns_fwdtable_add(view->fwdtable, origin, &addresses,
2636 if (result != ISC_R_SUCCESS) {
2637 char namebuf[DNS_NAME_FORMATSIZE];
2638 dns_name_format(origin, namebuf, sizeof(namebuf));
2639 cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
2640 "could not set up forwarding for domain '%s': %s",
2641 namebuf, isc_result_totext(result));
2645 result = ISC_R_SUCCESS;
2649 while (!ISC_LIST_EMPTY(addresses)) {
2650 sa = ISC_LIST_HEAD(addresses);
2651 ISC_LIST_UNLINK(addresses, sa, link);
2652 isc_mem_put(view->mctx, sa, sizeof(isc_sockaddr_t));
2659 * Create a new view and add it to the list.
2661 * If 'vconfig' is NULL, create the default view.
2663 * The view created is attached to '*viewp'.
2666 create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
2669 isc_result_t result;
2670 const char *viewname;
2671 dns_rdataclass_t viewclass;
2672 dns_view_t *view = NULL;
2674 if (vconfig != NULL) {
2675 const cfg_obj_t *classobj = NULL;
2677 viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
2678 classobj = cfg_tuple_get(vconfig, "class");
2679 result = ns_config_getclass(classobj, dns_rdataclass_in,
2682 viewname = "_default";
2683 viewclass = dns_rdataclass_in;
2685 result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
2686 if (result == ISC_R_SUCCESS)
2687 return (ISC_R_EXISTS);
2688 if (result != ISC_R_NOTFOUND)
2690 INSIST(view == NULL);
2692 result = dns_view_create(ns_g_mctx, viewclass, viewname, &view);
2693 if (result != ISC_R_SUCCESS)
2696 ISC_LIST_APPEND(*viewlist, view, link);
2697 dns_view_attach(view, viewp);
2698 return (ISC_R_SUCCESS);
2702 * Configure or reconfigure a zone.
2705 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
2706 const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
2707 cfg_aclconfctx_t *aclconf)
2709 dns_view_t *pview = NULL; /* Production view */
2710 dns_zone_t *zone = NULL; /* New or reused zone */
2711 dns_zone_t *dupzone = NULL;
2712 const cfg_obj_t *options = NULL;
2713 const cfg_obj_t *zoptions = NULL;
2714 const cfg_obj_t *typeobj = NULL;
2715 const cfg_obj_t *forwarders = NULL;
2716 const cfg_obj_t *forwardtype = NULL;
2717 const cfg_obj_t *only = NULL;
2718 isc_result_t result;
2719 isc_result_t tresult;
2720 isc_buffer_t buffer;
2721 dns_fixedname_t fixorigin;
2724 dns_rdataclass_t zclass;
2725 const char *ztypestr;
2728 (void)cfg_map_get(config, "options", &options);
2730 zoptions = cfg_tuple_get(zconfig, "options");
2733 * Get the zone origin as a dns_name_t.
2735 zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
2736 isc_buffer_init(&buffer, zname, strlen(zname));
2737 isc_buffer_add(&buffer, strlen(zname));
2738 dns_fixedname_init(&fixorigin);
2739 CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
2740 &buffer, dns_rootname, 0, NULL));
2741 origin = dns_fixedname_name(&fixorigin);
2743 CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
2744 view->rdclass, &zclass));
2745 if (zclass != view->rdclass) {
2746 const char *vname = NULL;
2747 if (vconfig != NULL)
2748 vname = cfg_obj_asstring(cfg_tuple_get(vconfig,
2751 vname = "<default view>";
2753 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2754 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
2755 "zone '%s': wrong class for view '%s'",
2757 result = ISC_R_FAILURE;
2761 (void)cfg_map_get(zoptions, "type", &typeobj);
2762 if (typeobj == NULL) {
2763 cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
2764 "zone '%s' 'type' not specified", zname);
2765 return (ISC_R_FAILURE);
2767 ztypestr = cfg_obj_asstring(typeobj);
2770 * "hints zones" aren't zones. If we've got one,
2771 * configure it and return.
2773 if (strcasecmp(ztypestr, "hint") == 0) {
2774 const cfg_obj_t *fileobj = NULL;
2775 if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
2776 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2777 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
2778 "zone '%s': 'file' not specified",
2780 result = ISC_R_FAILURE;
2783 if (dns_name_equal(origin, dns_rootname)) {
2784 const char *hintsfile = cfg_obj_asstring(fileobj);
2786 result = configure_hints(view, hintsfile);
2787 if (result != ISC_R_SUCCESS) {
2788 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2789 NS_LOGMODULE_SERVER,
2791 "could not configure root hints "
2792 "from '%s': %s", hintsfile,
2793 isc_result_totext(result));
2797 * Hint zones may also refer to delegation only points.
2800 tresult = cfg_map_get(zoptions, "delegation-only",
2802 if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
2803 CHECK(dns_view_adddelegationonly(view, origin));
2805 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2806 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
2807 "ignoring non-root hint zone '%s'",
2809 result = ISC_R_SUCCESS;
2811 /* Skip ordinary zone processing. */
2816 * "forward zones" aren't zones either. Translate this syntax into
2817 * the appropriate selective forwarding configuration and return.
2819 if (strcasecmp(ztypestr, "forward") == 0) {
2823 (void)cfg_map_get(zoptions, "forward", &forwardtype);
2824 (void)cfg_map_get(zoptions, "forwarders", &forwarders);
2825 result = configure_forward(config, view, origin, forwarders,
2831 * "delegation-only zones" aren't zones either.
2833 if (strcasecmp(ztypestr, "delegation-only") == 0) {
2834 result = dns_view_adddelegationonly(view, origin);
2839 * Check for duplicates in the new zone table.
2841 result = dns_view_findzone(view, origin, &dupzone);
2842 if (result == ISC_R_SUCCESS) {
2844 * We already have this zone!
2846 cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
2847 "zone '%s' already exists", zname);
2848 dns_zone_detach(&dupzone);
2849 result = ISC_R_EXISTS;
2852 INSIST(dupzone == NULL);
2855 * See if we can reuse an existing zone. This is
2856 * only possible if all of these are true:
2857 * - The zone's view exists
2858 * - A zone with the right name exists in the view
2859 * - The zone is compatible with the config
2860 * options (e.g., an existing master zone cannot
2861 * be reused if the options specify a slave zone)
2863 result = dns_viewlist_find(&ns_g_server->viewlist,
2864 view->name, view->rdclass,
2866 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
2869 result = dns_view_findzone(pview, origin, &zone);
2870 if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
2872 if (zone != NULL && !ns_zone_reusable(zone, zconfig))
2873 dns_zone_detach(&zone);
2877 * We found a reusable zone. Make it use the
2880 dns_zone_setview(zone, view);
2881 if (view->acache != NULL)
2882 dns_zone_setacache(zone, view->acache);
2885 * We cannot reuse an existing zone, we have
2886 * to create a new one.
2888 CHECK(dns_zone_create(&zone, mctx));
2889 CHECK(dns_zone_setorigin(zone, origin));
2890 dns_zone_setview(zone, view);
2891 if (view->acache != NULL)
2892 dns_zone_setacache(zone, view->acache);
2893 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
2894 dns_zone_setstats(zone, ns_g_server->zonestats);
2898 * If the zone contains a 'forwarders' statement, configure
2899 * selective forwarding.
2902 if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS)
2905 (void)cfg_map_get(zoptions, "forward", &forwardtype);
2906 CHECK(configure_forward(config, view, origin, forwarders,
2911 * Stub and forward zones may also refer to delegation only points.
2914 if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS)
2916 if (cfg_obj_asboolean(only))
2917 CHECK(dns_view_adddelegationonly(view, origin));
2921 * Configure the zone.
2923 CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone));
2926 * Add the zone to its view in the new view list.
2928 CHECK(dns_view_addzone(view, zone));
2932 dns_zone_detach(&zone);
2934 dns_view_detach(&pview);
2940 * Configure built-in zone for storing managed-key data.
2943 #define KEYZONE "managed-keys.bind"
2944 #define MKEYS ".mkeys"
2947 add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
2948 isc_result_t result;
2949 dns_zone_t *zone = NULL;
2950 dns_acl_t *none = NULL;
2951 char filename[PATH_MAX];
2952 char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(MKEYS)];
2955 REQUIRE(view != NULL);
2957 CHECK(dns_zone_create(&zone, mctx));
2959 CHECK(dns_zone_setorigin(zone, dns_rootname));
2961 isc_sha256_data((void *)view->name, strlen(view->name), buffer);
2962 strcat(buffer, MKEYS);
2963 n = snprintf(filename, sizeof(filename), "%s%s%s",
2964 directory ? directory : "", directory ? "/" : "",
2965 strcmp(view->name, "_default") == 0 ? KEYZONE : buffer);
2966 if (n < 0 || (size_t)n >= sizeof(filename)) {
2967 result = (n < 0) ? ISC_R_FAILURE : ISC_R_NOSPACE;
2970 CHECK(dns_zone_setfile(zone, filename));
2972 dns_zone_setview(zone, view);
2973 dns_zone_settype(zone, dns_zone_key);
2974 dns_zone_setclass(zone, view->rdclass);
2976 CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
2978 if (view->acache != NULL)
2979 dns_zone_setacache(zone, view->acache);
2981 CHECK(dns_acl_none(mctx, &none));
2982 dns_zone_setqueryacl(zone, none);
2983 dns_zone_setqueryonacl(zone, none);
2984 dns_acl_detach(&none);
2986 dns_zone_setdialup(zone, dns_dialuptype_no);
2987 dns_zone_setnotifytype(zone, dns_notifytype_no);
2988 dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
2989 dns_zone_setjournalsize(zone, 0);
2991 dns_zone_setstats(zone, ns_g_server->zonestats);
2992 CHECK(setquerystats(zone, mctx, ISC_FALSE));
2994 if (view->managed_keys != NULL)
2995 dns_zone_detach(&view->managed_keys);
2996 dns_zone_attach(zone, &view->managed_keys);
2998 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
2999 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3000 "set up managed keys zone for view %s, file '%s'",
3001 view->name, filename);
3005 dns_zone_detach(&zone);
3007 dns_acl_detach(&none);
3013 * Configure a single server quota.
3016 configure_server_quota(const cfg_obj_t **maps, const char *name,
3019 const cfg_obj_t *obj = NULL;
3020 isc_result_t result;
3022 result = ns_config_get(maps, name, &obj);
3023 INSIST(result == ISC_R_SUCCESS);
3024 isc_quota_max(quota, cfg_obj_asuint32(obj));
3028 * This function is called as soon as the 'directory' statement has been
3029 * parsed. This can be extended to support other options if necessary.
3032 directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
3033 isc_result_t result;
3034 const char *directory;
3036 REQUIRE(strcasecmp("directory", clausename) == 0);
3044 directory = cfg_obj_asstring(obj);
3046 if (! isc_file_ischdiridempotent(directory))
3047 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
3048 "option 'directory' contains relative path '%s'",
3051 result = isc_dir_chdir(directory);
3052 if (result != ISC_R_SUCCESS) {
3053 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
3054 "change directory to '%s' failed: %s",
3055 directory, isc_result_totext(result));
3059 return (ISC_R_SUCCESS);
3063 scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
3064 isc_boolean_t match_mapped = server->aclenv.match_mapped;
3066 ns_interfacemgr_scan(server->interfacemgr, verbose);
3068 * Update the "localhost" and "localnets" ACLs to match the
3069 * current set of network interfaces.
3071 dns_aclenv_copy(&server->aclenv,
3072 ns_interfacemgr_getaclenv(server->interfacemgr));
3074 server->aclenv.match_mapped = match_mapped;
3078 add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
3079 isc_boolean_t wcardport_ok)
3081 ns_listenelt_t *lelt = NULL;
3082 dns_acl_t *src_acl = NULL;
3083 isc_result_t result;
3084 isc_sockaddr_t any_sa6;
3085 isc_netaddr_t netaddr;
3087 REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
3089 isc_sockaddr_any6(&any_sa6);
3090 if (!isc_sockaddr_equal(&any_sa6, addr) &&
3091 (wcardport_ok || isc_sockaddr_getport(addr) != 0)) {
3092 isc_netaddr_fromin6(&netaddr, &addr->type.sin6.sin6_addr);
3094 result = dns_acl_create(mctx, 0, &src_acl);
3095 if (result != ISC_R_SUCCESS)
3098 result = dns_iptable_addprefix(src_acl->iptable,
3099 &netaddr, 128, ISC_TRUE);
3100 if (result != ISC_R_SUCCESS)
3103 result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
3105 if (result != ISC_R_SUCCESS)
3107 ISC_LIST_APPEND(list->elts, lelt, link);
3110 return (ISC_R_SUCCESS);
3113 INSIST(lelt == NULL);
3114 dns_acl_detach(&src_acl);
3120 * Make a list of xxx-source addresses and call ns_interfacemgr_adjust()
3121 * to update the listening interfaces accordingly.
