system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-22 02:37:15 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Remove BIND.

Browse source 
Approved by:	re (gjb)
This commit is contained in:
Dag-Erling Smørgrav 2013-09-30 17:23:45 +00:00
parent 8cdb4d8967
commit 56b72efe82
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=255949
1104 changed files with 231 additions and 487338 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
Makefile.inc1
View file

@ -395,7 +395,7 @@ LIB32WMAKEFLAGS+= \
-DNO_LINT
LIB32WMAKE= ${LIB32WMAKEENV} ${MAKE} ${LIB32WMAKEFLAGS} \
-DWITHOUT_BIND -DWITHOUT_MAN -DWITHOUT_INFO -DWITHOUT_HTML
-DWITHOUT_MAN -DWITHOUT_INFO -DWITHOUT_HTML
LIB32IMAKE= ${LIB32WMAKE:NINSTALL=*:NDESTDIR=*:N_LDSCRIPTROOT=*} -DNO_INCS \
${IMAKE_INSTALL}
.endif
@ -485,10 +485,6 @@ _worldtmp:
mtree -deU -f ${.CURDIR}/etc/mtree/BSD.debug.dist \
-p ${WORLDTMP}/usr/lib >/dev/null
.endif
.if ${MK_BIND_LIBS} != "no"
mtree -deU -f ${.CURDIR}/etc/mtree/BIND.include.dist \
-p ${WORLDTMP}/usr/include >/dev/null
.endif
.for _mtree in ${LOCAL_MTREE}
mtree -deU -f ${.CURDIR}/${_mtree} -p ${WORLDTMP} > /dev/null
.endfor

229
ObsoleteFiles.inc
View file

@ -38,6 +38,235 @@
# xargs -n1 | sort | uniq -d;
# done
# 20130930: BIND removed from base
OLD_FILES+=etc/namedb
OLD_FILES+=etc/periodic/daily/470.status-named
OLD_FILES+=usr/bin/dig
OLD_FILES+=usr/bin/nslookup
OLD_FILES+=usr/bin/nsupdate
OLD_DIRS+=usr/include/lwres
OLD_FILES+=usr/include/lwres/context.h
OLD_FILES+=usr/include/lwres/int.h
OLD_FILES+=usr/include/lwres/ipv6.h
OLD_FILES+=usr/include/lwres/lang.h
OLD_FILES+=usr/include/lwres/list.h
OLD_FILES+=usr/include/lwres/lwbuffer.h
OLD_FILES+=usr/include/lwres/lwpacket.h
OLD_FILES+=usr/include/lwres/lwres.h
OLD_FILES+=usr/include/lwres/net.h
OLD_FILES+=usr/include/lwres/netdb.h
OLD_FILES+=usr/include/lwres/platform.h
OLD_FILES+=usr/include/lwres/result.h
OLD_FILES+=usr/include/lwres/version.h
OLD_FILES+=usr/lib/liblwres.a
OLD_FILES+=usr/lib/liblwres.so
OLD_LIBS+=usr/lib/liblwres.so.50
OLD_FILES+=usr/lib/liblwres_p.a
OLD_FILES+=usr/sbin/arpaname
OLD_FILES+=usr/sbin/ddns-confgen
OLD_FILES+=usr/sbin/dnssec-dsfromkey
OLD_FILES+=usr/sbin/dnssec-keyfromlabel
OLD_FILES+=usr/sbin/dnssec-keygen
OLD_FILES+=usr/sbin/dnssec-revoke
OLD_FILES+=usr/sbin/dnssec-settime
OLD_FILES+=usr/sbin/dnssec-signzone
OLD_FILES+=usr/sbin/genrandom
OLD_FILES+=usr/sbin/isc-hmac-fixup
OLD_FILES+=usr/sbin/lwresd
OLD_FILES+=usr/sbin/named
OLD_FILES+=usr/sbin/named-checkconf
OLD_FILES+=usr/sbin/named-checkzone
OLD_FILES+=usr/sbin/named-compilezone
OLD_FILES+=usr/sbin/named-journalprint
OLD_FILES+=usr/sbin/named.reconfig
OLD_FILES+=usr/sbin/named.reload
OLD_FILES+=usr/sbin/nsec3hash
OLD_FILES+=usr/sbin/rndc
OLD_FILES+=usr/sbin/rndc-confgen
OLD_DIRS+=usr/share/doc/bind9
OLD_FILES+=usr/share/doc/bind9/CHANGES
OLD_FILES+=usr/share/doc/bind9/COPYRIGHT
OLD_FILES+=usr/share/doc/bind9/FAQ
OLD_FILES+=usr/share/doc/bind9/HISTORY
OLD_FILES+=usr/share/doc/bind9/README
OLD_DIRS+=usr/share/doc/bind9/arm
OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch01.html
OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch02.html
OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch03.html
OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch04.html
OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch05.html
OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch06.html
OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch07.html
OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch08.html
OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch09.html
OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.ch10.html
OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.html
OLD_FILES+=usr/share/doc/bind9/arm/Bv9ARM.pdf
OLD_FILES+=usr/share/doc/bind9/arm/man.arpaname.html
OLD_FILES+=usr/share/doc/bind9/arm/man.ddns-confgen.html
OLD_FILES+=usr/share/doc/bind9/arm/man.dig.html
OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-dsfromkey.html
OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-keyfromlabel.html
OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-keygen.html
OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-revoke.html
OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-settime.html
OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-signzone.html
OLD_FILES+=usr/share/doc/bind9/arm/man.dnssec-verify.html
OLD_FILES+=usr/share/doc/bind9/arm/man.genrandom.html
OLD_FILES+=usr/share/doc/bind9/arm/man.host.html
OLD_FILES+=usr/share/doc/bind9/arm/man.isc-hmac-fixup.html
OLD_FILES+=usr/share/doc/bind9/arm/man.named-checkconf.html
OLD_FILES+=usr/share/doc/bind9/arm/man.named-checkzone.html
OLD_FILES+=usr/share/doc/bind9/arm/man.named-journalprint.html
OLD_FILES+=usr/share/doc/bind9/arm/man.named.html
OLD_FILES+=usr/share/doc/bind9/arm/man.nsec3hash.html
OLD_FILES+=usr/share/doc/bind9/arm/man.nsupdate.html
OLD_FILES+=usr/share/doc/bind9/arm/man.rndc-confgen.html
OLD_FILES+=usr/share/doc/bind9/arm/man.rndc.conf.html
OLD_FILES+=usr/share/doc/bind9/arm/man.rndc.html
OLD_DIRS+=usr/share/doc/bind9/misc
OLD_FILES+=usr/share/doc/bind9/misc/dnssec
OLD_FILES+=usr/share/doc/bind9/misc/format-options.pl
OLD_FILES+=usr/share/doc/bind9/misc/ipv6
OLD_FILES+=usr/share/doc/bind9/misc/migration
OLD_FILES+=usr/share/doc/bind9/misc/migration-4to9
OLD_FILES+=usr/share/doc/bind9/misc/options
OLD_FILES+=usr/share/doc/bind9/misc/rfc-compliance
OLD_FILES+=usr/share/doc/bind9/misc/roadmap
OLD_FILES+=usr/share/doc/bind9/misc/sdb
OLD_FILES+=usr/share/doc/bind9/misc/sort-options.pl
OLD_FILES+=usr/share/man/man1/arpaname.1.gz
OLD_FILES+=usr/share/man/man1/dig.1.gz
OLD_FILES+=usr/share/man/man1/nslookup.1.gz
OLD_FILES+=usr/share/man/man1/nsupdate.1.gz
OLD_FILES+=usr/share/man/man3/lwres.3.gz
OLD_FILES+=usr/share/man/man3/lwres_addr_parse.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_add.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_back.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_clear.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_first.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_forward.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_getmem.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_getuint16.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_getuint32.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_getuint8.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_init.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_invalidate.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_putmem.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_putuint16.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_putuint32.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_putuint8.3.gz
OLD_FILES+=usr/share/man/man3/lwres_buffer_subtract.3.gz
OLD_FILES+=usr/share/man/man3/lwres_conf_clear.3.gz
OLD_FILES+=usr/share/man/man3/lwres_conf_get.3.gz
OLD_FILES+=usr/share/man/man3/lwres_conf_init.3.gz
OLD_FILES+=usr/share/man/man3/lwres_conf_parse.3.gz
OLD_FILES+=usr/share/man/man3/lwres_conf_print.3.gz
OLD_FILES+=usr/share/man/man3/lwres_config.3.gz
OLD_FILES+=usr/share/man/man3/lwres_context.3.gz
OLD_FILES+=usr/share/man/man3/lwres_context_allocmem.3.gz
OLD_FILES+=usr/share/man/man3/lwres_context_create.3.gz
OLD_FILES+=usr/share/man/man3/lwres_context_destroy.3.gz
OLD_FILES+=usr/share/man/man3/lwres_context_freemem.3.gz
OLD_FILES+=usr/share/man/man3/lwres_context_initserial.3.gz
OLD_FILES+=usr/share/man/man3/lwres_context_nextserial.3.gz
OLD_FILES+=usr/share/man/man3/lwres_context_sendrecv.3.gz
OLD_FILES+=usr/share/man/man3/lwres_endhostent.3.gz
OLD_FILES+=usr/share/man/man3/lwres_endhostent_r.3.gz
OLD_FILES+=usr/share/man/man3/lwres_freeaddrinfo.3.gz
OLD_FILES+=usr/share/man/man3/lwres_freehostent.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gabn.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gabnrequest_free.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gabnrequest_parse.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gabnrequest_render.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gabnresponse_free.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gabnresponse_parse.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gabnresponse_render.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gai_strerror.3.gz
OLD_FILES+=usr/share/man/man3/lwres_getaddrinfo.3.gz
OLD_FILES+=usr/share/man/man3/lwres_getaddrsbyname.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gethostbyaddr.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gethostbyaddr_r.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gethostbyname.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gethostbyname2.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gethostbyname_r.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gethostent.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gethostent_r.3.gz
OLD_FILES+=usr/share/man/man3/lwres_getipnode.3.gz
OLD_FILES+=usr/share/man/man3/lwres_getipnodebyaddr.3.gz
OLD_FILES+=usr/share/man/man3/lwres_getipnodebyname.3.gz
OLD_FILES+=usr/share/man/man3/lwres_getnamebyaddr.3.gz
OLD_FILES+=usr/share/man/man3/lwres_getnameinfo.3.gz
OLD_FILES+=usr/share/man/man3/lwres_getrrsetbyname.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gnba.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gnbarequest_free.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gnbarequest_parse.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gnbarequest_render.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gnbaresponse_free.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gnbaresponse_parse.3.gz
OLD_FILES+=usr/share/man/man3/lwres_gnbaresponse_render.3.gz
OLD_FILES+=usr/share/man/man3/lwres_herror.3.gz
OLD_FILES+=usr/share/man/man3/lwres_hstrerror.3.gz
OLD_FILES+=usr/share/man/man3/lwres_inetntop.3.gz
OLD_FILES+=usr/share/man/man3/lwres_lwpacket_parseheader.3.gz
OLD_FILES+=usr/share/man/man3/lwres_lwpacket_renderheader.3.gz
OLD_FILES+=usr/share/man/man3/lwres_net_ntop.3.gz
OLD_FILES+=usr/share/man/man3/lwres_noop.3.gz
OLD_FILES+=usr/share/man/man3/lwres_nooprequest_free.3.gz
OLD_FILES+=usr/share/man/man3/lwres_nooprequest_parse.3.gz
OLD_FILES+=usr/share/man/man3/lwres_nooprequest_render.3.gz
OLD_FILES+=usr/share/man/man3/lwres_noopresponse_free.3.gz
OLD_FILES+=usr/share/man/man3/lwres_noopresponse_parse.3.gz
OLD_FILES+=usr/share/man/man3/lwres_noopresponse_render.3.gz
OLD_FILES+=usr/share/man/man3/lwres_packet.3.gz
OLD_FILES+=usr/share/man/man3/lwres_resutil.3.gz
OLD_FILES+=usr/share/man/man3/lwres_sethostent.3.gz
OLD_FILES+=usr/share/man/man3/lwres_sethostent_r.3.gz
OLD_FILES+=usr/share/man/man3/lwres_string_parse.3.gz
OLD_FILES+=usr/share/man/man5/named.conf.5.gz
OLD_FILES+=usr/share/man/man5/rndc.conf.5.gz
OLD_FILES+=usr/share/man/man8/ddns-confgen.8.gz
OLD_FILES+=usr/share/man/man8/dnssec-dsfromkey.8.gz
OLD_FILES+=usr/share/man/man8/dnssec-keyfromlabel.8.gz
OLD_FILES+=usr/share/man/man8/dnssec-keygen.8.gz
OLD_FILES+=usr/share/man/man8/dnssec-revoke.8.gz
OLD_FILES+=usr/share/man/man8/dnssec-settime.8.gz
OLD_FILES+=usr/share/man/man8/dnssec-signzone.8.gz
OLD_FILES+=usr/share/man/man8/genrandom.8.gz
OLD_FILES+=usr/share/man/man8/isc-hmac-fixup.8.gz
OLD_FILES+=usr/share/man/man8/lwresd.8.gz
OLD_FILES+=usr/share/man/man8/named-checkconf.8.gz
OLD_FILES+=usr/share/man/man8/named-checkzone.8.gz
OLD_FILES+=usr/share/man/man8/named-compilezone.8.gz
OLD_FILES+=usr/share/man/man8/named-journalprint.8.gz
OLD_FILES+=usr/share/man/man8/named.8.gz
OLD_FILES+=usr/share/man/man8/named.reconfig.8.gz
OLD_FILES+=usr/share/man/man8/named.reload.8.gz
OLD_FILES+=usr/share/man/man8/nsec3hash.8.gz
OLD_FILES+=usr/share/man/man8/rndc-confgen.8.gz
OLD_FILES+=usr/share/man/man8/rndc.8.gz
OLD_DIRS+=var/named/dev
OLD_DIRS+=var/named/etc
OLD_DIRS+=var/named/etc/namedb
OLD_FILES+=var/named/etc/namedb/PROTO.localhost-v6.rev
OLD_FILES+=var/named/etc/namedb/PROTO.localhost.rev
OLD_DIRS+=var/named/etc/namedb/dynamic
OLD_FILES+=var/named/etc/namedb/make-localhost
OLD_DIRS+=var/named/etc/namedb/master
OLD_FILES+=var/named/etc/namedb/master/empty.db
OLD_FILES+=var/named/etc/namedb/master/localhost-forward.db
OLD_FILES+=var/named/etc/namedb/master/localhost-reverse.db
#OLD_FILES+=var/named/etc/namedb/named.conf # intentionally left out
OLD_FILES+=var/named/etc/namedb/named.root
OLD_DIRS+=var/named/etc/namedb/slave
OLD_DIRS+=var/named/var
OLD_DIRS+=var/named/var/dump
OLD_DIRS+=var/named/var/log
OLD_DIRS+=var/named/var/run
OLD_DIRS+=var/named/var/run/named
OLD_DIRS+=var/named/var/stats
OLD_DIRS+=var/run/named
# 20130908: libssh becomes private
OLD_FILES+=usr/lib/libssh.a
OLD_FILES+=usr/lib/libssh.so