3122 * We currently only consider IPv6, because this only affects IPv6 wildcard
3126 adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
3127 isc_result_t result;
3128 ns_listenlist_t *list = NULL;
3130 dns_zone_t *zone, *next;
3131 isc_sockaddr_t addr, *addrp;
3133 result = ns_listenlist_create(mctx, &list);
3134 if (result != ISC_R_SUCCESS)
3137 for (view = ISC_LIST_HEAD(server->viewlist);
3139 view = ISC_LIST_NEXT(view, link)) {
3140 dns_dispatch_t *dispatch6;
3142 dispatch6 = dns_resolver_dispatchv6(view->resolver);
3143 if (dispatch6 == NULL)
3145 result = dns_dispatch_getlocaladdress(dispatch6, &addr);
3146 if (result != ISC_R_SUCCESS)
3150 * We always add non-wildcard address regardless of whether
3151 * the port is 'any' (the fourth arg is TRUE): if the port is
3152 * specific, we need to add it since it may conflict with a
3153 * listening interface; if it's zero, we'll dynamically open
3154 * query ports, and some of them may override an existing
3155 * wildcard IPv6 port.
3157 result = add_listenelt(mctx, list, &addr, ISC_TRUE);
3158 if (result != ISC_R_SUCCESS)
3163 for (result = dns_zone_first(server->zonemgr, &zone);
3164 result == ISC_R_SUCCESS;
3165 next = NULL, result = dns_zone_next(zone, &next), zone = next) {
3166 dns_view_t *zoneview;
3169 * At this point the zone list may contain a stale zone
3170 * just removed from the configuration. To see the validity,
3171 * check if the corresponding view is in our current view list.
3172 * There may also be old zones that are still in the process
3173 * of shutting down and have detached from their old view
3174 * (zoneview == NULL).
3176 zoneview = dns_zone_getview(zone);
3177 if (zoneview == NULL)
3179 for (view = ISC_LIST_HEAD(server->viewlist);
3180 view != NULL && view != zoneview;
3181 view = ISC_LIST_NEXT(view, link))
3186 addrp = dns_zone_getnotifysrc6(zone);
3187 result = add_listenelt(mctx, list, addrp, ISC_FALSE);
3188 if (result != ISC_R_SUCCESS)
3191 addrp = dns_zone_getxfrsource6(zone);
3192 result = add_listenelt(mctx, list, addrp, ISC_FALSE);
3193 if (result != ISC_R_SUCCESS)
3197 ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE);
3200 ns_listenlist_detach(&list);
3205 * Even when we failed the procedure, most of other interfaces
3206 * should work correctly. We therefore just warn it.
3208 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3209 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
3210 "could not adjust the listen-on list; "
3211 "some interfaces may not work");
3216 * This event callback is invoked to do periodic network
3217 * interface scanning.
3220 interface_timer_tick(isc_task_t *task, isc_event_t *event) {
3221 isc_result_t result;
3222 ns_server_t *server = (ns_server_t *) event->ev_arg;
3223 INSIST(task == server->task);
3225 isc_event_free(&event);
3227 * XXX should scan interfaces unlocked and get exclusive access
3228 * only to replace ACLs.
3230 result = isc_task_beginexclusive(server->task);
3231 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3232 scan_interfaces(server, ISC_FALSE);
3233 isc_task_endexclusive(server->task);
3237 heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
3238 ns_server_t *server = (ns_server_t *) event->ev_arg;
3242 isc_event_free(&event);
3243 view = ISC_LIST_HEAD(server->viewlist);
3244 while (view != NULL) {
3245 dns_view_dialup(view);
3246 view = ISC_LIST_NEXT(view, link);
3251 pps_timer_tick(isc_task_t *task, isc_event_t *event) {
3252 static unsigned int oldrequests = 0;
3253 unsigned int requests = ns_client_requests;
3256 isc_event_free(&event);
3259 * Don't worry about wrapping as the overflow result will be right.
3261 dns_pps = (requests - oldrequests) / 1200;
3262 oldrequests = requests;
3266 * Replace the current value of '*field', a dynamically allocated
3267 * string or NULL, with a dynamically allocated copy of the
3268 * null-terminated string pointed to by 'value', or NULL.
3271 setstring(ns_server_t *server, char **field, const char *value) {
3274 if (value != NULL) {
3275 copy = isc_mem_strdup(server->mctx, value);
3277 return (ISC_R_NOMEMORY);
3283 isc_mem_free(server->mctx, *field);
3286 return (ISC_R_SUCCESS);
3290 * Replace the current value of '*field', a dynamically allocated
3291 * string or NULL, with another dynamically allocated string
3292 * or NULL if whether 'obj' is a string or void value, respectively.
3295 setoptstring(ns_server_t *server, char **field, const cfg_obj_t *obj) {
3296 if (cfg_obj_isvoid(obj))
3297 return (setstring(server, field, NULL));
3299 return (setstring(server, field, cfg_obj_asstring(obj)));
3303 set_limit(const cfg_obj_t **maps, const char *configname,
3304 const char *description, isc_resource_t resourceid,
3305 isc_resourcevalue_t defaultvalue)
3307 const cfg_obj_t *obj = NULL;
3308 const char *resource;
3309 isc_resourcevalue_t value;
3310 isc_result_t result;
3312 if (ns_config_get(maps, configname, &obj) != ISC_R_SUCCESS)
3315 if (cfg_obj_isstring(obj)) {
3316 resource = cfg_obj_asstring(obj);
3317 if (strcasecmp(resource, "unlimited") == 0)
3318 value = ISC_RESOURCE_UNLIMITED;
3320 INSIST(strcasecmp(resource, "default") == 0);
3321 value = defaultvalue;
3324 value = cfg_obj_asuint64(obj);
3326 result = isc_resource_setlimit(resourceid, value);
3327 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
3328 result == ISC_R_SUCCESS ?
3329 ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
3330 "set maximum %s to %" ISC_PRINT_QUADFORMAT "u: %s",
3331 description, value, isc_result_totext(result));
3334 #define SETLIMIT(cfgvar, resource, description) \
3335 set_limit(maps, cfgvar, description, isc_resource_ ## resource, \
3336 ns_g_init ## resource)
3339 set_limits(const cfg_obj_t **maps) {
3340 SETLIMIT("stacksize", stacksize, "stack size");
3341 SETLIMIT("datasize", datasize, "data size");
3342 SETLIMIT("coresize", coresize, "core size");
3343 SETLIMIT("files", openfiles, "open files");
3347 portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
3348 isc_boolean_t positive)
3350 const cfg_listelt_t *element;
3352 for (element = cfg_list_first(ports);
3354 element = cfg_list_next(element)) {
3355 const cfg_obj_t *obj = cfg_listelt_value(element);
3357 if (cfg_obj_isuint32(obj)) {
3358 in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
3361 isc_portset_add(portset, port);
3363 isc_portset_remove(portset, port);
3365 const cfg_obj_t *obj_loport, *obj_hiport;
3366 in_port_t loport, hiport;
3368 obj_loport = cfg_tuple_get(obj, "loport");
3369 loport = (in_port_t)cfg_obj_asuint32(obj_loport);
3370 obj_hiport = cfg_tuple_get(obj, "hiport");
3371 hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
3374 isc_portset_addrange(portset, loport, hiport);
3376 isc_portset_removerange(portset, loport,
3384 removed(dns_zone_t *zone, void *uap) {
3387 if (dns_zone_getview(zone) != uap)
3388 return (ISC_R_SUCCESS);
3390 switch (dns_zone_gettype(zone)) {
3391 case dns_zone_master:
3394 case dns_zone_slave:
3404 dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type);
3405 return (ISC_R_SUCCESS);
3409 cleanup_session_key(ns_server_t *server, isc_mem_t *mctx) {
3410 if (server->session_keyfile != NULL) {
3411 isc_file_remove(server->session_keyfile);
3412 isc_mem_free(mctx, server->session_keyfile);
3413 server->session_keyfile = NULL;
3416 if (server->session_keyname != NULL) {
3417 if (dns_name_dynamic(server->session_keyname))
3418 dns_name_free(server->session_keyname, mctx);
3419 isc_mem_put(mctx, server->session_keyname, sizeof(dns_name_t));
3420 server->session_keyname = NULL;
3423 if (server->sessionkey != NULL)
3424 dns_tsigkey_detach(&server->sessionkey);
3426 server->session_keyalg = DST_ALG_UNKNOWN;
3427 server->session_keybits = 0;
3431 generate_session_key(const char *filename, const char *keynamestr,
3432 dns_name_t *keyname, const char *algstr,
3433 dns_name_t *algname, unsigned int algtype,
3434 isc_uint16_t bits, isc_mem_t *mctx,
3435 dns_tsigkey_t **tsigkeyp)
3437 isc_result_t result = ISC_R_SUCCESS;
3438 dst_key_t *key = NULL;
3439 isc_buffer_t key_txtbuffer;
3440 isc_buffer_t key_rawbuffer;
3441 char key_txtsecret[256];
3442 char key_rawsecret[64];
3443 isc_region_t key_rawregion;
3445 dns_tsigkey_t *tsigkey = NULL;
3448 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3449 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3450 "generating session key for dynamic DNS");
3453 result = dst_key_generate(keyname, algtype, bits, 1, 0,
3454 DNS_KEYPROTO_ANY, dns_rdataclass_in,
3456 if (result != ISC_R_SUCCESS)
3460 * Dump the key to the buffer for later use. Should be done before
3461 * we transfer the ownership of key to tsigkey.
3463 isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
3464 CHECK(dst_key_tobuffer(key, &key_rawbuffer));
3466 isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
3467 isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
3468 CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer));
3470 /* Store the key in tsigkey. */
3471 isc_stdtime_get(&now);
3472 CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key,
3473 ISC_FALSE, NULL, now, now, mctx, NULL,
3475 key = NULL; /* ownership of key has been transferred */
3477 /* Dump the key to the key file. */
3478 fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE);
3480 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3481 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3482 "could not create %s", filename);
3483 result = ISC_R_NOPERM;
3487 fprintf(fp, "key \"%s\" {\n"
3489 "\tsecret \"%.*s\";\n};\n", keynamestr, algstr,
3490 (int) isc_buffer_usedlength(&key_txtbuffer),
3491 (char*) isc_buffer_base(&key_txtbuffer));
3493 RUNTIME_CHECK(isc_stdio_flush(fp) == ISC_R_SUCCESS);
3494 RUNTIME_CHECK(isc_stdio_close(fp) == ISC_R_SUCCESS);
3496 *tsigkeyp = tsigkey;
3498 return (ISC_R_SUCCESS);
3501 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3502 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
3503 "failed to generate session key "
3504 "for dynamic DNS: %s", isc_result_totext(result));
3505 if (tsigkey != NULL)
3506 dns_tsigkey_detach(&tsigkey);
3514 configure_session_key(const cfg_obj_t **maps, ns_server_t *server,
3517 const char *keyfile, *keynamestr, *algstr;
3518 unsigned int algtype;
3519 dns_fixedname_t fname;
3520 dns_name_t *keyname, *algname;
3521 isc_buffer_t buffer;
3523 const cfg_obj_t *obj;
3524 isc_boolean_t need_deleteold = ISC_FALSE;
3525 isc_boolean_t need_createnew = ISC_FALSE;
3526 isc_result_t result;
3529 result = ns_config_get(maps, "session-keyfile", &obj);
3530 if (result == ISC_R_SUCCESS) {
3531 if (cfg_obj_isvoid(obj))
3532 keyfile = NULL; /* disable it */
3534 keyfile = cfg_obj_asstring(obj);
3536 keyfile = ns_g_defaultsessionkeyfile;
3539 result = ns_config_get(maps, "session-keyname", &obj);
3540 INSIST(result == ISC_R_SUCCESS);
3541 keynamestr = cfg_obj_asstring(obj);
3542 dns_fixedname_init(&fname);
3543 isc_buffer_init(&buffer, keynamestr, strlen(keynamestr));
3544 isc_buffer_add(&buffer, strlen(keynamestr));
3545 keyname = dns_fixedname_name(&fname);
3546 result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
3547 if (result != ISC_R_SUCCESS)
3551 result = ns_config_get(maps, "session-keyalg", &obj);
3552 INSIST(result == ISC_R_SUCCESS);
3553 algstr = cfg_obj_asstring(obj);
3555 result = ns_config_getkeyalgorithm2(algstr, &algname, &algtype, &bits);
3556 if (result != ISC_R_SUCCESS) {
3557 const char *s = " (keeping current key)";
3559 cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "session-keyalg: "
3560 "unsupported or unknown algorithm '%s'%s",
3562 server->session_keyfile != NULL ? s : "");
3566 /* See if we need to (re)generate a new key. */
3567 if (keyfile == NULL) {
3568 if (server->session_keyfile != NULL)
3569 need_deleteold = ISC_TRUE;
3570 } else if (server->session_keyfile == NULL)
3571 need_createnew = ISC_TRUE;
3572 else if (strcmp(keyfile, server->session_keyfile) != 0 ||
3573 !dns_name_equal(server->session_keyname, keyname) ||
3574 server->session_keyalg != algtype ||
3575 server->session_keybits != bits) {
3576 need_deleteold = ISC_TRUE;
3577 need_createnew = ISC_TRUE;
3580 if (need_deleteold) {
3581 INSIST(server->session_keyfile != NULL);
3582 INSIST(server->session_keyname != NULL);
3583 INSIST(server->sessionkey != NULL);
3585 cleanup_session_key(server, mctx);
3588 if (need_createnew) {
3589 INSIST(server->sessionkey == NULL);
3590 INSIST(server->session_keyfile == NULL);
3591 INSIST(server->session_keyname == NULL);
3592 INSIST(server->session_keyalg == DST_ALG_UNKNOWN);
3593 INSIST(server->session_keybits == 0);
3595 server->session_keyname = isc_mem_get(mctx, sizeof(dns_name_t));
3596 if (server->session_keyname == NULL)
3598 dns_name_init(server->session_keyname, NULL);
3599 CHECK(dns_name_dup(keyname, mctx, server->session_keyname));
3601 server->session_keyfile = isc_mem_strdup(mctx, keyfile);
3602 if (server->session_keyfile == NULL)
3605 server->session_keyalg = algtype;
3606 server->session_keybits = bits;
3608 CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
3609 algname, algtype, bits, mctx,
3610 &server->sessionkey));
3616 cleanup_session_key(server, mctx);
3621 load_configuration(const char *filename, ns_server_t *server,
3622 isc_boolean_t first_time)
3624 cfg_aclconfctx_t aclconfctx;
3625 cfg_obj_t *config = NULL, *bindkeys = NULL;
3626 cfg_parser_t *conf_parser = NULL, *bindkeys_parser = NULL;
3627 const cfg_listelt_t *element;
3628 const cfg_obj_t *builtin_views;
3629 const cfg_obj_t *maps[3];
3630 const cfg_obj_t *obj;
3631 const cfg_obj_t *options;
3632 const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
3633 const cfg_obj_t *views;
3634 dns_view_t *view = NULL;
3635 dns_view_t *view_next;
3636 dns_viewlist_t tmpviewlist;
3637 dns_viewlist_t viewlist, builtin_viewlist;
3638 in_port_t listen_port, udpport_low, udpport_high;
3640 isc_interval_t interval;
3641 isc_portset_t *v4portset = NULL;
3642 isc_portset_t *v6portset = NULL;
3643 isc_resourcevalue_t nfiles;
3644 isc_result_t result;
3645 isc_uint32_t heartbeat_interval;
3646 isc_uint32_t interface_interval;
3647 isc_uint32_t reserved;
3648 isc_uint32_t udpsize;
3649 ns_cachelist_t cachelist, tmpcachelist;
3650 unsigned int maxsocks;
3653 cfg_aclconfctx_init(&aclconfctx);
3654 ISC_LIST_INIT(viewlist);
3655 ISC_LIST_INIT(builtin_viewlist);
3656 ISC_LIST_INIT(cachelist);
3658 /* Ensure exclusive access to configuration data. */
3659 result = isc_task_beginexclusive(server->task);
3660 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3663 * Parse the global default pseudo-config file.