11412
contrib/bind9/CHANGES
View file

File diff suppressed because it is too large Load diff

518
contrib/bind9/COPYRIGHT
View file

@ -1,518 +0,0 @@
Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 1996-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
$Id: COPYRIGHT,v 1.19 2012/01/03 23:46:59 tbox Exp $
Portions of this code release fall under one or more of the
following Copyright notices. Please see individual source
files for details.
For binary releases also see: OpenSSL-LICENSE.
Copyright (C) 1996-2001 Nominum, Inc.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Copyright (C) 1995-2000 by Network Associates, Inc.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Copyright (C) 2002 Stichting NLnet, Netherlands, stichting@nlnet.nl.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all
copies.
THE SOFTWARE IS PROVIDED "AS IS" AND STICHTING NLNET
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
STICHTING NLNET BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
USE OR PERFORMANCE OF THIS SOFTWARE.
The development of Dynamically Loadable Zones (DLZ) for Bind 9 was
conceived and contributed by Rob Butler.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the
above copyright notice and this permission notice appear in all
copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ROB BUTLER
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
ROB BUTLER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
USE OR PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Copyright (c) 1987, 1990, 1993, 1994
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
This product includes software developed by the University of
California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (C) The Internet Society 2005. This version of
this module is part of RFC 4178; see the RFC itself for
full legal notices.
(The above copyright notice is per RFC 3978 5.6 (a), q.v.)
-----------------------------------------------------------------------------
Copyright (c) 2004 Masarykova universita
(Masaryk University, Brno, Czech Republic)
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may
be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the Institute nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (c) 1998 Doug Rabson
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright ((c)) 2002, Rice University
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided
with the distribution.
* Neither the name of Rice University (RICE) nor the names of its
contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
This software is provided by RICE and the contributors on an "as is"
basis, without any representations or warranties of any kind, express
or implied including, but not limited to, representations or
warranties of non-infringement, merchantability or fitness for a
particular purpose. In no event shall RICE or contributors be liable
for any direct, indirect, incidental, special, exemplary, or
consequential damages (including, but not limited to, procurement of
substitute goods or services; loss of use, data, or profits; or
business interruption) however caused and on any theory of liability,
whether in contract, strict liability, or tort (including negligence
or otherwise) arising in any way out of the use of this software, even
if advised of the possibility of such damage.
-----------------------------------------------------------------------------
Copyright (c) 1993 by Digital Equipment Corporation.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies, and that
the name of Digital Equipment Corporation not be used in advertising or
publicity pertaining to distribution of the document or software without
specific, written prior permission.
THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
SOFTWARE.
-----------------------------------------------------------------------------
Copyright 2000 Aaron D. Gifford. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (c) 1998 Doug Rabson.
Copyright (c) 2001 Jake Burkholder.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. Neither the name of the project nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-----------------------------------------------------------------------------
Copyright (c) 1999-2000 by Nortel Networks Corporation
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND NORTEL NETWORKS DISCLAIMS
ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NORTEL NETWORKS
BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
SOFTWARE.
-----------------------------------------------------------------------------
Copyright (c) 2000-2002 Japan Network Information Center. All rights reserved.
By using this file, you agree to the terms and conditions set forth bellow.
LICENSE TERMS AND CONDITIONS
The following License Terms and Conditions apply, unless a different
license is obtained from Japan Network Information Center ("JPNIC"),
a Japanese association, Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda,
Chiyoda-ku, Tokyo 101-0047, Japan.
1. Use, Modification and Redistribution (including distribution of any
modified or derived work) in source and/or binary forms is permitted
under this License Terms and Conditions.
2. Redistribution of source code must retain the copyright notices as they
appear in each source code file, this License Terms and Conditions.
3. Redistribution in binary form must reproduce the Copyright Notice,
this License Terms and Conditions, in the documentation and/or other
materials provided with the distribution. For the purposes of binary
distribution the "Copyright Notice" refers to the following language:
"Copyright (c) 2000-2002 Japan Network Information Center. All rights
reserved."
4. The name of JPNIC may not be used to endorse or promote products
derived from this Software without specific prior written approval of
JPNIC.
5. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY JPNIC
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JPNIC BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-----------------------------------------------------------------------------
Copyright (C) 2004 Nominet, Ltd.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Portions Copyright RSA Security Inc.
License to copy and use this software is granted provided that it is
identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
(Cryptoki)" in all material mentioning or referencing this software.
License is also granted to make and use derivative works provided that
such works are identified as "derived from the RSA Security Inc. PKCS #11
Cryptographic Token Interface (Cryptoki)" in all material mentioning or
referencing the derived work.
RSA Security Inc. makes no representations concerning either the
merchantability of this software or the suitability of this software for
any particular purpose. It is provided "as is" without express or implied
warranty of any kind.
-----------------------------------------------------------------------------
Copyright (c) 1996, David Mazieres <dm@uun.org>
Copyright (c) 2008, Damien Miller <djm@openbsd.org>
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-----------------------------------------------------------------------------
Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
3. All advertising materials mentioning features or use of this
software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
endorse or promote products derived from this software without
prior written permission. For written permission, please contact
licensing@OpenSSL.org.
5. Products derived from this software may not be called "OpenSSL"
nor may "OpenSSL" appear in their names without prior written
permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following
acknowledgment:
"This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.

893
contrib/bind9/FAQ
View file

@ -1,893 +0,0 @@
Frequently Asked Questions about BIND 9
Copyright © 2004-2010, 2013 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2000-2003 Internet Software Consortium.
-----------------------------------------------------------------------
1. Compilation and Installation Questions
Q: I'm trying to compile BIND 9, and "make" is failing due to files not
being found. Why?
A: Using a parallel or distributed "make" to build BIND 9 is not
supported, and doesn't work. If you are using one of these, use normal
make or gmake instead.
Q: Isn't "make install" supposed to generate a default named.conf?
A: Short Answer: No.
Long Answer: There really isn't a default configuration which fits any
site perfectly. There are lots of decisions that need to be made and
there is no consensus on what the defaults should be. For example
FreeBSD uses /etc/namedb as the location where the configuration files
for named are stored. Others use /var/named.
What addresses to listen on? For a laptop on the move a lot you may
only want to listen on the loop back interfaces.
Who do you offer recursive service to? Is there are firewall to
consider? If so is it stateless or stateful. Are you directly on the
Internet? Are you on a private network? Are you on a NAT'd network? The
answers to all these questions change how you configure even a caching
name server.
2. Configuration and Setup Questions
Q: Why does named log the warning message "no TTL specified - using SOA
MINTTL instead"?
A: Your zone file is illegal according to RFC1035. It must either have a
line like:
$TTL 86400
at the beginning, or the first record in it must have a TTL field, like
the "84600" in this example:
example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master
file bar: ran out of space"?
A: This is often caused by TXT records with missing close quotes. Check
that all TXT records containing quoted strings have both open and close
quotes.
Q: How do I restrict people from looking up the server version?
A: Put a "version" option containing something other than the real version
in the "options" section of named.conf. Note doing this will not
prevent attacks and may impede people trying to diagnose problems with
your server. Also it is possible to "fingerprint" nameservers to
determine their version.
Q: How do I restrict only remote users from looking up the server version?
A: The following view statement will intercept lookups as the internal
view that holds the version information will be matched last. The
caveats of the previous answer still apply, of course.
view "chaos" chaos {
match-clients { <those to be refused>; };
allow-query { none; };
zone "." {
type hint;
file "/dev/null"; // or any empty file
};
};
Q: What do "no source of entropy found" or "could not open entropy source
foo" mean?
A: The server requires a source of entropy to perform certain operations,
mostly DNSSEC related. These messages indicate that you have no source
of entropy. On systems with /dev/random or an equivalent, it is used by
default. A source of entropy can also be defined using the
random-device option in named.conf.
Q: I'm trying to use TSIG to authenticate dynamic updates or zone
transfers. I'm sure I have the keys set up correctly, but the server is
rejecting the TSIG. Why?
A: This may be a clock skew problem. Check that the the clocks on the
client and server are properly synchronised (e.g., using ntp).
Q: I see a log message like the following. Why?
couldn't open pid file '/var/run/named.pid': Permission denied
A: You are most likely running named as a non-root user, and that user
does not have permission to write in /var/run. The common ways of
fixing this are to create a /var/run/named directory owned by the named
user and set pid-file to "/var/run/named/named.pid", or set pid-file to
"named.pid", which will put the file in the directory specified by the
directory option (which, in this case, must be writable by the named
user).
Q: I can query the nameserver from the nameserver but not from other
machines. Why?
A: This is usually the result of the firewall configuration stopping the
queries and / or the replies.
Q: How can I make a server a slave for both an internal and an external
view at the same time? When I tried, both views on the slave were
transferred from the same view on the master.
A: You will need to give the master and slave multiple IP addresses and
use those to make sure you reach the correct view on the other machine.
Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
internal:
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
notify-source 10.0.1.1;
transfer-source 10.0.1.1;
query-source address 10.0.1.1;
external:
match-clients { any; };
recursion no; // don't offer recursion to the world
notify-source 10.0.1.2;
transfer-source 10.0.1.2;
query-source address 10.0.1.2;
Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
internal:
match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
notify-source 10.0.1.3;
transfer-source 10.0.1.3;
query-source address 10.0.1.3;
external:
match-clients { any; };
recursion no; // don't offer recursion to the world
notify-source 10.0.1.4;
transfer-source 10.0.1.4;
query-source address 10.0.1.4;
You put the external address on the alias so that all the other dns
clients on these boxes see the internal view by default.
A: BIND 9.3 and later: Use TSIG to select the appropriate view.
Master 10.0.1.1:
key "external" {
algorithm hmac-sha256;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
view "internal" {
match-clients { !key external; // reject message ment for the
// external view.
10.0.1/24; }; // accept from these addresses.
...
};
view "external" {
match-clients { key external; any; };
server 10.0.1.2 { keys external; }; // tag messages from the
// external view to the
// other servers for the
// view.
recursion no;
...
};
Slave 10.0.1.2:
key "external" {
algorithm hmac-sha256;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
...
};
view "external" {
match-clients { key external; any; };
server 10.0.1.1 { keys external; };
recursion no;
...
};
Q: I get error messages like "multiple RRs of singleton type" and "CNAME
and other data" when transferring a zone. What does this mean?
A: These indicate a malformed master zone. You can identify the exact
records involved by transferring the zone using dig then running
named-checkzone on it.
dig axfr example.com @master-server > tmp
named-checkzone example.com tmp
A CNAME record cannot exist with the same name as another record except
for the DNSSEC records which prove its existence (NSEC).
RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other
data should be present; this ensures that the data for a canonical name
and its aliases cannot be different. This rule also insures that a
cached CNAME can be used without checking with an authoritative server
for other RR types."
Q: I get error messages like "named.conf:99: unexpected end of input"
where 99 is the last line of named.conf.
A: There are unbalanced quotes in named.conf.
A: Some text editors (notepad and wordpad) fail to put a line title
indication (e.g. CR/LF) on the last line of a text file. This can be
fixed by "adding" a blank line to the end of the file. Named expects to
see EOF immediately after EOL and treats text files where this is not
met as truncated.
Q: How do I share a dynamic zone between multiple views?
A: You choose one view to be master and the second a slave and transfer
the zone between views.
Master 10.0.1.1:
key "external" {
algorithm hmac-sha256;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
key "mykey" {
algorithm hmac-sha256;
secret "yyyyyyyyyyyyyyyyyyyyyyyy";
};
view "internal" {
match-clients { !key external; 10.0.1/24; };
server 10.0.1.1 {
/* Deliver notify messages to external view. */
keys { external; };
};
zone "example.com" {
type master;
file "internal/example.db";
allow-update { key mykey; };
also-notify { 10.0.1.1; };
};
};
view "external" {
match-clients { key external; any; };
zone "example.com" {
type slave;
file "external/example.db";
masters { 10.0.1.1; };
transfer-source 10.0.1.1;
// allow-update-forwarding { any; };
// allow-notify { ... };
};
};
Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading
master file primaries/wireless.ietf56.ietf.org: no owner".
A: This error is produced when a line in the master file contains leading
white space (tab/space) but the is no current record owner name to
inherit the name from. Usually this is the result of putting white
space before a comment, forgetting the "@" for the SOA record, or
indenting the master file.
Q: Why are my logs in GMT (UTC).
A: You are running chrooted (-t) and have not supplied local timezone
information in the chroot area.
FreeBSD: /etc/localtime
Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
OSF: /etc/zoneinfo/localtime
See also tzset(3) and zic(8).
Q: I get "rndc: connect failed: connection refused" when I try to run
rndc.
A: This is usually a configuration error.
First ensure that named is running and no errors are being reported at
startup (/var/log/messages or equivalent). Running "named -g <usual
arguments>" from a title can help at this point.
Secondly ensure that named is configured to use rndc either by
"rndc-confgen -a", rndc-confgen or manually. The Administrators
Reference manual has details on how to do this.
Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /
etc/rndc.conf for the default server. Update /etc/rndc.conf if
necessary so that the default server listed in /etc/rndc.conf matches
the addresses used in named.conf. "localhost" has two address
(127.0.0.1 and ::1).
If you use "rndc-confgen -a" and named is running with -t or -u ensure
that /etc/rndc.conf has the correct ownership and that a copy is in the
chroot area. You can do this by re-running "rndc-confgen -a" with
appropriate -t and -u arguments.
Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