3666 CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
3667 RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
3668 &ns_g_defaults) == ISC_R_SUCCESS);
3672 * Parse the configuration file using the new config code.
3674 result = ISC_R_FAILURE;
3678 * Unless this is lwresd with the -C option, parse the config file.
3680 if (!(ns_g_lwresdonly && lwresd_g_useresolvconf)) {
3681 isc_log_write(ns_g_lctx,
3682 NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
3683 ISC_LOG_INFO, "loading configuration from '%s'",
3685 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
3686 cfg_parser_setcallback(conf_parser, directory_callback, NULL);
3687 result = cfg_parse_file(conf_parser, filename,
3688 &cfg_type_namedconf, &config);
3692 * If this is lwresd with the -C option, or lwresd with no -C or -c
3693 * option where the above parsing failed, parse resolv.conf.
3695 if (ns_g_lwresdonly &&
3696 (lwresd_g_useresolvconf ||
3697 (!ns_g_conffileset && result == ISC_R_FILENOTFOUND)))
3699 isc_log_write(ns_g_lctx,
3700 NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
3701 ISC_LOG_INFO, "loading configuration from '%s'",
3702 lwresd_g_resolvconffile);
3703 if (conf_parser != NULL)
3704 cfg_parser_destroy(&conf_parser);
3705 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
3706 result = ns_lwresd_parseeresolvconf(ns_g_mctx, conf_parser,
3712 * Check the validity of the configuration.
3714 CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx));
3717 * Fill in the maps array, used for resolving defaults.
3721 result = cfg_map_get(config, "options", &options);
3722 if (result == ISC_R_SUCCESS)
3723 maps[i++] = options;
3724 maps[i++] = ns_g_defaults;
3728 * If bind.keys exists, load it. If "dnssec-lookaside auto"
3729 * is turned on, the keys found there will be used as default
3733 result = ns_config_get(maps, "bindkeys-file", &obj);
3734 INSIST(result == ISC_R_SUCCESS);
3735 CHECKM(setstring(server, &server->bindkeysfile,
3736 cfg_obj_asstring(obj)), "strdup");
3738 if (access(server->bindkeysfile, R_OK) == 0) {
3739 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3740 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3741 "reading built-in trusted "
3742 "keys from file '%s'", server->bindkeysfile);
3744 CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx,
3747 result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
3748 &cfg_type_bindkeys, &bindkeys);
3753 * Set process limits, which (usually) needs to be done as root.
3758 * Check if max number of open sockets that the system allows is
3759 * sufficiently large. Failing this condition is not necessarily fatal,
3760 * but may cause subsequent runtime failures for a busy recursive
3763 result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &maxsocks);
3764 if (result != ISC_R_SUCCESS)
3766 result = isc_resource_getcurlimit(isc_resource_openfiles, &nfiles);
3767 if (result == ISC_R_SUCCESS && (isc_resourcevalue_t)maxsocks > nfiles) {
3768 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3769 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
3770 "max open files (%" ISC_PRINT_QUADFORMAT "u)"
3771 " is smaller than max sockets (%u)",
3776 * Set the number of socket reserved for TCP, stdio etc.
3779 result = ns_config_get(maps, "reserved-sockets", &obj);
3780 INSIST(result == ISC_R_SUCCESS);
3781 reserved = cfg_obj_asuint32(obj);
3782 if (maxsocks != 0) {
3783 if (maxsocks < 128U) /* Prevent underflow. */
3785 else if (reserved > maxsocks - 128U) /* Minimum UDP space. */
3786 reserved = maxsocks - 128;
3788 /* Minimum TCP/stdio space. */
3789 if (reserved < 128U)
3791 if (reserved + 128U > maxsocks && maxsocks != 0) {
3792 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3793 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
3794 "less than 128 UDP sockets available after "
3795 "applying 'reserved-sockets' and 'maxsockets'");
3797 isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
3800 * Configure various server options.
3802 configure_server_quota(maps, "transfers-out", &server->xfroutquota);
3803 configure_server_quota(maps, "tcp-clients", &server->tcpquota);
3804 configure_server_quota(maps, "recursive-clients",
3805 &server->recursionquota);
3806 if (server->recursionquota.max > 1000)
3807 isc_quota_soft(&server->recursionquota,
3808 server->recursionquota.max - 100);
3810 isc_quota_soft(&server->recursionquota, 0);
3812 CHECK(configure_view_acl(NULL, config, "blackhole", NULL, &aclconfctx,
3813 ns_g_mctx, &server->blackholeacl));
3814 if (server->blackholeacl != NULL)
3815 dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
3816 server->blackholeacl);
3819 result = ns_config_get(maps, "match-mapped-addresses", &obj);
3820 INSIST(result == ISC_R_SUCCESS);
3821 server->aclenv.match_mapped = cfg_obj_asboolean(obj);
3823 CHECKM(ns_statschannels_configure(ns_g_server, config, &aclconfctx),
3824 "configuring statistics server(s)");
3827 * Configure sets of UDP query source ports.
3829 CHECKM(isc_portset_create(ns_g_mctx, &v4portset),
3830 "creating UDP port set");
3831 CHECKM(isc_portset_create(ns_g_mctx, &v6portset),
3832 "creating UDP port set");
3836 avoidv4ports = NULL;
3837 avoidv6ports = NULL;
3839 (void)ns_config_get(maps, "use-v4-udp-ports", &usev4ports);
3840 if (usev4ports != NULL)
3841 portset_fromconf(v4portset, usev4ports, ISC_TRUE);
3843 CHECKM(isc_net_getudpportrange(AF_INET, &udpport_low,
3845 "get the default UDP/IPv4 port range");
3846 if (udpport_low == udpport_high)
3847 isc_portset_add(v4portset, udpport_low);
3849 isc_portset_addrange(v4portset, udpport_low,
3852 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3853 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3854 "using default UDP/IPv4 port range: [%d, %d]",
3855 udpport_low, udpport_high);
3857 (void)ns_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
3858 if (avoidv4ports != NULL)
3859 portset_fromconf(v4portset, avoidv4ports, ISC_FALSE);
3861 (void)ns_config_get(maps, "use-v6-udp-ports", &usev6ports);
3862 if (usev6ports != NULL)
3863 portset_fromconf(v6portset, usev6ports, ISC_TRUE);
3865 CHECKM(isc_net_getudpportrange(AF_INET6, &udpport_low,
3867 "get the default UDP/IPv6 port range");
3868 if (udpport_low == udpport_high)
3869 isc_portset_add(v6portset, udpport_low);
3871 isc_portset_addrange(v6portset, udpport_low,
3874 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3875 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3876 "using default UDP/IPv6 port range: [%d, %d]",
3877 udpport_low, udpport_high);
3879 (void)ns_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
3880 if (avoidv6ports != NULL)
3881 portset_fromconf(v6portset, avoidv6ports, ISC_FALSE);
3883 dns_dispatchmgr_setavailports(ns_g_dispatchmgr, v4portset, v6portset);
3886 * Set the EDNS UDP size when we don't match a view.
3889 result = ns_config_get(maps, "edns-udp-size", &obj);
3890 INSIST(result == ISC_R_SUCCESS);
3891 udpsize = cfg_obj_asuint32(obj);
3896 ns_g_udpsize = (isc_uint16_t)udpsize;
3899 * Configure the zone manager.
3902 result = ns_config_get(maps, "transfers-in", &obj);
3903 INSIST(result == ISC_R_SUCCESS);
3904 dns_zonemgr_settransfersin(server->zonemgr, cfg_obj_asuint32(obj));
3907 result = ns_config_get(maps, "transfers-per-ns", &obj);
3908 INSIST(result == ISC_R_SUCCESS);
3909 dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj));
3912 result = ns_config_get(maps, "serial-query-rate", &obj);
3913 INSIST(result == ISC_R_SUCCESS);
3914 dns_zonemgr_setserialqueryrate(server->zonemgr, cfg_obj_asuint32(obj));
3917 * Determine which port to use for listening for incoming connections.
3920 listen_port = ns_g_port;
3922 CHECKM(ns_config_getport(config, &listen_port), "port");
3925 * Find the listen queue depth.
3928 result = ns_config_get(maps, "tcp-listen-queue", &obj);
3929 INSIST(result == ISC_R_SUCCESS);
3930 ns_g_listen = cfg_obj_asuint32(obj);
3931 if (ns_g_listen < 3)
3935 * Configure the interface manager according to the "listen-on"
3939 const cfg_obj_t *clistenon = NULL;
3940 ns_listenlist_t *listenon = NULL;
3944 * Even though listen-on is present in the default
3945 * configuration, we can't use it here, since it isn't
3946 * used if we're in lwresd mode. This way is easier.
3948 if (options != NULL)
3949 (void)cfg_map_get(options, "listen-on", &clistenon);
3950 if (clistenon != NULL) {
3951 result = ns_listenlist_fromconfig(clistenon,
3956 } else if (!ns_g_lwresdonly) {
3958 * Not specified, use default.
3960 CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
3961 ISC_TRUE, &listenon));
3963 if (listenon != NULL) {
3964 ns_interfacemgr_setlistenon4(server->interfacemgr,
3966 ns_listenlist_detach(&listenon);
3973 const cfg_obj_t *clistenon = NULL;
3974 ns_listenlist_t *listenon = NULL;
3976 if (options != NULL)
3977 (void)cfg_map_get(options, "listen-on-v6", &clistenon);
3978 if (clistenon != NULL) {
3979 result = ns_listenlist_fromconfig(clistenon,
3984 } else if (!ns_g_lwresdonly) {
3985 isc_boolean_t enable;
3987 * Not specified, use default.
3989 enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS);
3990 CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
3991 enable, &listenon));
3993 if (listenon != NULL) {
3994 ns_interfacemgr_setlistenon6(server->interfacemgr,
3996 ns_listenlist_detach(&listenon);
4001 * Rescan the interface list to pick up changes in the
4002 * listen-on option. It's important that we do this before we try
4003 * to configure the query source, since the dispatcher we use might
4004 * be shared with an interface.
4006 scan_interfaces(server, ISC_TRUE);
4009 * Arrange for further interface scanning to occur periodically
4010 * as specified by the "interface-interval" option.
4013 result = ns_config_get(maps, "interface-interval", &obj);
4014 INSIST(result == ISC_R_SUCCESS);
4015 interface_interval = cfg_obj_asuint32(obj) * 60;
4016 if (interface_interval == 0) {
4017 CHECK(isc_timer_reset(server->interface_timer,
4018 isc_timertype_inactive,
4019 NULL, NULL, ISC_TRUE));
4020 } else if (server->interface_interval != interface_interval) {
4021 isc_interval_set(&interval, interface_interval, 0);
4022 CHECK(isc_timer_reset(server->interface_timer,
4023 isc_timertype_ticker,
4024 NULL, &interval, ISC_FALSE));
4026 server->interface_interval = interface_interval;
4029 * Configure the dialup heartbeat timer.
4032 result = ns_config_get(maps, "heartbeat-interval", &obj);
4033 INSIST(result == ISC_R_SUCCESS);
4034 heartbeat_interval = cfg_obj_asuint32(obj) * 60;
4035 if (heartbeat_interval == 0) {
4036 CHECK(isc_timer_reset(server->heartbeat_timer,
4037 isc_timertype_inactive,
4038 NULL, NULL, ISC_TRUE));
4039 } else if (server->heartbeat_interval != heartbeat_interval) {
4040 isc_interval_set(&interval, heartbeat_interval, 0);
4041 CHECK(isc_timer_reset(server->heartbeat_timer,
4042 isc_timertype_ticker,
4043 NULL, &interval, ISC_FALSE));
4045 server->heartbeat_interval = heartbeat_interval;
4047 isc_interval_set(&interval, 1200, 0);
4048 CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
4049 &interval, ISC_FALSE));
4052 * Write the PID file.
4055 if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
4056 if (cfg_obj_isvoid(obj))
4057 ns_os_writepidfile(NULL, first_time);
4059 ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
4060 else if (ns_g_lwresdonly)
4061 ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
4063 ns_os_writepidfile(ns_g_defaultpidfile, first_time);
4066 * Configure the server-wide session key. This must be done before
4067 * configure views because zone configuration may need to know
4070 * Failure of session key generation isn't fatal at this time; if it
4071 * turns out that a session key is really needed but doesn't exist,
4072 * we'll treat it as a fatal error then.
4074 (void)configure_session_key(maps, server, ns_g_mctx);
4077 * Configure and freeze all explicit views. Explicit
4078 * views that have zones were already created at parsing
4079 * time, but views with no zones must be created here.
4082 (void)cfg_map_get(config, "view", &views);
4083 for (element = cfg_list_first(views);
4085 element = cfg_list_next(element))
4087 const cfg_obj_t *vconfig = cfg_listelt_value(element);
4090 CHECK(create_view(vconfig, &viewlist, &view));
4091 INSIST(view != NULL);
4092 CHECK(configure_view(view, config, vconfig,
4093 &cachelist, bindkeys,
4094 ns_g_mctx, &aclconfctx, ISC_TRUE));
4095 dns_view_freeze(view);
4096 dns_view_detach(&view);
4100 * Make sure we have a default view if and only if there
4101 * were no explicit views.
4103 if (views == NULL) {
4105 * No explicit views; there ought to be a default view.
4106 * There may already be one created as a side effect
4107 * of zone statements, or we may have to create one.
4108 * In either case, we need to configure and freeze it.
4110 CHECK(create_view(NULL, &viewlist, &view));
4111 CHECK(configure_view(view, config, NULL,
4112 &cachelist, bindkeys,
4113 ns_g_mctx, &aclconfctx, ISC_TRUE));
4114 dns_view_freeze(view);
4115 dns_view_detach(&view);
4119 * Create (or recreate) the built-in views.
4121 builtin_views = NULL;
4122 RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
4123 &builtin_views) == ISC_R_SUCCESS);
4124 for (element = cfg_list_first(builtin_views);
4126 element = cfg_list_next(element))
4128 const cfg_obj_t *vconfig = cfg_listelt_value(element);
4130 CHECK(create_view(vconfig, &builtin_viewlist, &view));
4131 CHECK(configure_view(view, config, vconfig,
4132 &cachelist, bindkeys,
4133 ns_g_mctx, &aclconfctx, ISC_FALSE));
4134 dns_view_freeze(view);
4135 dns_view_detach(&view);
4139 /* Now combine the two viewlists into one */
4140 ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
4142 /* Swap our new view list with the production one. */
4143 tmpviewlist = server->viewlist;
4144 server->viewlist = viewlist;
4145 viewlist = tmpviewlist;
4147 /* Make the view list available to each of the views */
4148 view = ISC_LIST_HEAD(server->viewlist);
4149 while (view != NULL) {
4150 view->viewlist = &server->viewlist;
4151 view = ISC_LIST_NEXT(view, link);
4154 /* Swap our new cache list with the production one. */
4155 tmpcachelist = server->cachelist;
4156 server->cachelist = cachelist;
4157 cachelist = tmpcachelist;
4159 /* Load the TKEY information from the configuration. */
4160 if (options != NULL) {
4161 dns_tkeyctx_t *t = NULL;
4162 CHECKM(ns_tkeyctx_fromconfig(options, ns_g_mctx, ns_g_entropy,
4164 "configuring TKEY");
4165 if (server->tkeyctx != NULL)
4166 dns_tkeyctx_destroy(&server->tkeyctx);
4167 server->tkeyctx = t;
4171 * Bind the control port(s).
4173 CHECKM(ns_controls_configure(ns_g_server->controls, config,
4175 "binding control channel(s)");
4178 * Bind the lwresd port(s).
4180 CHECKM(ns_lwresd_configure(ns_g_mctx, config),
4181 "binding lightweight resolver ports");
4184 * Open the source of entropy.
4188 result = ns_config_get(maps, "random-device", &obj);
4189 if (result != ISC_R_SUCCESS) {
4190 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4191 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4192 "no source of entropy found");
4194 const char *randomdev = cfg_obj_asstring(obj);
4195 result = isc_entropy_createfilesource(ns_g_entropy,
4197 if (result != ISC_R_SUCCESS)
4198 isc_log_write(ns_g_lctx,
4199 NS_LOGCATEGORY_GENERAL,
4200 NS_LOGMODULE_SERVER,
4202 "could not open entropy source "
4205 isc_result_totext(result));
4206 #ifdef PATH_RANDOMDEV
4207 if (ns_g_fallbackentropy != NULL) {
4208 if (result != ISC_R_SUCCESS) {
4209 isc_log_write(ns_g_lctx,
4210 NS_LOGCATEGORY_GENERAL,
4211 NS_LOGMODULE_SERVER,
4213 "using pre-chroot entropy source "
4216 isc_entropy_detach(&ns_g_entropy);
4217 isc_entropy_attach(ns_g_fallbackentropy,
4220 isc_entropy_detach(&ns_g_fallbackentropy);
4227 * Relinquish root privileges.
4233 * Check that the working directory is writable.
4235 if (access(".", W_OK) != 0) {
4236 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4237 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
4238 "the working directory is not writable");
4242 * Configure the logging system.
4244 * Do this after changing UID to make sure that any log
4245 * files specified in named.conf get created by the
4246 * unprivileged user, not root.
4248 if (ns_g_logstderr) {
4249 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4250 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4251 "ignoring config file logging "
4252 "statement due to -g option");
4254 const cfg_obj_t *logobj = NULL;
4255 isc_logconfig_t *logc = NULL;
4257 CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
4258 "creating new logging configuration");
4261 (void)cfg_map_get(config, "logging", &logobj);
4262 if (logobj != NULL) {
4263 CHECKM(ns_log_configure(logc, logobj),
4264 "configuring logging");
4266 CHECKM(ns_log_setdefaultchannels(logc),
4267 "setting up default logging channels");
4268 CHECKM(ns_log_setunmatchedcategory(logc),
4269 "setting up default 'category unmatched'");
4270 CHECKM(ns_log_setdefaultcategory(logc),
4271 "setting up default 'category default'");
4274 result = isc_logconfig_use(ns_g_lctx, logc);
4275 if (result != ISC_R_SUCCESS) {
4276 isc_logconfig_destroy(&logc);
4277 CHECKM(result, "installing logging configuration");
4280 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4281 NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
4282 "now using logging configuration from "
4287 * Set the default value of the query logging flag depending
4288 * whether a "queries" category has been defined. This is
4289 * a disgusting hack, but we need to do this for BIND 8
4293 const cfg_obj_t *logobj = NULL;
4294 const cfg_obj_t *categories = NULL;
4297 if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
4298 server->log_queries = cfg_obj_asboolean(obj);
4301 (void)cfg_map_get(config, "logging", &logobj);
4303 (void)cfg_map_get(logobj, "category",
4305 if (categories != NULL) {
4306 const cfg_listelt_t *element;
4307 for (element = cfg_list_first(categories);
4309 element = cfg_list_next(element))
4311 const cfg_obj_t *catobj;
4314 obj = cfg_listelt_value(element);
4315 catobj = cfg_tuple_get(obj, "name");
4316 str = cfg_obj_asstring(catobj);
4317 if (strcasecmp(str, "queries") == 0)
4318 server->log_queries = ISC_TRUE;
4326 if (options != NULL &&
4327 cfg_map_get(options, "memstatistics", &obj) == ISC_R_SUCCESS)
4328 ns_g_memstatistics = cfg_obj_asboolean(obj);
4330 ns_g_memstatistics =
4331 ISC_TF((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0);
4334 if (ns_config_get(maps, "memstatistics-file", &obj) == ISC_R_SUCCESS)
4335 ns_main_setmemstats(cfg_obj_asstring(obj));
4336 else if (ns_g_memstatistics)
4337 ns_main_setmemstats("named.memstats");
4339 ns_main_setmemstats(NULL);
4342 result = ns_config_get(maps, "statistics-file", &obj);
4343 INSIST(result == ISC_R_SUCCESS);
4344 CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
4348 result = ns_config_get(maps, "dump-file", &obj);
4349 INSIST(result == ISC_R_SUCCESS);
4350 CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
4354 result = ns_config_get(maps, "recursing-file", &obj);
4355 INSIST(result == ISC_R_SUCCESS);
4356 CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
4360 result = ns_config_get(maps, "version", &obj);
4361 if (result == ISC_R_SUCCESS) {
4362 CHECKM(setoptstring(server, &server->version, obj), "strdup");
4363 server->version_set = ISC_TRUE;
4365 server->version_set = ISC_FALSE;
4369 result = ns_config_get(maps, "hostname", &obj);
4370 if (result == ISC_R_SUCCESS) {
4371 CHECKM(setoptstring(server, &server->hostname, obj), "strdup");
4372 server->hostname_set = ISC_TRUE;
4374 server->hostname_set = ISC_FALSE;
4378 result = ns_config_get(maps, "server-id", &obj);
4379 server->server_usehostname = ISC_FALSE;
4380 if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
4381 /* The parser translates "hostname" to ISC_TRUE */
4382 server->server_usehostname = cfg_obj_asboolean(obj);
4383 result = setstring(server, &server->server_id, NULL);
4384 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4385 } else if (result == ISC_R_SUCCESS) {
4386 /* Found a quoted string */
4387 CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
4389 result = setstring(server, &server->server_id, NULL);
4390 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4394 result = ns_config_get(maps, "flush-zones-on-shutdown", &obj);
4395 if (result == ISC_R_SUCCESS) {
4396 server->flushonshutdown = cfg_obj_asboolean(obj);
4398 server->flushonshutdown = ISC_FALSE;
4401 result = ISC_R_SUCCESS;
4404 if (v4portset != NULL)
4405 isc_portset_destroy(ns_g_mctx, &v4portset);
4407 if (v6portset != NULL)
4408 isc_portset_destroy(ns_g_mctx, &v6portset);
4410 cfg_aclconfctx_destroy(&aclconfctx);
4412 if (conf_parser != NULL) {
4414 cfg_obj_destroy(conf_parser, &config);
4415 cfg_parser_destroy(&conf_parser);
4418 if (bindkeys_parser != NULL) {
4419 if (bindkeys != NULL)
4420 cfg_obj_destroy(bindkeys_parser, &bindkeys);
4421 cfg_parser_destroy(&bindkeys_parser);
4425 dns_view_detach(&view);
4428 * This cleans up either the old production view list
4429 * or our temporary list depending on whether they
4430 * were swapped above or not.
4432 for (view = ISC_LIST_HEAD(viewlist);
4435 view_next = ISC_LIST_NEXT(view, link);
4436 ISC_LIST_UNLINK(viewlist, view, link);
4437 if (result == ISC_R_SUCCESS &&
4438 strcmp(view->name, "_bind") != 0)
4439 (void)dns_zt_apply(view->zonetable, ISC_FALSE,
4441 dns_view_detach(&view);
4444 /* Same cleanup for cache list. */
4445 while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) {
4446 ISC_LIST_UNLINK(cachelist, nsc, link);
4447 dns_cache_detach(&nsc->cache);
4448 isc_mem_put(server->mctx, nsc, sizeof(*nsc));
4452 * Adjust the listening interfaces in accordance with the source
4453 * addresses specified in views and zones.
4455 if (isc_net_probeipv6() == ISC_R_SUCCESS)
4456 adjust_interfaces(server, ns_g_mctx);
4458 /* Relinquish exclusive access to configuration data. */
4459 isc_task_endexclusive(server->task);
4461 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4462 ISC_LOG_DEBUG(1), "load_configuration: %s",
4463 isc_result_totext(result));
4469 load_zones(ns_server_t *server, isc_boolean_t stop) {
4470 isc_result_t result;
4473 result = isc_task_beginexclusive(server->task);
4474 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4477 * Load zone data from disk.
4479 for (view = ISC_LIST_HEAD(server->viewlist);
4481 view = ISC_LIST_NEXT(view, link))
4483 CHECK(dns_view_load(view, stop));
4484 if (view->managed_keys != NULL)
4485 CHECK(dns_zone_load(view->managed_keys));
4489 * Force zone maintenance. Do this after loading
4490 * so that we know when we need to force AXFR of
4491 * slave zones whose master files are missing.
4493 CHECK(dns_zonemgr_forcemaint(server->zonemgr));
4495 isc_task_endexclusive(server->task);
4500 load_new_zones(ns_server_t *server, isc_boolean_t stop) {
4501 isc_result_t result;
4504 result = isc_task_beginexclusive(server->task);
4505 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4508 * Load zone data from disk.
4510 for (view = ISC_LIST_HEAD(server->viewlist);
4512 view = ISC_LIST_NEXT(view, link))
4514 CHECK(dns_view_loadnew(view, stop));
4517 * Force zone maintenance. Do this after loading
4518 * so that we know when we need to force AXFR of
4519 * slave zones whose master files are missing.