receiving responses: permission denied" error messages.
A: These indicate a filesystem permission error preventing named creating
/ renaming the temporary file. These will usually also have other
associated error messages like
"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
Named needs write permission on the directory containing the file.
Named writes the new cache file to a temporary file then renames it to
the name specified in named.conf to ensure that the contents are always
complete. This is to prevent named loading a partial zone in the event
of power failure or similar interrupting the write of the master file.
Note file names are relative to the directory specified in options and
any chroot directory ([<chroot dir>/][<options dir>]).
If named is invoked as "named -t /chroot/DNS" with the following
named.conf then "/chroot/DNS/var/named/sl" needs to be writable by the
user named is running as.
options {
directory "/var/named";
};
zone "example.net" {
type slave;
file "sl/example.net";
masters { 192.168.4.12; };
};
Q: I want to forward all DNS queries from my caching nameserver to another
server. But there are some domains which have to be served locally, via
rbldnsd.
How do I achieve this ?
A: options {
forward only;
forwarders { <ip.of.primary.nameserver>; };
};
zone "sbl-xbl.spamhaus.org" {
type forward; forward only;
forwarders { <ip.of.rbldns.server> port 530; };
};
zone "list.dsbl.org" {
type forward; forward only;
forwarders { <ip.of.rbldns.server> port 530; };
};
Q: Can you help me understand how BIND 9 uses memory to store DNS zones?
Some times it seems to take several times the amount of memory it needs
to store the zone.
A: When reloading a zone named my have multiple copies of the zone in
memory at one time. The zone it is serving and the one it is loading.
If reloads are ultra fast it can have more still.
e.g. Ones that are transferring out, the one that it is serving and the
one that is loading.
BIND 8 destroyed the zone before loading and also killed off outgoing
transfers of the zone.
The new strategy allows slaves to get copies of the new zone regardless
of how often the master is loaded compared to the transfer time. The
slave might skip some intermediate versions but the transfers will
complete and it will keep reasonably in sync with the master.
The new strategy also allows the master to recover from syntax and
other errors in the master file as it still has an in-core copy of the
old contents.
Q: I want to use IPv6 locally but I don't have a external IPv6 connection.
External lookups are slow.
A: You can use server clauses to stop named making external lookups over
IPv6.
server fd81:ec6c:bd62::/48 { bogus no; }; // site ULA prefix
server ::/0 { bogus yes; };
3. Operations Questions
Q: How to change the nameservers for a zone?
A: Step 1: Ensure all nameservers, new and old, are serving the same zone
content.
Step 2: Work out the maximum TTL of the NS RRset in the parent and
child zones. This is the time it will take caches to be clear of a
particular version of the NS RRset. If you are just removing
nameservers you can skip to Step 6.
Step 3: Add new nameservers to the NS RRset for the zone and wait until
all the servers for the zone are answering with this new NS RRset.
Step 4: Inform the parent zone of the new NS RRset then wait for all
the parent servers to be answering with the new NS RRset.
Step 5: Wait for cache to be clear of the old NS RRset. See Step 2 for
how long. If you are just adding nameservers you are done.
Step 6: Remove any old nameservers from the zones NS RRset and wait for
all the servers for the zone to be serving the new NS RRset.
Step 7: Inform the parent zone of the new NS RRset then wait for all
the parent servers to be answering with the new NS RRset.
Step 8: Wait for cache to be clear of the old NS RRset. See Step 2 for
how long.
Step 9: Turn off the old nameservers or remove the zone entry from the
configuration of the old nameservers.
Step 10: Increment the serial number and wait for the change to be
visible in all nameservers for the zone. This ensures that zone
transfers are still working after the old servers are decommissioned.
Note: the above procedure is designed to be transparent to dns clients.
Decommissioning the old servers too early will result in some clients
not being able to look up answers in the zone.
Note: while it is possible to run the addition and removal stages
together it is not recommended.
4. General Questions
Q: I keep getting log messages like the following. Why?
Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
update failed: 'RRset exists (value dependent)' prerequisite not
satisfied (NXRRSET)
A: DNS updates allow the update request to test to see if certain
conditions are met prior to proceeding with the update. The message
above is saying that conditions were not met and the update is not
proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.
Q: I keep getting log messages like the following. Why?
Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
A: Someone is trying to update your DNS data using the RFC2136 Dynamic
Update protocol. Windows 2000 machines have a habit of sending dynamic
update requests to DNS servers without being specifically configured to
do so. If the update requests are coming from a Windows 2000 machine,
see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
for information about how to turn them off.
Q: When I do a "dig . ns", many of the A records for the root servers are
missing. Why?
A: This is normal and harmless. It is a somewhat confusing side effect of
the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
makes to avoid promoting glue into answers.
When BIND 9 first starts up and primes its cache, it receives the root
server addresses as additional data in an authoritative response from a
root server, and these records are eligible for inclusion as additional
data in responses. Subsequently it receives a subset of the root server
addresses as additional data in a non-authoritative (referral) response
from a root server. This causes the addresses to now be considered
non-authoritative (glue) data, which is not eligible for inclusion in
responses.
The server does have a complete set of root server addresses cached at
all times, it just may not include all of them as additional data,
depending on whether they were last received as answers or as glue. You
can always look up the addresses with explicit queries like "dig
a.root-servers.net A".
Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
A: A zone can be updated either by editing zone files and reloading the
server or by dynamic update, but not both. If you have enabled dynamic
update for a zone using the "allow-update" option, you are not supposed
to edit the zone file by hand, and the server will not attempt to
reload it.
Q: Why is named listening on UDP port other than 53?
A: Named uses a system selected port to make queries of other nameservers.
This behaviour can be overridden by using query-source to lock down the
port and/or address. See also notify-source and transfer-source.
Q: I get warning messages like "zone example.com/IN: refresh: failure
trying master 1.2.3.4#53: timed out".
A: Check that you can make UDP queries from the slave to the master
dig +norec example.com soa @1.2.3.4
You could be generating queries faster than the slave can cope with.
Lower the serial query rate.
serial-query-rate 5; // default 20
Q: I don't get RRSIG's returned when I use "dig +dnssec".
A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
Q: Can a NS record refer to a CNAME.
A: No. The rules for glue (copies of the *address* records in the parent
zones) and additional section processing do not allow it to work.
You would have to add both the CNAME and address records (A/AAAA) as
glue to the parent zone and have CNAMEs be followed when doing
additional section processing to make it work. No nameserver
implementation supports either of these requirements.
Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA"
mean?
A: If the IN-ADDR.ARPA name covered refers to a internal address space you
are using then you have failed to follow RFC 1918 usage rules and are
leaking queries to the Internet. You should establish your own zones
for these addresses to prevent you querying the Internet's name servers
for these addresses. Please see <http://as112.net/> for details of the
problems you are causing and the counter measures that have had to be
deployed.
If you are not using these private addresses then a client has queried
for them. You can just ignore the messages, get the offending client to
stop sending you these messages as they are most probably leaking them
or setup your own zones empty zones to serve answers to these queries.
zone "10.IN-ADDR.ARPA" {
type master;
file "empty";
};
zone "16.172.IN-ADDR.ARPA" {
type master;
file "empty";
};
...
zone "31.172.IN-ADDR.ARPA" {
type master;
file "empty";
};
zone "168.192.IN-ADDR.ARPA" {
type master;
file "empty";
};
empty:
@ 10800 IN SOA <name-of-server>. <contact-email>. (
1 3600 1200 604800 10800 )
@ 10800 IN NS <name-of-server>.
Note
Future versions of named are likely to do this automatically.
Q: Will named be affected by the 2007 changes to daylight savings rules in
the US.
A: No, so long as the machines internal clock (as reported by "date -u")
remains at UTC. The only visible change if you fail to upgrade your OS,
if you are in a affected area, will be that log messages will be a hour
out during the period where the old rules do not match the new rules.
For most OS's this change just means that you need to update the
conversion rules from UTC to local time. Normally this involves
updating a file in /etc (which sets the default timezone for the
machine) and possibly a directory which has all the conversion rules
for the world (e.g. /usr/share/zoneinfo). When updating the OS do not