4521 dns_zonemgr_resumexfrs(server->zonemgr);
4523 isc_task_endexclusive(server->task);
4528 run_server(isc_task_t *task, isc_event_t *event) {
4529 isc_result_t result;
4530 ns_server_t *server = (ns_server_t *)event->ev_arg;
4532 INSIST(task == server->task);
4534 isc_event_free(&event);
4536 CHECKFATAL(dns_dispatchmgr_create(ns_g_mctx, ns_g_entropy,
4538 "creating dispatch manager");
4540 dns_dispatchmgr_setstats(ns_g_dispatchmgr, server->resolverstats);
4542 CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
4543 ns_g_socketmgr, ns_g_dispatchmgr,
4544 &server->interfacemgr),
4545 "creating interface manager");
4547 CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
4548 NULL, NULL, server->task,
4549 interface_timer_tick,
4550 server, &server->interface_timer),
4551 "creating interface timer");
4553 CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
4554 NULL, NULL, server->task,
4555 heartbeat_timer_tick,
4556 server, &server->heartbeat_timer),
4557 "creating heartbeat timer");
4559 CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
4560 NULL, NULL, server->task, pps_timer_tick,
4561 server, &server->pps_timer),
4562 "creating pps timer");
4564 CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser),
4565 "creating default configuration parser");
4567 if (ns_g_lwresdonly)
4568 CHECKFATAL(load_configuration(lwresd_g_conffile, server,
4570 "loading configuration");
4572 CHECKFATAL(load_configuration(ns_g_conffile, server, ISC_TRUE),
4573 "loading configuration");
4577 CHECKFATAL(load_zones(server, ISC_FALSE), "loading zones");
4580 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4581 ISC_LOG_NOTICE, "running");
4585 ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) {
4587 REQUIRE(NS_SERVER_VALID(server));
4589 server->flushonshutdown = flush;
4593 shutdown_server(isc_task_t *task, isc_event_t *event) {
4594 isc_result_t result;
4595 dns_view_t *view, *view_next;
4596 ns_server_t *server = (ns_server_t *)event->ev_arg;
4597 isc_boolean_t flush = server->flushonshutdown;
4601 INSIST(task == server->task);
4603 result = isc_task_beginexclusive(server->task);
4604 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4606 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4607 ISC_LOG_INFO, "shutting down%s",
4608 flush ? ": flushing changes" : "");
4610 ns_statschannels_shutdown(server);
4611 ns_controls_shutdown(server->controls);
4612 end_reserved_dispatches(server, ISC_TRUE);
4613 cleanup_session_key(server, server->mctx);
4615 cfg_obj_destroy(ns_g_parser, &ns_g_config);
4616 cfg_parser_destroy(&ns_g_parser);
4618 for (view = ISC_LIST_HEAD(server->viewlist);
4621 view_next = ISC_LIST_NEXT(view, link);
4622 ISC_LIST_UNLINK(server->viewlist, view, link);
4624 dns_view_flushanddetach(&view);
4626 dns_view_detach(&view);
4629 while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
4630 ISC_LIST_UNLINK(server->cachelist, nsc, link);
4631 dns_cache_detach(&nsc->cache);
4632 isc_mem_put(server->mctx, nsc, sizeof(*nsc));
4635 isc_timer_detach(&server->interface_timer);
4636 isc_timer_detach(&server->heartbeat_timer);
4637 isc_timer_detach(&server->pps_timer);
4639 ns_interfacemgr_shutdown(server->interfacemgr);
4640 ns_interfacemgr_detach(&server->interfacemgr);
4642 dns_dispatchmgr_destroy(&ns_g_dispatchmgr);
4644 dns_zonemgr_shutdown(server->zonemgr);
4646 if (ns_g_sessionkey != NULL) {
4647 dns_tsigkey_detach(&ns_g_sessionkey);
4648 dns_name_free(&ns_g_sessionkeyname, server->mctx);
4651 if (server->blackholeacl != NULL)
4652 dns_acl_detach(&server->blackholeacl);
4654 dns_db_detach(&server->in_roothints);
4656 isc_task_endexclusive(server->task);
4658 isc_task_detach(&server->task);
4660 isc_event_free(&event);
4664 ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
4665 isc_result_t result;
4667 ns_server_t *server = isc_mem_get(mctx, sizeof(*server));
4669 fatal("allocating server object", ISC_R_NOMEMORY);
4671 server->mctx = mctx;
4672 server->task = NULL;
4674 /* Initialize configuration data with default values. */
4676 result = isc_quota_init(&server->xfroutquota, 10);
4677 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4678 result = isc_quota_init(&server->tcpquota, 10);
4679 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4680 result = isc_quota_init(&server->recursionquota, 100);
4681 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4683 result = dns_aclenv_init(mctx, &server->aclenv);
4684 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4686 /* Initialize server data structures. */
4687 server->zonemgr = NULL;
4688 server->interfacemgr = NULL;
4689 ISC_LIST_INIT(server->viewlist);
4690 server->in_roothints = NULL;
4691 server->blackholeacl = NULL;
4693 CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
4694 &server->in_roothints),
4695 "setting up root hints");
4697 CHECKFATAL(isc_mutex_init(&server->reload_event_lock),
4698 "initializing reload event lock");
4699 server->reload_event =
4700 isc_event_allocate(ns_g_mctx, server,
4704 sizeof(isc_event_t));
4705 CHECKFATAL(server->reload_event == NULL ?
4706 ISC_R_NOMEMORY : ISC_R_SUCCESS,
4707 "allocating reload event");
4709 CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
4710 ns_g_engine, ISC_ENTROPY_GOODONLY),
4711 "initializing DST");
4713 server->tkeyctx = NULL;
4714 CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
4716 "creating TKEY context");
4719 * Setup the server task, which is responsible for coordinating
4720 * startup and shutdown of the server.
4722 CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
4723 "creating server task");
4724 isc_task_setname(server->task, "server", server);
4725 CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
4726 "isc_task_onshutdown");
4727 CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server),
4730 server->interface_timer = NULL;
4731 server->heartbeat_timer = NULL;
4732 server->pps_timer = NULL;
4734 server->interface_interval = 0;
4735 server->heartbeat_interval = 0;
4737 CHECKFATAL(dns_zonemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_timermgr,
4738 ns_g_socketmgr, &server->zonemgr),
4739 "dns_zonemgr_create");
4741 server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
4742 CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
4744 server->nsstats = NULL;
4745 server->rcvquerystats = NULL;
4746 server->opcodestats = NULL;
4747 server->zonestats = NULL;
4748 server->resolverstats = NULL;
4749 server->sockstats = NULL;
4750 CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
4751 isc_sockstatscounter_max),
4752 "isc_stats_create");
4753 isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
4755 server->bindkeysfile = isc_mem_strdup(server->mctx, "bind.keys");
4756 CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY :
4760 server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
4761 CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
4764 server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
4765 CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
4768 server->hostname_set = ISC_FALSE;
4769 server->hostname = NULL;
4770 server->version_set = ISC_FALSE;
4771 server->version = NULL;
4772 server->server_usehostname = ISC_FALSE;
4773 server->server_id = NULL;
4775 CHECKFATAL(isc_stats_create(ns_g_mctx, &server->nsstats,
4776 dns_nsstatscounter_max),
4777 "dns_stats_create (server)");
4779 CHECKFATAL(dns_rdatatypestats_create(ns_g_mctx,
4780 &server->rcvquerystats),
4781 "dns_stats_create (rcvquery)");
4783 CHECKFATAL(dns_opcodestats_create(ns_g_mctx, &server->opcodestats),
4784 "dns_stats_create (opcode)");
4786 CHECKFATAL(isc_stats_create(ns_g_mctx, &server->zonestats,
4787 dns_zonestatscounter_max),
4788 "dns_stats_create (zone)");
4790 CHECKFATAL(isc_stats_create(ns_g_mctx, &server->resolverstats,
4791 dns_resstatscounter_max),
4792 "dns_stats_create (resolver)");
4794 server->flushonshutdown = ISC_FALSE;
4795 server->log_queries = ISC_FALSE;
4797 server->controls = NULL;
4798 CHECKFATAL(ns_controls_create(server, &server->controls),
4799 "ns_controls_create");
4800 server->dispatchgen = 0;
4801 ISC_LIST_INIT(server->dispatches);
4803 ISC_LIST_INIT(server->statschannels);
4805 ISC_LIST_INIT(server->cachelist);
4807 server->sessionkey = NULL;
4808 server->session_keyfile = NULL;
4809 server->session_keyname = NULL;
4810 server->session_keyalg = DST_ALG_UNKNOWN;
4811 server->session_keybits = 0;
4813 server->magic = NS_SERVER_MAGIC;
4818 ns_server_destroy(ns_server_t **serverp) {
4819 ns_server_t *server = *serverp;
4820 REQUIRE(NS_SERVER_VALID(server));
4822 ns_controls_destroy(&server->controls);
4824 isc_stats_detach(&server->nsstats);
4825 dns_stats_detach(&server->rcvquerystats);
4826 dns_stats_detach(&server->opcodestats);
4827 isc_stats_detach(&server->zonestats);
4828 isc_stats_detach(&server->resolverstats);
4829 isc_stats_detach(&server->sockstats);
4831 isc_mem_free(server->mctx, server->statsfile);
4832 isc_mem_free(server->mctx, server->bindkeysfile);
4833 isc_mem_free(server->mctx, server->dumpfile);
4834 isc_mem_free(server->mctx, server->recfile);
4836 if (server->version != NULL)
4837 isc_mem_free(server->mctx, server->version);
4838 if (server->hostname != NULL)
4839 isc_mem_free(server->mctx, server->hostname);
4840 if (server->server_id != NULL)
4841 isc_mem_free(server->mctx, server->server_id);
4843 dns_zonemgr_detach(&server->zonemgr);
4845 if (server->tkeyctx != NULL)
4846 dns_tkeyctx_destroy(&server->tkeyctx);
4850 isc_event_free(&server->reload_event);
4852 INSIST(ISC_LIST_EMPTY(server->viewlist));
4853 INSIST(ISC_LIST_EMPTY(server->cachelist));
4855 dns_aclenv_destroy(&server->aclenv);
4857 isc_quota_destroy(&server->recursionquota);
4858 isc_quota_destroy(&server->tcpquota);
4859 isc_quota_destroy(&server->xfroutquota);
4862 isc_mem_put(server->mctx, server, sizeof(*server));
4867 fatal(const char *msg, isc_result_t result) {
4868 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4869 ISC_LOG_CRITICAL, "%s: %s", msg,
4870 isc_result_totext(result));
4871 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
4872 ISC_LOG_CRITICAL, "exiting (due to fatal error)");
4877 start_reserved_dispatches(ns_server_t *server) {
4879 REQUIRE(NS_SERVER_VALID(server));
4881 server->dispatchgen++;
4885 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
4886 ns_dispatch_t *dispatch, *nextdispatch;
4888 REQUIRE(NS_SERVER_VALID(server));
4890 for (dispatch = ISC_LIST_HEAD(server->dispatches);
4892 dispatch = nextdispatch) {
4893 nextdispatch = ISC_LIST_NEXT(dispatch, link);
4894 if (!all && server->dispatchgen == dispatch-> dispatchgen)
4896 ISC_LIST_UNLINK(server->dispatches, dispatch, link);
4897 dns_dispatch_detach(&dispatch->dispatch);
4898 isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
4903 ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
4904 ns_dispatch_t *dispatch;
4906 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
4907 isc_result_t result;
4908 unsigned int attrs, attrmask;
4910 REQUIRE(NS_SERVER_VALID(server));
4912 port = isc_sockaddr_getport(addr);
4913 if (port == 0 || port >= 1024)
4916 for (dispatch = ISC_LIST_HEAD(server->dispatches);
4918 dispatch = ISC_LIST_NEXT(dispatch, link)) {
4919 if (isc_sockaddr_equal(&dispatch->addr, addr))
4922 if (dispatch != NULL) {
4923 dispatch->dispatchgen = server->dispatchgen;
4927 dispatch = isc_mem_get(server->mctx, sizeof(*dispatch));
4928 if (dispatch == NULL) {
4929 result = ISC_R_NOMEMORY;
4933 dispatch->addr = *addr;
4934 dispatch->dispatchgen = server->dispatchgen;
4935 dispatch->dispatch = NULL;
4938 attrs |= DNS_DISPATCHATTR_UDP;
4939 switch (isc_sockaddr_pf(addr)) {
4941 attrs |= DNS_DISPATCHATTR_IPV4;
4944 attrs |= DNS_DISPATCHATTR_IPV6;
4947 result = ISC_R_NOTIMPLEMENTED;
4951 attrmask |= DNS_DISPATCHATTR_UDP;
4952 attrmask |= DNS_DISPATCHATTR_TCP;
4953 attrmask |= DNS_DISPATCHATTR_IPV4;
4954 attrmask |= DNS_DISPATCHATTR_IPV6;
4956 result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
4957 ns_g_taskmgr, &dispatch->addr, 4096,
4958 1000, 32768, 16411, 16433,
4959 attrs, attrmask, &dispatch->dispatch);
4960 if (result != ISC_R_SUCCESS)
4963 ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link);
4968 if (dispatch != NULL)
4969 isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
4970 isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
4971 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4972 NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
4973 "unable to create dispatch for reserved port %s: %s",
4974 addrbuf, isc_result_totext(result));
4979 loadconfig(ns_server_t *server) {
4980 isc_result_t result;
4981 start_reserved_dispatches(server);
4982 result = load_configuration(ns_g_lwresdonly ?
4983 lwresd_g_conffile : ns_g_conffile,
4985 if (result == ISC_R_SUCCESS) {
4986 end_reserved_dispatches(server, ISC_FALSE);
4987 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4988 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
4989 "reloading configuration succeeded");
4991 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
4992 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
4993 "reloading configuration failed: %s",
4994 isc_result_totext(result));
5000 reload(ns_server_t *server) {
5001 isc_result_t result;
5002 CHECK(loadconfig(server));
5004 result = load_zones(server, ISC_FALSE);
5005 if (result == ISC_R_SUCCESS)
5006 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5007 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5008 "reloading zones succeeded");
5010 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5011 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5012 "reloading zones failed: %s",
5013 isc_result_totext(result));
5020 reconfig(ns_server_t *server) {
5021 isc_result_t result;
5022 CHECK(loadconfig(server));
5024 result = load_new_zones(server, ISC_FALSE);
5025 if (result == ISC_R_SUCCESS)
5026 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5027 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5028 "any newly configured zones are now loaded");
5030 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5031 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5032 "loading new zones failed: %s",
5033 isc_result_totext(result));
5039 * Handle a reload event (from SIGHUP).
5042 ns_server_reload(isc_task_t *task, isc_event_t *event) {
5043 ns_server_t *server = (ns_server_t *)event->ev_arg;
5045 INSIST(task = server->task);
5048 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5049 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5050 "received SIGHUP signal to reload zones");
5051 (void)reload(server);
5053 LOCK(&server->reload_event_lock);
5054 INSIST(server->reload_event == NULL);
5055 server->reload_event = event;
5056 UNLOCK(&server->reload_event_lock);
5060 ns_server_reloadwanted(ns_server_t *server) {
5061 LOCK(&server->reload_event_lock);
5062 if (server->reload_event != NULL)
5063 isc_task_send(server->task, &server->reload_event);
5064 UNLOCK(&server->reload_event_lock);
5068 next_token(char **stringp, const char *delim) {
5072 res = strsep(stringp, delim);
5075 } while (*res == '\0');
5080 * Find the zone specified in the control channel command 'args',
5081 * if any. If a zone is specified, point '*zonep' at it, otherwise
5082 * set '*zonep' to NULL.
5085 zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
5087 const char *zonetxt;
5089 const char *viewtxt = NULL;
5090 dns_fixedname_t name;
5091 isc_result_t result;
5093 dns_view_t *view = NULL;
5094 dns_rdataclass_t rdclass;
5096 REQUIRE(zonep != NULL && *zonep == NULL);
5100 /* Skip the command name. */
5101 ptr = next_token(&input, " \t");
5103 return (ISC_R_UNEXPECTEDEND);
5105 /* Look for the zone name. */
5106 zonetxt = next_token(&input, " \t");
5107 if (zonetxt == NULL)
5108 return (ISC_R_SUCCESS);
5110 /* Look for the optional class name. */
5111 classtxt = next_token(&input, " \t");
5112 if (classtxt != NULL) {
5113 /* Look for the optional view name. */
5114 viewtxt = next_token(&input, " \t");
5117 isc_buffer_init(&buf, zonetxt, strlen(zonetxt));
5118 isc_buffer_add(&buf, strlen(zonetxt));
5119 dns_fixedname_init(&name);
5120 result = dns_name_fromtext(dns_fixedname_name(&name),
5121 &buf, dns_rootname, 0, NULL);
5122 if (result != ISC_R_SUCCESS)
5125 if (classtxt != NULL) {
5128 r.length = strlen(classtxt);
5129 result = dns_rdataclass_fromtext(&rdclass, &r);
5130 if (result != ISC_R_SUCCESS)
5133 rdclass = dns_rdataclass_in;
5135 if (viewtxt == NULL) {
5136 result = dns_viewlist_findzone(&server->viewlist,
5137 dns_fixedname_name(&name),
5138 ISC_TF(classtxt == NULL),
5141 result = dns_viewlist_find(&server->viewlist, viewtxt,
5143 if (result != ISC_R_SUCCESS)
5146 result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
5148 dns_view_detach(&view);
5151 /* Partial match? */
5152 if (result != ISC_R_SUCCESS && *zonep != NULL)
5153 dns_zone_detach(zonep);
5154 if (result == DNS_R_PARTIALMATCH)
5155 result = ISC_R_NOTFOUND;
5161 * Act on a "retransfer" command from the command channel.
5164 ns_server_retransfercommand(ns_server_t *server, char *args) {
5165 isc_result_t result;
5166 dns_zone_t *zone = NULL;
5167 dns_zonetype_t type;
5169 result = zone_from_args(server, args, &zone);
5170 if (result != ISC_R_SUCCESS)
5173 return (ISC_R_UNEXPECTEDEND);
5174 type = dns_zone_gettype(zone);
5175 if (type == dns_zone_slave || type == dns_zone_stub)
5176 dns_zone_forcereload(zone);
5178 result = ISC_R_NOTFOUND;
5179 dns_zone_detach(&zone);
5184 * Act on a "reload" command from the command channel.
5187 ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
5188 isc_result_t result;
5189 dns_zone_t *zone = NULL;
5190 dns_zonetype_t type;
5191 const char *msg = NULL;
5193 result = zone_from_args(server, args, &zone);
5194 if (result != ISC_R_SUCCESS)
5197 result = reload(server);
5198 if (result == ISC_R_SUCCESS)
5199 msg = "server reload successful";
5201 type = dns_zone_gettype(zone);
5202 if (type == dns_zone_slave || type == dns_zone_stub) {
5203 dns_zone_refresh(zone);
5204 dns_zone_detach(&zone);
5205 msg = "zone refresh queued";
5207 result = dns_zone_load(zone);
5208 dns_zone_detach(&zone);
5211 msg = "zone reload successful";
5213 case DNS_R_CONTINUE:
5214 msg = "zone reload queued";
5215 result = ISC_R_SUCCESS;
5217 case DNS_R_UPTODATE:
5218 msg = "zone reload up-to-date";
5219 result = ISC_R_SUCCESS;
5222 /* failure message will be generated by rndc */
5227 if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
5228 isc_buffer_putmem(text, (const unsigned char *)msg,
5234 * Act on a "reconfig" command from the command channel.
5237 ns_server_reconfigcommand(ns_server_t *server, char *args) {
5241 return (ISC_R_SUCCESS);
5245 * Act on a "notify" command from the command channel.
5248 ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
5249 isc_result_t result;
5250 dns_zone_t *zone = NULL;
5251 const unsigned char msg[] = "zone notify queued";
5253 result = zone_from_args(server, args, &zone);
5254 if (result != ISC_R_SUCCESS)
5257 return (ISC_R_UNEXPECTEDEND);
5259 dns_zone_notify(zone);
5260 dns_zone_detach(&zone);
5261 if (sizeof(msg) <= isc_buffer_availablelength(text))
5262 isc_buffer_putmem(text, msg, sizeof(msg));
5264 return (ISC_R_SUCCESS);
5268 * Act on a "refresh" command from the command channel.
5271 ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
5272 isc_result_t result;
5273 dns_zone_t *zone = NULL;
5274 const unsigned char msg1[] = "zone refresh queued";
5275 const unsigned char msg2[] = "not a slave or stub zone";
5276 dns_zonetype_t type;
5278 result = zone_from_args(server, args, &zone);
5279 if (result != ISC_R_SUCCESS)
5282 return (ISC_R_UNEXPECTEDEND);
5284 type = dns_zone_gettype(zone);
5285 if (type == dns_zone_slave || type == dns_zone_stub) {
5286 dns_zone_refresh(zone);
5287 dns_zone_detach(&zone);
5288 if (sizeof(msg1) <= isc_buffer_availablelength(text))
5289 isc_buffer_putmem(text, msg1, sizeof(msg1));
5290 return (ISC_R_SUCCESS);
5293 dns_zone_detach(&zone);
5294 if (sizeof(msg2) <= isc_buffer_availablelength(text))
5295 isc_buffer_putmem(text, msg2, sizeof(msg2));
5296 return (ISC_R_FAILURE);
5300 ns_server_togglequerylog(ns_server_t *server) {
5301 server->log_queries = server->log_queries ? ISC_FALSE : ISC_TRUE;
5303 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5304 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5305 "query logging is now %s",
5306 server->log_queries ? "on" : "off");
5307 return (ISC_R_SUCCESS);
5311 ns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
5312 cfg_aclconfctx_t *actx,
5313 isc_mem_t *mctx, ns_listenlist_t **target)
5315 isc_result_t result;
5316 const cfg_listelt_t *element;
5317 ns_listenlist_t *dlist = NULL;
5319 REQUIRE(target != NULL && *target == NULL);
5321 result = ns_listenlist_create(mctx, &dlist);
5322 if (result != ISC_R_SUCCESS)
5325 for (element = cfg_list_first(listenlist);
5327 element = cfg_list_next(element))
5329 ns_listenelt_t *delt = NULL;
5330 const cfg_obj_t *listener = cfg_listelt_value(element);
5331 result = ns_listenelt_fromconfig(listener, config, actx,
5333 if (result != ISC_R_SUCCESS)
5335 ISC_LIST_APPEND(dlist->elts, delt, link);
5338 return (ISC_R_SUCCESS);
5341 ns_listenlist_detach(&dlist);
5346 * Create a listen list from the corresponding configuration
5350 ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
5351 cfg_aclconfctx_t *actx,
5352 isc_mem_t *mctx, ns_listenelt_t **target)
5354 isc_result_t result;
5355 const cfg_obj_t *portobj;
5357 ns_listenelt_t *delt = NULL;
5358 REQUIRE(target != NULL && *target == NULL);
5360 portobj = cfg_tuple_get(listener, "port");
5361 if (!cfg_obj_isuint32(portobj)) {
5362 if (ns_g_port != 0) {
5365 result = ns_config_getport(config, &port);
5366 if (result != ISC_R_SUCCESS)
5370 if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
5371 cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
5372 "port value '%u' is out of range",
5373 cfg_obj_asuint32(portobj));
5374 return (ISC_R_RANGE);
5376 port = (in_port_t)cfg_obj_asuint32(portobj);
5379 result = ns_listenelt_create(mctx, port, NULL, &delt);
5380 if (result != ISC_R_SUCCESS)
5383 result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"),
5384 config, ns_g_lctx, actx, mctx, 0,
5386 if (result != ISC_R_SUCCESS) {
5387 ns_listenelt_destroy(delt);
5391 return (ISC_R_SUCCESS);
5395 ns_server_dumpstats(ns_server_t *server) {
5396 isc_result_t result;
5399 CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
5400 "could not open statistics dump file", server->statsfile);
5402 result = ns_stats_dump(server, fp);
5407 (void)isc_stdio_close(fp);
5408 if (result == ISC_R_SUCCESS)
5409 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5410 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5411 "dumpstats complete");
5413 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5414 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5415 "dumpstats failed: %s",
5416 dns_result_totext(result));
5421 add_zone_tolist(dns_zone_t *zone, void *uap) {
5422 struct dumpcontext *dctx = uap;
5423 struct zonelistentry *zle;
5425 zle = isc_mem_get(dctx->mctx, sizeof *zle);
5427 return (ISC_R_NOMEMORY);
5429 dns_zone_attach(zone, &zle->zone);
5430 ISC_LINK_INIT(zle, link);
5431 ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link);
5432 return (ISC_R_SUCCESS);
5436 add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
5437 struct viewlistentry *vle;
5438 isc_result_t result = ISC_R_SUCCESS;
5441 * Prevent duplicate views.