forget to update any chroot areas as well. See your OS's documentation
for more details.
The local timezone conversion rules can also be done on a individual
basis by setting the TZ environment variable appropriately. See your
OS's documentation for more details.
Q: Is there a bugzilla (or other tool) database that mere mortals can have
(read-only) access to for bind?
A: No. The BIND 9 bug database is kept closed for a number of reasons.
These include, but are not limited to, that the database contains
proprietory information from people reporting bugs. The database has in
the past and may in future contain unfixed bugs which are capable of
bringing down most of the Internet's DNS infrastructure.
The release pages for each version contain up to date lists of bugs
that have been fixed post release. That is as close as we can get to
providing a bug database.
Q: Why do queries for NSEC3 records fail to return the NSEC3 record?
A: NSEC3 records are strictly meta data and can only be returned in the
authority section. This is done so that signing the zone using NSEC3
records does not bring names into existence that do not exist in the
unsigned version of the zone.
5. Operating-System Specific Questions
5.1. HPUX
Q: I get the following error trying to configure BIND:
checking if unistd.h or sys/types.h defines fd_set... no
configure: error: need either working unistd.h or sys/select.h
A: You have attempted to configure BIND with the bundled C compiler. This
compiler does not meet the minimum compiler requirements to for
building BIND. You need to install a ANSI C compiler and / or teach
configure how to find the ANSI C compiler. The later can be done by
adjusting the PATH environment variable and / or specifying the
compiler via CC.
./configure CC=<compiler> ...
5.2. Linux
Q: Why do I get the following errors:
general: errno2result.c:109: unexpected error:
general: unable to convert errno to isc_result: 14: Bad address
client: UDP client handler shutting down due to fatal receive error: unexpected error
A: This is the result of a Linux kernel bug.
See: <http://marc.theaimsgroup.com/?l=linux-netdev&m=113081708031466&w=
2>
Q: Why does named lock up when it attempts to connect over IPSEC tunnels?
A: This is due to a kernel bug where the fact that a socket is marked
non-blocking is ignored. It is reported that setting xfrm_larval_drop
to 1 helps but this may have negative side effects. See: <https://
bugzilla.redhat.com/show_bug.cgi?id=427629> and <http://lkml.org/lkml/
2007/12/4/260>.
xfrm_larval_drop can be set to 1 by the following procedure:
echo "1" > proc/sys/net/core/xfrm_larval_drop
Q: Why do I see 5 (or more) copies of named on Linux?
A: Linux threads each show up as a process under ps. The approximate
number of threads running is n+4, where n is the number of CPUs. Note
that the amount of memory used is not cumulative; if each process is
using 10M of memory, only a total of 10M is used.
Newer versions of Linux's ps command hide the individual threads and
require -L to display them.
Q: Why does BIND 9 log "permission denied" errors accessing its
configuration files or zones on my Linux system even though it is
running as root?
A: On Linux, BIND 9 drops most of its root privileges on startup. This
including the privilege to open files owned by other users. Therefore,
if the server is running as root, the configuration files and zone
files should also be owned by root.
Q: I get the error message "named: capset failed: Operation not permitted"
when starting named.
A: The capability module, part of "Linux Security Modules/LSM", has not
been loaded into the kernel. See insmod(8), modprobe(8).
The relevant modules can be loaded by running:
modprobe commoncap
modprobe capability
Q: I'm running BIND on Red Hat Enterprise Linux or Fedora Core -
Why can't named update slave zone database files?
Why can't named create DDNS journal files or update the master zones
from journals?
Why can't named create custom log files?
A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
Red Hat have adopted the National Security Agency's SELinux security
policy (see <http://www.nsa.gov/selinux>) and recommendations for BIND
security , which are more secure than running named in a chroot and
make use of the bind-chroot environment unnecessary .
By default, named is not allowed by the SELinux policy to write, create
or delete any files EXCEPT in these directories:
$ROOTDIR/var/named/slaves
$ROOTDIR/var/named/data
$ROOTDIR/var/tmp
where $ROOTDIR may be set in /etc/sysconfig/named if bind-chroot is
installed.
The SELinux policy particularly does NOT allow named to modify the
$ROOTDIR/var/named directory, the default location for master zone
database files.
SELinux policy overrules file access permissions - so even if all the
files under /var/named have ownership named:named and mode rw-rw-r--,
named will still not be able to write or create files except in the
directories above, with SELinux in Enforcing mode.
So, to allow named to update slave or DDNS zone files, it is best to
locate them in $ROOTDIR/var/named/slaves, with named.conf zone
statements such as:
zone "slave.zone." IN {
type slave;
file "slaves/slave.zone.db";
...
};
zone "ddns.zone." IN {
type master;
allow-updates {...};
file "slaves/ddns.zone.db";
};
To allow named to create its cache dump and statistics files, for
example, you could use named.conf options statements such as:
options {
...
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
...
};
You can also tell SELinux to allow named to update any zone database
files, by setting the SELinux tunable boolean parameter
'named_write_master_zones=1', using the system-config-securitylevel
GUI, using the 'setsebool' command, or in /etc/selinux/targeted/
booleans.
You can disable SELinux protection for named entirely by setting the
'named_disable_trans=1' SELinux tunable boolean parameter.
The SELinux named policy defines these SELinux contexts for named:
named_zone_t : for zone database files - $ROOTDIR/var/named/*
named_conf_t : for named configuration files - $ROOTDIR/etc/{named,rndc}.*
named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,data}}
If you want to retain use of the SELinux policy for named, and put
named files in different locations, you can do so by changing the
context of the custom file locations .
To create a custom configuration file location, e.g. '/root/
named.conf', to use with the 'named -c' option, do:
# chcon system_u:object_r:named_conf_t /root/named.conf
To create a custom modifiable named data location, e.g. '/var/log/
named' for a log file, do:
# chcon system_u:object_r:named_cache_t /var/log/named
To create a custom zone file location, e.g. /root/zones/, do:
# chcon system_u:object_r:named_zone_t /root/zones/{.,*}
See these man-pages for more information : selinux(8), named_selinux
(8), chcon(1), setsebool(8)
Q: I'm running BIND on Ubuntu -
Why can't named update slave zone database files?
Why can't named create DDNS journal files or update the master zones
from journals?
Why can't named create custom log files?
A: Ubuntu uses AppArmor <http://en.wikipedia.org/wiki/AppArmor> in
addition to normal file system permissions to protect the system.
Adjust the paths to use those specified in /etc/apparmor.d/
usr.sbin.named or adjust /etc/apparmor.d/usr.sbin.named to allow named
to write at the location specified in named.conf.
Q: Listening on individual IPv6 interfaces does not work.
A: This is usually due to "/proc/net/if_inet6" not being available in the
chroot file system. Mount another instance of "proc" in the chroot file
system.
This can be be made permanent by adding a second instance to /etc/
fstab.
proc /proc proc defaults 0 0
proc /var/named/proc proc defaults 0 0
5.3. Windows
Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail.
Why?
A: This may be caused by a bug in the Windows 2000 DNS server where DNS
messages larger than 16K are not handled properly. This can be worked
around by setting the option "transfer-format one-answer;". Also check
whether your zone contains domain names with embedded spaces or other
special characters, like "John\032Doe\213s\032Computer", since such
names have been known to cause Windows 2000 slaves to incorrectly
reject the zone.
Q: I get "Error 1067" when starting named under Windows.
A: This is the service manager saying that named exited. You need to
examine the Application log in the EventViewer to find out why.
Common causes are that you failed to create "named.conf" (usually "C:\
windows\dns\etc\named.conf") or failed to specify the directory in
named.conf.
options {
Directory "C:\windows\dns\etc";
};
5.4. FreeBSD
Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
use certain interrupts as a source of random events. You can make this
permanent by setting rand_irqs in /etc/rc.conf.
rand_irqs="3 14 15"
See also <http://people.freebsd.org/~dougb/randomness.html>.
5.5. Solaris
Q: How do I integrate BIND 9 and Solaris SMF
A: Sun has a blog entry describing how to do this.
<http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris>
5.6. Apple Mac OS X
Q: How do I run BIND 9 on Apple Mac OS X?
A: If you run Tiger(Mac OS 10.4) or later then this is all you need to do:
% sudo rndc-confgen > /etc/rndc.conf
Copy the key statement from /etc/rndc.conf into /etc/rndc.key, e.g.:
key "rndc-key" {
algorithm hmac-sha256;
secret "uvceheVuqf17ZwIcTydddw==";
};
Then start the relevant service:
% sudo service org.isc.named start
This is persistent upon a reboot, so you will have to do it only once.
A: Alternatively you can just generate /etc/rndc.key by running:
% sudo rndc-confgen -a
Then start the relevant service:
% sudo service org.isc.named start
Named will look for /etc/rndc.key when it starts if it doesn't have a
controls section or the existing controls are missing keys sub-clauses.
This is persistent upon a reboot, so you will have to do it only once.