5443 for (vle = ISC_LIST_HEAD(dctx->viewlist);
5445 vle = ISC_LIST_NEXT(vle, link))
5446 if (vle->view == view)
5447 return (ISC_R_SUCCESS);
5449 vle = isc_mem_get(dctx->mctx, sizeof *vle);
5451 return (ISC_R_NOMEMORY);
5453 dns_view_attach(view, &vle->view);
5454 ISC_LINK_INIT(vle, link);
5455 ISC_LIST_INIT(vle->zonelist);
5456 ISC_LIST_APPEND(dctx->viewlist, vle, link);
5457 if (dctx->dumpzones)
5458 result = dns_zt_apply(view->zonetable, ISC_TRUE,
5459 add_zone_tolist, dctx);
5464 dumpcontext_destroy(struct dumpcontext *dctx) {
5465 struct viewlistentry *vle;
5466 struct zonelistentry *zle;
5468 vle = ISC_LIST_HEAD(dctx->viewlist);
5469 while (vle != NULL) {
5470 ISC_LIST_UNLINK(dctx->viewlist, vle, link);
5471 zle = ISC_LIST_HEAD(vle->zonelist);
5472 while (zle != NULL) {
5473 ISC_LIST_UNLINK(vle->zonelist, zle, link);
5474 dns_zone_detach(&zle->zone);
5475 isc_mem_put(dctx->mctx, zle, sizeof *zle);
5476 zle = ISC_LIST_HEAD(vle->zonelist);
5478 dns_view_detach(&vle->view);
5479 isc_mem_put(dctx->mctx, vle, sizeof *vle);
5480 vle = ISC_LIST_HEAD(dctx->viewlist);
5482 if (dctx->version != NULL)
5483 dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
5484 if (dctx->db != NULL)
5485 dns_db_detach(&dctx->db);
5486 if (dctx->cache != NULL)
5487 dns_db_detach(&dctx->cache);
5488 if (dctx->task != NULL)
5489 isc_task_detach(&dctx->task);
5490 if (dctx->fp != NULL)
5491 (void)isc_stdio_close(dctx->fp);
5492 if (dctx->mdctx != NULL)
5493 dns_dumpctx_detach(&dctx->mdctx);
5494 isc_mem_put(dctx->mctx, dctx, sizeof *dctx);
5498 dumpdone(void *arg, isc_result_t result) {
5499 struct dumpcontext *dctx = arg;
5501 const dns_master_style_t *style;
5503 if (result != ISC_R_SUCCESS)
5505 if (dctx->mdctx != NULL)
5506 dns_dumpctx_detach(&dctx->mdctx);
5507 if (dctx->view == NULL) {
5508 dctx->view = ISC_LIST_HEAD(dctx->viewlist);
5509 if (dctx->view == NULL)
5511 INSIST(dctx->zone == NULL);
5515 fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
5517 if (dctx->dumpcache && dns_view_iscacheshared(dctx->view->view)) {
5519 ";\n; Cache of view '%s' is shared as '%s'\n",
5520 dctx->view->view->name,
5521 dns_cache_getname(dctx->view->view->cache));
5522 } else if (dctx->zone == NULL && dctx->cache == NULL &&
5525 style = &dns_master_style_cache;
5526 /* start cache dump */
5527 if (dctx->view->view->cachedb != NULL)
5528 dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
5529 if (dctx->cache != NULL) {
5531 ";\n; Cache dump of view '%s' (cache %s)\n;\n",
5532 dctx->view->view->name,
5533 dns_cache_getname(dctx->view->view->cache));
5534 result = dns_master_dumptostreaminc(dctx->mctx,
5540 if (result == DNS_R_CONTINUE)
5542 if (result == ISC_R_NOTIMPLEMENTED)
5543 fprintf(dctx->fp, "; %s\n",
5544 dns_result_totext(result));
5545 else if (result != ISC_R_SUCCESS)
5549 if (dctx->cache != NULL) {
5550 dns_adb_dump(dctx->view->view->adb, dctx->fp);
5551 dns_resolver_printbadcache(dctx->view->view->resolver,
5553 dns_db_detach(&dctx->cache);
5555 if (dctx->dumpzones) {
5556 style = &dns_master_style_full;
5558 if (dctx->version != NULL)
5559 dns_db_closeversion(dctx->db, &dctx->version,
5561 if (dctx->db != NULL)
5562 dns_db_detach(&dctx->db);
5563 if (dctx->zone == NULL)
5564 dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
5566 dctx->zone = ISC_LIST_NEXT(dctx->zone, link);
5567 if (dctx->zone != NULL) {
5568 /* start zone dump */
5569 dns_zone_name(dctx->zone->zone, buf, sizeof(buf));
5570 fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf);
5571 result = dns_zone_getdb(dctx->zone->zone, &dctx->db);
5572 if (result != ISC_R_SUCCESS) {
5573 fprintf(dctx->fp, "; %s\n",
5574 dns_result_totext(result));
5577 dns_db_currentversion(dctx->db, &dctx->version);
5578 result = dns_master_dumptostreaminc(dctx->mctx,
5585 if (result == DNS_R_CONTINUE)
5587 if (result == ISC_R_NOTIMPLEMENTED) {
5588 fprintf(dctx->fp, "; %s\n",
5589 dns_result_totext(result));
5590 result = ISC_R_SUCCESS;
5593 if (result != ISC_R_SUCCESS)
5597 if (dctx->view != NULL)
5598 dctx->view = ISC_LIST_NEXT(dctx->view, link);
5599 if (dctx->view != NULL)
5602 fprintf(dctx->fp, "; Dump complete\n");
5603 result = isc_stdio_flush(dctx->fp);
5604 if (result == ISC_R_SUCCESS)
5605 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5606 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5609 if (result != ISC_R_SUCCESS)
5610 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5611 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5612 "dumpdb failed: %s", dns_result_totext(result));
5613 dumpcontext_destroy(dctx);
5617 ns_server_dumpdb(ns_server_t *server, char *args) {
5618 struct dumpcontext *dctx = NULL;
5620 isc_result_t result;
5624 /* Skip the command name. */
5625 ptr = next_token(&args, " \t");
5627 return (ISC_R_UNEXPECTEDEND);
5629 dctx = isc_mem_get(server->mctx, sizeof(*dctx));
5631 return (ISC_R_NOMEMORY);
5633 dctx->mctx = server->mctx;
5634 dctx->dumpcache = ISC_TRUE;
5635 dctx->dumpzones = ISC_FALSE;
5637 ISC_LIST_INIT(dctx->viewlist);
5645 dctx->version = NULL;
5646 isc_task_attach(server->task, &dctx->task);
5648 CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
5649 "could not open dump file", server->dumpfile);
5651 sep = (args == NULL) ? "" : ": ";
5652 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5653 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5654 "dumpdb started%s%s", sep, (args != NULL) ? args : "");
5656 ptr = next_token(&args, " \t");
5657 if (ptr != NULL && strcmp(ptr, "-all") == 0) {
5658 dctx->dumpzones = ISC_TRUE;
5659 dctx->dumpcache = ISC_TRUE;
5660 ptr = next_token(&args, " \t");
5661 } else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
5662 dctx->dumpzones = ISC_FALSE;
5663 dctx->dumpcache = ISC_TRUE;
5664 ptr = next_token(&args, " \t");
5665 } else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
5666 dctx->dumpzones = ISC_TRUE;
5667 dctx->dumpcache = ISC_FALSE;
5668 ptr = next_token(&args, " \t");
5672 for (view = ISC_LIST_HEAD(server->viewlist);
5674 view = ISC_LIST_NEXT(view, link))
5676 if (ptr != NULL && strcmp(view->name, ptr) != 0)
5678 CHECK(add_view_tolist(dctx, view));
5681 ptr = next_token(&args, " \t");
5685 dumpdone(dctx, ISC_R_SUCCESS);
5686 return (ISC_R_SUCCESS);
5690 dumpcontext_destroy(dctx);
5695 ns_server_dumprecursing(ns_server_t *server) {
5697 isc_result_t result;
5699 CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
5700 "could not open dump file", server->recfile);
5701 fprintf(fp,";\n; Recursing Queries\n;\n");
5702 ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
5703 fprintf(fp, "; Dump complete\n");
5707 result = isc_stdio_close(fp);
5708 if (result == ISC_R_SUCCESS)
5709 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5710 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5711 "dumprecursing complete");
5713 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5714 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5715 "dumprecursing failed: %s",
5716 dns_result_totext(result));
5721 ns_server_setdebuglevel(ns_server_t *server, char *args) {
5729 /* Skip the command name. */
5730 ptr = next_token(&args, " \t");
5732 return (ISC_R_UNEXPECTEDEND);
5734 /* Look for the new level name. */
5735 levelstr = next_token(&args, " \t");
5736 if (levelstr == NULL) {
5737 if (ns_g_debuglevel < 99)
5740 newlevel = strtol(levelstr, &endp, 10);
5741 if (*endp != '\0' || newlevel < 0 || newlevel > 99)
5742 return (ISC_R_RANGE);
5743 ns_g_debuglevel = (unsigned int)newlevel;
5745 isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
5746 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5747 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5748 "debug level is now %d", ns_g_debuglevel);
5749 return (ISC_R_SUCCESS);
5753 ns_server_validation(ns_server_t *server, char *args) {
5754 char *ptr, *viewname;
5756 isc_boolean_t changed = ISC_FALSE;
5757 isc_result_t result;
5758 isc_boolean_t enable;
5760 /* Skip the command name. */
5761 ptr = next_token(&args, " \t");
5763 return (ISC_R_UNEXPECTEDEND);
5765 /* Find out what we are to do. */
5766 ptr = next_token(&args, " \t");
5768 return (ISC_R_UNEXPECTEDEND);
5770 if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
5771 !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
5773 else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
5774 !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
5777 return (DNS_R_SYNTAX);
5779 /* Look for the view name. */
5780 viewname = next_token(&args, " \t");
5782 result = isc_task_beginexclusive(server->task);
5783 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5784 for (view = ISC_LIST_HEAD(server->viewlist);
5786 view = ISC_LIST_NEXT(view, link))
5788 if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
5790 result = dns_view_flushcache(view);
5791 if (result != ISC_R_SUCCESS)
5793 view->enablevalidation = enable;
5797 result = ISC_R_SUCCESS;
5799 result = ISC_R_FAILURE;
5801 isc_task_endexclusive(server->task);
5806 ns_server_flushcache(ns_server_t *server, char *args) {
5807 char *ptr, *viewname;
5809 isc_boolean_t flushed;
5810 isc_boolean_t found;
5811 isc_result_t result;
5814 /* Skip the command name. */
5815 ptr = next_token(&args, " \t");
5817 return (ISC_R_UNEXPECTEDEND);
5819 /* Look for the view name. */
5820 viewname = next_token(&args, " \t");
5822 result = isc_task_beginexclusive(server->task);
5823 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5828 * Flushing a cache is tricky when caches are shared by multiple views.
5829 * We first identify which caches should be flushed in the local cache
5830 * list, flush these caches, and then update other views that refer to
5831 * the flushed cache DB.
5833 if (viewname != NULL) {
5835 * Mark caches that need to be flushed. This is an O(#view^2)
5836 * operation in the very worst case, but should be normally
5837 * much more lightweight because only a few (most typically just
5838 * one) views will match.
5840 for (view = ISC_LIST_HEAD(server->viewlist);
5842 view = ISC_LIST_NEXT(view, link))
5844 if (strcasecmp(viewname, view->name) != 0)
5847 for (nsc = ISC_LIST_HEAD(server->cachelist);
5849 nsc = ISC_LIST_NEXT(nsc, link)) {
5850 if (nsc->cache == view->cache)
5853 INSIST(nsc != NULL);
5854 nsc->needflush = ISC_TRUE;
5860 for (nsc = ISC_LIST_HEAD(server->cachelist);
5862 nsc = ISC_LIST_NEXT(nsc, link)) {
5863 if (viewname != NULL && !nsc->needflush)
5865 nsc->needflush = ISC_TRUE;
5866 result = dns_view_flushcache2(nsc->primaryview, ISC_FALSE);
5867 if (result != ISC_R_SUCCESS) {
5868 flushed = ISC_FALSE;
5869 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5870 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5871 "flushing cache in view '%s' failed: %s",
5872 nsc->primaryview->name,
5873 isc_result_totext(result));
5878 * Fix up views that share a flushed cache: let the views update the
5879 * cache DB they're referring to. This could also be an expensive
5880 * operation, but should typically be marginal: the inner loop is only
5881 * necessary for views that share a cache, and if there are many such
5882 * views the number of shared cache should normally be small.
5883 * A worst case is that we have n views and n/2 caches, each shared by
5884 * two views. Then this will be a O(n^2/4) operation.
5886 for (view = ISC_LIST_HEAD(server->viewlist);
5888 view = ISC_LIST_NEXT(view, link))
5890 if (!dns_view_iscacheshared(view))
5892 for (nsc = ISC_LIST_HEAD(server->cachelist);
5894 nsc = ISC_LIST_NEXT(nsc, link)) {
5895 if (!nsc->needflush || nsc->cache != view->cache)
5897 result = dns_view_flushcache2(view, ISC_TRUE);
5898 if (result != ISC_R_SUCCESS) {
5899 flushed = ISC_FALSE;
5900 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5901 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5902 "fixing cache in view '%s' "
5903 "failed: %s", view->name,
5904 isc_result_totext(result));
5909 /* Cleanup the cache list. */
5910 for (nsc = ISC_LIST_HEAD(server->cachelist);
5912 nsc = ISC_LIST_NEXT(nsc, link)) {
5913 nsc->needflush = ISC_FALSE;
5916 if (flushed && found) {
5917 if (viewname != NULL)
5918 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5919 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5920 "flushing cache in view '%s' succeeded",
5923 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5924 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
5925 "flushing caches in all views succeeded");
5926 result = ISC_R_SUCCESS;
5929 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5930 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5931 "flushing cache in view '%s' failed: "
5932 "view not found", viewname);
5933 result = ISC_R_NOTFOUND;
5935 result = ISC_R_FAILURE;
5937 isc_task_endexclusive(server->task);
5942 ns_server_flushname(ns_server_t *server, char *args) {
5943 char *ptr, *target, *viewname;
5945 isc_boolean_t flushed;
5946 isc_boolean_t found;
5947 isc_result_t result;
5949 dns_fixedname_t fixed;
5952 /* Skip the command name. */
5953 ptr = next_token(&args, " \t");
5955 return (ISC_R_UNEXPECTEDEND);
5957 /* Find the domain name to flush. */
5958 target = next_token(&args, " \t");
5960 return (ISC_R_UNEXPECTEDEND);
5962 isc_buffer_init(&b, target, strlen(target));
5963 isc_buffer_add(&b, strlen(target));
5964 dns_fixedname_init(&fixed);
5965 name = dns_fixedname_name(&fixed);
5966 result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
5967 if (result != ISC_R_SUCCESS)
5970 /* Look for the view name. */
5971 viewname = next_token(&args, " \t");
5973 result = isc_task_beginexclusive(server->task);
5974 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5977 for (view = ISC_LIST_HEAD(server->viewlist);
5979 view = ISC_LIST_NEXT(view, link))
5981 if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
5985 * It's a little inefficient to try flushing name for all views
5986 * if some of the views share a single cache. But since the
5987 * operation is lightweight we prefer simplicity here.
5989 result = dns_view_flushname(view, name);
5990 if (result != ISC_R_SUCCESS) {
5991 flushed = ISC_FALSE;
5992 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
5993 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
5994 "flushing name '%s' in cache view '%s' "
5995 "failed: %s", target, view->name,
5996 isc_result_totext(result));
5999 if (flushed && found) {
6000 if (viewname != NULL)
6001 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6002 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6003 "flushing name '%s' in cache view '%s' "
6004 "succeeded", target, viewname);
6006 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6007 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6008 "flushing name '%s' in all cache views "
6009 "succeeded", target);
6010 result = ISC_R_SUCCESS;
6013 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6014 NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
6015 "flushing name '%s' in cache view '%s' "
6016 "failed: view not found", target,
6018 result = ISC_R_FAILURE;
6020 isc_task_endexclusive(server->task);
6025 ns_server_status(ns_server_t *server, isc_buffer_t *text) {
6026 int zonecount, xferrunning, xferdeferred, soaqueries;
6028 const char *ob = "", *cb = "", *alt = "";
6030 if (ns_g_server->version_set) {
6033 if (ns_g_server->version == NULL)
6034 alt = "version.bind/txt/ch disabled";
6036 alt = ns_g_server->version;
6038 zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
6039 xferrunning = dns_zonemgr_getcount(server->zonemgr,
6040 DNS_ZONESTATE_XFERRUNNING);
6041 xferdeferred = dns_zonemgr_getcount(server->zonemgr,
6042 DNS_ZONESTATE_XFERDEFERRED);
6043 soaqueries = dns_zonemgr_getcount(server->zonemgr,
6044 DNS_ZONESTATE_SOAQUERY);
6046 n = snprintf((char *)isc_buffer_used(text),
6047 isc_buffer_availablelength(text),
6048 "version: %s%s%s%s\n"
6049 #ifdef ISC_PLATFORM_USETHREADS
6051 "worker threads: %u\n"
6053 "number of zones: %u\n"
6055 "xfers running: %u\n"
6056 "xfers deferred: %u\n"
6057 "soa queries in progress: %u\n"
6058 "query logging is %s\n"
6059 "recursive clients: %d/%d/%d\n"
6060 "tcp clients: %d/%d\n"
6061 "server is up and running",
6062 ns_g_version, ob, alt, cb,
6063 #ifdef ISC_PLATFORM_USETHREADS
6064 ns_g_cpus_detected, ns_g_cpus,
6066 zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
6067 soaqueries, server->log_queries ? "ON" : "OFF",
6068 server->recursionquota.used, server->recursionquota.soft,
6069 server->recursionquota.max,
6070 server->tcpquota.used, server->tcpquota.max);
6071 if (n >= isc_buffer_availablelength(text))
6072 return (ISC_R_NOSPACE);
6073 isc_buffer_add(text, n);
6074 return (ISC_R_SUCCESS);
6078 delete_keynames(dns_tsig_keyring_t *ring, char *target,
6079 unsigned int *foundkeys)
6081 char namestr[DNS_NAME_FORMATSIZE];
6082 isc_result_t result;
6083 dns_rbtnodechain_t chain;
6084 dns_name_t foundname;
6085 dns_fixedname_t fixedorigin;
6087 dns_rbtnode_t *node;
6088 dns_tsigkey_t *tkey;
6090 dns_name_init(&foundname, NULL);
6091 dns_fixedname_init(&fixedorigin);
6092 origin = dns_fixedname_name(&fixedorigin);
6095 dns_rbtnodechain_init(&chain, ring->mctx);
6096 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
6098 if (result == ISC_R_NOTFOUND) {
6099 dns_rbtnodechain_invalidate(&chain);
6100 return (ISC_R_SUCCESS);
6102 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
6103 dns_rbtnodechain_invalidate(&chain);
6109 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
6113 if (!tkey->generated)
6116 dns_name_format(&tkey->name, namestr, sizeof(namestr));
6117 if (strcmp(namestr, target) == 0) {
6119 dns_rbtnodechain_invalidate(&chain);
6120 (void)dns_rbt_deletename(ring->keys,
6128 result = dns_rbtnodechain_next(&chain, &foundname, origin);
6129 if (result == ISC_R_NOMORE)
6131 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
6132 dns_rbtnodechain_invalidate(&chain);
6137 return (ISC_R_SUCCESS);
6141 ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text) {
6142 isc_result_t result;
6145 unsigned int foundkeys = 0;
6149 (void)next_token(&command, " \t"); /* skip command name */
6150 target = next_token(&command, " \t");
6152 return (ISC_R_UNEXPECTEDEND);
6153 viewname = next_token(&command, " \t");
6155 result = isc_task_beginexclusive(server->task);
6156 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6157 for (view = ISC_LIST_HEAD(server->viewlist);
6159 view = ISC_LIST_NEXT(view, link)) {
6160 if (viewname == NULL || strcmp(view->name, viewname) == 0) {
6161 RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write);
6162 result = delete_keynames(view->dynamickeys, target,
6164 RWUNLOCK(&view->dynamickeys->lock,
6165 isc_rwlocktype_write);
6166 if (result != ISC_R_SUCCESS) {
6167 isc_task_endexclusive(server->task);
6172 isc_task_endexclusive(server->task);
6174 n = snprintf((char *)isc_buffer_used(text),
6175 isc_buffer_availablelength(text),
6176 "%d tsig keys deleted.\n", foundkeys);
6177 if (n >= isc_buffer_availablelength(text))
6178 return (ISC_R_NOSPACE);
6179 isc_buffer_add(text, n);
6181 return (ISC_R_SUCCESS);
6185 list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
6186 unsigned int *foundkeys)
6188 char namestr[DNS_NAME_FORMATSIZE];
6189 char creatorstr[DNS_NAME_FORMATSIZE];
6190 isc_result_t result;
6191 dns_rbtnodechain_t chain;
6192 dns_name_t foundname;
6193 dns_fixedname_t fixedorigin;
6195 dns_rbtnode_t *node;
6196 dns_tsigkey_t *tkey;
6198 const char *viewname;
6201 viewname = view->name;
6203 viewname = "(global)";
6205 dns_name_init(&foundname, NULL);
6206 dns_fixedname_init(&fixedorigin);
6207 origin = dns_fixedname_name(&fixedorigin);
6208 dns_rbtnodechain_init(&chain, ring->mctx);
6209 result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
6211 if (result == ISC_R_NOTFOUND) {
6212 dns_rbtnodechain_invalidate(&chain);
6213 return (ISC_R_SUCCESS);
6215 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
6216 dns_rbtnodechain_invalidate(&chain);
6222 dns_rbtnodechain_current(&chain, &foundname, origin, &node);
6227 dns_name_format(&tkey->name, namestr, sizeof(namestr));
6228 if (tkey->generated) {
6229 dns_name_format(tkey->creator, creatorstr,
6230 sizeof(creatorstr));
6231 n = snprintf((char *)isc_buffer_used(text),
6232 isc_buffer_availablelength(text),
6233 "view \"%s\"; type \"dynamic\"; key \"%s\"; creator \"%s\";\n",
6234 viewname, namestr, creatorstr);
6236 n = snprintf((char *)isc_buffer_used(text),
6237 isc_buffer_availablelength(text),
6238 "view \"%s\"; type \"static\"; key \"%s\";\n",
6241 if (n >= isc_buffer_availablelength(text)) {
6242 dns_rbtnodechain_invalidate(&chain);
6243 return (ISC_R_NOSPACE);
6245 isc_buffer_add(text, n);
6247 result = dns_rbtnodechain_next(&chain, &foundname, origin);
6248 if (result == ISC_R_NOMORE)
6250 if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
6251 dns_rbtnodechain_invalidate(&chain);
6256 return (ISC_R_SUCCESS);
6260 ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
6261 isc_result_t result;
6264 unsigned int foundkeys = 0;
6266 result = isc_task_beginexclusive(server->task);
6267 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6268 for (view = ISC_LIST_HEAD(server->viewlist);
6270 view = ISC_LIST_NEXT(view, link)) {
6271 RWLOCK(&view->statickeys->lock, isc_rwlocktype_read);
6272 result = list_keynames(view, view->statickeys, text,
6274 RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read);
6275 if (result != ISC_R_SUCCESS) {
6276 isc_task_endexclusive(server->task);
6279 RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
6280 result = list_keynames(view, view->dynamickeys, text,
6282 RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
6283 if (result != ISC_R_SUCCESS) {
6284 isc_task_endexclusive(server->task);
6288 isc_task_endexclusive(server->task);
6290 if (foundkeys == 0) {
6291 n = snprintf((char *)isc_buffer_used(text),
6292 isc_buffer_availablelength(text),
6293 "no tsig keys found.\n");
6294 if (n >= isc_buffer_availablelength(text))
6295 return (ISC_R_NOSPACE);
6296 isc_buffer_add(text, n);
6299 return (ISC_R_SUCCESS);
6303 * Act on a "sign" command from the command channel.
6306 ns_server_sign(ns_server_t *server, char *args) {
6307 isc_result_t result;
6308 dns_zone_t *zone = NULL;
6309 dns_zonetype_t type;
6310 isc_uint16_t keyopts;
6312 result = zone_from_args(server, args, &zone);
6313 if (result != ISC_R_SUCCESS)
6316 return (ISC_R_UNEXPECTEDEND); /* XXX: or do all zones? */
6318 type = dns_zone_gettype(zone);
6319 if (type != dns_zone_master) {
6320 dns_zone_detach(&zone);
6321 return (DNS_R_NOTMASTER);
6324 keyopts = dns_zone_getkeyopts(zone);
6325 if ((keyopts & DNS_ZONEKEY_ALLOW) != 0)
6326 dns_zone_rekey(zone);
6328 result = ISC_R_NOPERM;
6330 dns_zone_detach(&zone);
6335 * Act on a "freeze" or "thaw" command from the command channel.
6338 ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
6341 isc_result_t result, tresult;
6342 dns_zone_t *zone = NULL;
6343 dns_zonetype_t type;
6344 char classstr[DNS_RDATACLASS_FORMATSIZE];
6345 char zonename[DNS_NAME_FORMATSIZE];
6348 const char *vname, *sep;
6349 isc_boolean_t frozen;
6350 const char *msg = NULL;
6352 result = zone_from_args(server, args, &zone);
6353 if (result != ISC_R_SUCCESS)
6356 result = isc_task_beginexclusive(server->task);
6357 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6358 tresult = ISC_R_SUCCESS;
6359 for (view = ISC_LIST_HEAD(server->viewlist);
6361 view = ISC_LIST_NEXT(view, link)) {
6362 result = dns_view_freezezones(view, freeze);
6363 if (result != ISC_R_SUCCESS &&
6364 tresult == ISC_R_SUCCESS)
6367 isc_task_endexclusive(server->task);
6368 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6369 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6371 freeze ? "freezing" : "thawing",
6372 isc_result_totext(tresult));
6375 type = dns_zone_gettype(zone);
6376 if (type != dns_zone_master) {
6377 dns_zone_detach(&zone);
6378 return (DNS_R_NOTMASTER);
6381 result = isc_task_beginexclusive(server->task);
6382 RUNTIME_CHECK(result == ISC_R_SUCCESS);
6383 frozen = dns_zone_getupdatedisabled(zone);
6386 msg = "WARNING: The zone was already frozen.\n"
6387 "Someone else may be editing it or "
6388 "it may still be re-loading.";
6389 result = DNS_R_FROZEN;
6391 if (result == ISC_R_SUCCESS) {
6392 result = dns_zone_flush(zone);
6393 if (result != ISC_R_SUCCESS)
6394 msg = "Flushing the zone updates to "
6397 if (result == ISC_R_SUCCESS) {
6398 journal = dns_zone_getjournal(zone);
6399 if (journal != NULL)
6400 (void)isc_file_remove(journal);
6402 if (result == ISC_R_SUCCESS)
6403 dns_zone_setupdatedisabled(zone, freeze);
6406 result = dns_zone_loadandthaw(zone);
6409 case DNS_R_UPTODATE:
6410 msg = "The zone reload and thaw was "
6412 result = ISC_R_SUCCESS;
6414 case DNS_R_CONTINUE:
6415 msg = "A zone reload and thaw was started.\n"
6416 "Check the logs to see the result.";
6417 result = ISC_R_SUCCESS;
6422 isc_task_endexclusive(server->task);
6424 if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
6425 isc_buffer_putmem(text, (const unsigned char *)msg,
6428 view = dns_zone_getview(zone);
6429 if (strcmp(view->name, "_default") == 0 ||
6430 strcmp(view->name, "_bind") == 0)
6438 dns_rdataclass_format(dns_zone_getclass(zone), classstr,
6440 dns_name_format(dns_zone_getorigin(zone),
6441 zonename, sizeof(zonename));
6442 isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
6443 NS_LOGMODULE_SERVER, ISC_LOG_INFO,
6444 "%s zone '%s/%s'%s%s: %s",
6445 freeze ? "freezing" : "thawing",
6446 zonename, classstr, sep, vname,
6447 isc_result_totext(result));
6448 dns_zone_detach(&zone);
6454 * This function adds a message for rndc to echo if named
6455 * is managed by smf and is also running chroot.
6458 ns_smf_add_message(isc_buffer_t *text) {
6461 n = snprintf((char *)isc_buffer_used(text),
6462 isc_buffer_availablelength(text),
6463 "use svcadm(1M) to manage named");
6464 if (n >= isc_buffer_availablelength(text))
6465 return (ISC_R_NOSPACE);
6466 isc_buffer_add(text, n);
6467 return (ISC_R_SUCCESS);
6469 #endif /* HAVE_LIBSCF */