1613
contrib/bind9/FAQ.xml
View file

File diff suppressed because it is too large Load diff

365
contrib/bind9/HISTORY
View file

@ -1,365 +0,0 @@
Summary of functional enhancements from prior major releases of BIND 9:
BIND 9.8.0
BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
releases. New features include:
- Built-in trust anchor for the root zone, which can be
switched on via "dnssec-validation auto;"
- Support for DNS64.
- Support for response policy zones (RPZ).
- Support for writable DLZ zones.
- Improved ease of configuration of GSS/TSIG for
interoperability with Active Directory
- Support for GOST signing algorithm for DNSSEC.
- Removed RTT Banding from server selection algorithm.
- New "static-stub" zone type.
- Allow configuration of resolver timeouts via
"resolver-query-timeout" option.
- The DLZ "dlopen" driver is now built by default.
- Added a new include file with function typedefs
for the DLZ "dlopen" driver.
- Made "--with-gssapi" default.
- More verbose error reporting from DLZ LDAP.
BIND 9.7.0
BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
releases. Most are intended to simplify DNSSEC configuration.
New features include:
- Fully automatic signing of zones by "named".
- Simplified configuration of DNSSEC Lookaside Validation (DLV).
- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
command line tool or the "local" update-policy option. (As a side
effect, this also makes it easier to configure automatic zone
re-signing.)
- New named option "attach-cache" that allows multiple views to
share a single cache.
- DNS rebinding attack prevention.
- New default values for dnssec-keygen parameters.
- Support for RFC 5011 automated trust anchor maintenance
- Smart signing: simplified tools for zone signing and key
maintenance.
- The "statistics-channels" option is now available on Windows.
- A new DNSSEC-aware libdns API for use by non-BIND9 applications
- On some platforms, named and other binaries can now print out
a stack backtrace on assertion failure, to aid in debugging.
- A "tools only" installation mode on Windows, which only installs
dig, host, nslookup and nsupdate.
- Improved PKCS#11 support, including Keyper support and explicit
OpenSSL engine selection.
BIND 9.6.0
Full NSEC3 support
Automatic zone re-signing
New update-policy methods tcp-self and 6to4-self
The BIND 8 resolver library, libbind, has been removed from the
BIND 9 distribution and is now available as a separate download.
Change the default pid file location from /var/run to
/var/run/{named,lwresd} for improved chroot/setuid support.
BIND 9.5.0
GSS-TSIG support (RFC 3645).
DHCID support.
Experimental http server and statistics support for named via xml.
More detailed statistics counters including those supported in BIND 8.
Faster ACL processing.
Use Doxygen to generate internal documentation.
Efficient LRU cache-cleaning mechanism.
NSID support.
BIND 9.4.0
Implemented "additional section caching (or acache)", an
internal cache framework for additional section content to
improve response performance. Several configuration options
were provided to control the behavior.
New notify type 'master-only'. Enable notify for master
zones only.
Accept 'notify-source' style syntax for query-source.
rndc now allows addresses to be set in the server clauses.
New option "allow-query-cache". This lets "allow-query"
be used to specify the default zone access level rather
than having to have every zone override the global value.
"allow-query-cache" can be set at both the options and view
levels. If "allow-query-cache" is not set then "allow-recursion"
is used if set, otherwise "allow-query" is used if set
unless "recursion no;" is set in which case "none;" is used,
otherwise the default (localhost; localnets;) is used.
rndc: the source address can now be specified.
ixfr-from-differences now takes master and slave in addition
to yes and no at the options and view levels.
Allow the journal's name to be changed via named.conf.
'rndc notify zone [class [view]]' resend the NOTIFY messages
for the specified zone.
'dig +trace' now randomly selects the next servers to try.
Report if there is a bad delegation.
Improve check-names error messages.
Make public the function to read a key file, dst_key_read_public().
dig now returns the byte count for axfr/ixfr.
allow-update is now settable at the options / view level.
named-checkconf now checks the logging configuration.
host now can turn on memory debugging flags with '-m'.
Don't send notify messages to self.
Perform sanity checks on NS records which refer to 'in zone' names.
New zone option "notify-delay". Specify a minimum delay
between sets of NOTIFY messages.
Extend adjusting TTL warning messages.
Named and named-checkzone can now both check for non-terminal
wildcard records.
"rndc freeze/thaw" now freezes/thaws all zones.
named-checkconf now check acls to verify that they only
refer to existing acls.
The server syntax has been extended to support a range of
servers.
Report differences between hints and real NS rrset and
associated address records.
Preserve the case of domain names in rdata during zone
transfers.
Restructured the data locking framework using architecture
dependent atomic operations (when available), improving
response performance on multi-processor machines significantly.
x86, x86_64, alpha, powerpc, and mips are currently supported.
UNIX domain controls are now supported.
Add support for additional zone file formats for improving
loading performance. The masterfile-format option in
named.conf can be used to specify a non-default format. A
separate command named-compilezone was provided to generate
zone files in the new format. Additionally, the -I and -O
options for dnssec-signzone specify the input and output
formats.
dnssec-signzone can now randomize signature end times
(dnssec-signzone -j jitter).
Add support for CH A record.
Add additional zone data constancy checks. named-checkzone
has extended checking of NS, MX and SRV record and the hosts
they reference. named has extended post zone load checks.
New zone options: check-mx and integrity-check.
edns-udp-size can now be overridden on a per server basis.
dig can now specify the EDNS version when making a query.
Added framework for handling multiple EDNS versions.
Additional memory debugging support to track size and mctx
arguments.
Detect duplicates of UDP queries we are recursing on and
drop them. New stats category "duplicates".
"USE INTERNAL MALLOC" is now runtime selectable.
The lame cache is now done on a <qname,qclass,qtype> basis
as some servers only appear to be lame for certain query
types.
Limit the number of recursive clients that can be waiting
for a single query (<qname,qtype,qclass>) to resolve. New
options clients-per-query and max-clients-per-query.
dig: report the number of extra bytes still left in the
packet after processing all the records.
Support for IPSECKEY rdata type.
Raise the UDP recieve buffer size to 32k if it is less than 32k.
x86 and x86_64 now have seperate atomic locking implementations.
named-checkconf now validates update-policy entries.
Attempt to make the amount of work performed in a iteration
self tuning. The covers nodes clean from the cache per
iteration, nodes written to disk when rewriting a master
file and nodes destroyed per iteration when destroying a
zone or a cache.
ISC string copy API.
Automatic empty zone creation for D.F.IP6.ARPA and friends.
Note: RFC 1918 zones are not yet covered by this but are
likely to be in a future release.
New options: empty-server, empty-contact, empty-zones-enable
and disable-empty-zone.
dig now has a '-q queryname' and '+showsearch' options.
host/nslookup now continue (default)/fail on SERVFAIL.
dig now warns if 'RA' is not set in the answer when 'RD'
was set in the query. host/nslookup skip servers that fail
to set 'RA' when 'RD' is set unless a server is explicitly
set.
Integrate contibuted DLZ code into named.
Integrate contibuted IDN code from JPNIC.
libbind: corresponds to that from BIND 8.4.7.
BIND 9.3.0
DNSSEC is now DS based (RFC 3658).
See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
DNSSEC lookaside validation.
check-names is now implemented.
rrset-order in more complete.
IPv4/IPv6 transition support, dual-stack-servers.
IXFR deltas can now be generated when loading master files,
ixfr-from-differences.
It is now possible to specify the size of a journal, max-journal-size.
It is now possible to define a named set of master servers to be
used in masters clause, masters.
The advertised EDNS UDP size can now be set, edns-udp-size.
allow-v6-synthesis has been obsoleted.
NOTE:
* Zones containing MD and MF will now be rejected.
* dig, nslookup name. now report "Not Implemented" as
NOTIMP rather than NOTIMPL. This will have impact on scripts
that are looking for NOTIMPL.
libbind: corresponds to that from BIND 8.4.5.
BIND 9.2.0
The size of the cache can now be limited using the
"max-cache-size" option.
The server can now automatically convert RFC1886-style recursive
lookup requests into RFC2874-style lookups, when enabled using the
new option "allow-v6-synthesis". This allows stub resolvers that
support AAAA records but not A6 record chains or binary labels to
perform lookups in domains that make use of these IPv6 DNS
features.
Performance has been improved.
The man pages now use the more portable "man" macros rather than
the "mandoc" macros, and are installed by "make install".
The named.conf parser has been completely rewritten. It now
supports "include" directives in more places such as inside "view"
statements, and it no longer has any reserved words.
The "rndc status" command is now implemented.
rndc can now be configured automatically.
A BIND 8 compatible stub resolver library is now included in
lib/bind.
OpenSSL has been removed from the distribution. This means that to
use DNSSEC, OpenSSL must be installed and the --with-openssl option
must be supplied to configure. This does not apply to the use of
TSIG, which does not require OpenSSL.
The source distribution now builds on Windows. See
win32utils/readme1.txt and win32utils/win32-build.txt for details.
This distribution also includes a new lightweight stub
resolver library and associated resolver daemon that fully
support forward and reverse lookups of both IPv4 and IPv6
addresses. This library is considered experimental and
is not a complete replacement for the BIND 8 resolver library.
Applications that use the BIND 8 res_* functions to perform
DNS lookups or dynamic updates still need to be linked against
the BIND 8 libraries. For DNS lookups, they can also use the
new "getrrsetbyname()" API.
BIND 9.2 is capable of acting as an authoritative server
for DNSSEC secured zones. This functionality is believed to
be stable and complete except for lacking support for
verifications involving wildcard records in secure zones.
When acting as a caching server, BIND 9.2 can be configured
to perform DNSSEC secure resolution on behalf of its clients.
This part of the DNSSEC implementation is still considered
experimental. For detailed information about the state of the
DNSSEC implementation, see the file doc/misc/dnssec.
There are a few known bugs:
On some systems, IPv6 and IPv4 sockets interact in
unexpected ways. For details, see doc/misc/ipv6.
To reduce the impact of these problems, the server
no longer listens for requests on IPv6 addresses
by default. If you need to accept DNS queries over
IPv6, you must specify "listen-on-v6 { any; };"
in the named.conf options statement.
FreeBSD prior to 4.2 (and 4.2 if running as non-root)
and OpenBSD prior to 2.8 log messages like
"fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.
OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
OS X 10.2 (Darwin 6.0) reports errors like
"fcntl(3, F_SETFL, 4): Operation not supported by device".
This is due to a bug in "/dev/random" and impacts the
server's DNSSEC support.
--with-libtool does not work on AIX.
A bug in some versions of the Microsoft DNS server can cause zone
transfers from a BIND 9 server to a W2K server to fail. For details,
see the "Zone Transfers" section in doc/misc/migration.

90
contrib/bind9/Makefile.in
View file

@ -1,90 +0,0 @@
# Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.62 2011/09/06 04:06:37 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
SUBDIRS = make unit lib bin doc @LIBEXPORT@
TARGETS =
MANPAGES = isc-config.sh.1
HTMLPAGES = isc-config.sh.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
distclean::
rm -f config.cache config.h config.log config.status TAGS
rm -f libtool isc-config.sh configure.lineno
rm -f util/conf.sh docutil/docbook2man-wrapper.sh
# XXX we should clean libtool stuff too. Only do this after we add rules
# to make it.
maintainer-clean::
rm -f configure
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
doc man:: ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} \
${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: isc-config.sh installdirs
${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
${INSTALL_DATA} ${top_srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
${INSTALL_DATA} ${top_srcdir}/bind.keys ${DESTDIR}${sysconfdir}
tags:
rm -f TAGS
find lib bin -name "*.[ch]" -print | @ETAGS@ -
test check:
@if test -n "`${PERL} ${top_srcdir}/bin/tests/system/testsock.pl 2>&- || echo fail`"; then \
echo I: NOTE: The tests were not run because they require that; \
echo I: the IP addresses 10.53.0.1 through 10.53.0.8 are configured; \
echo I: as alias addresses on the loopback interface. Please run; \
echo I: \'bin/tests/system/ifconfig.sh up\' as root to configure; \
echo I: them, then rerun the tests. Run make force-test to run the; \
echo I: tests anyway.; \
exit 1; \
fi
${MAKE} test-force
force-test: test-force
test-force:
status=0; \
(cd bin/tests && ${MAKE} ${MAKEDEFS} test) || status=1; \
(test -f unit/unittest.sh && $(SHELL) unit/unittest.sh) || status=1; \
exit $$status
FAQ: FAQ.xml
${XSLTPROC} doc/xsl/isc-docbook-text.xsl FAQ.xml | \
LC_ALL=C ${W3M} -T text/html -dump -cols 72 >$@.tmp
mv $@.tmp $@
clean::
rm -f FAQ.tmp

374
contrib/bind9/README
View file

@ -1,374 +0,0 @@
BIND 9
BIND version 9 is a major rewrite of nearly all aspects of the
underlying BIND architecture. Some of the important features of
BIND 9 are:
- DNS Security
DNSSEC (signed zones)
TSIG (signed DNS requests)
- IP version 6
Answers DNS queries on IPv6 sockets
IPv6 resource records (AAAA)
Experimental IPv6 Resolver Library
- DNS Protocol Enhancements
IXFR, DDNS, Notify, EDNS0
Improved standards conformance
- Views
One server process can provide multiple "views" of
the DNS namespace, e.g. an "inside" view to certain
clients, and an "outside" view to others.
- Multiprocessor Support
- Improved Portability Architecture
BIND version 9 development has been underwritten by the following
organizations:
Sun Microsystems, Inc.
Hewlett Packard
Compaq Computer Corporation
IBM
Process Software Corporation
Silicon Graphics, Inc.
Network Associates, Inc.
U.S. Defense Information Systems Agency
USENIX Association
Stichting NLnet - NLnet Foundation
Nominum, Inc.
For a summary of functional enhancements in previous
releases, see the HISTORY file.
For a detailed list of user-visible changes from
previous releases, see the CHANGES file.
For up-to-date release notes and errata, see
http://www.isc.org/software/bind9/releasenotes
BIND 9.9.3
BIND 9.9.3 is a maintenance release and patches the security
flaws described in CVE-2012-5688, CVE-2012-5689 and CVE-2013-2266.
BIND 9.9.2
BIND 9.9.2 is a maintenance release and patches the security
flaw described in CVE-2012-4244.
BIND 9.9.1
BIND 9.9.1 is a maintenance release.
BIND 9.9.0
BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
releases. New features include:
- Inline signing, allowing automatic DNSSEC signing of
master zones without modification of the zonefile, or
"bump in the wire" signing in slaves.
- NXDOMAIN redirection.
- New 'rndc flushtree' command clears all data under a given
name from the DNS cache.
- New 'rndc sync' command dumps pending changes in a dynamic
zone to disk without a freeze/thaw cycle.
- New 'rndc signing' command displays or clears signing status
records in 'auto-dnssec' zones.
- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
to signing, eliminating the need to initially sign with NSEC.
- Startup time improvements on large authoritative servers.
- Slave zones are now saved in raw format by default.
- Several improvements to response policy zones (RPZ).
- Improved hardware scalability by using multiple threads
to listen for queries and using finer-grained client locking
- The 'also-notify' option now takes the same syntax as
'masters', so it can used named masterlists and TSIG keys.
- 'dnssec-signzone -D' writes an output file containing only DNSSEC
data, which can be included by the primary zone file.
- 'dnssec-signzone -R' forces removal of signatures that are
not expired but were created by a key which no longer exists.
- 'dnssec-signzone -X' allows a separate expiration date to
be specified for DNSKEY signatures from other signatures.
- New '-L' option to dnssec-keygen, dnssec-settime, and
dnssec-keyfromlabel sets the default TTL for the key.
- dnssec-dsfromkey now supports reading from standard input,
to make it easier to convert DNSKEY to DS.
- RFC 1918 reverse zones have been added to the empty-zones
table per RFC 6303.
- Dynamic updates can now optionally set the zone's SOA serial
number to the current UNIX time.
- DLZ modules can now retrieve the source IP address of
the querying client.
- 'request-ixfr' option can now be set at the per-zone level.
- 'dig +rrcomments' turns on comments about DNSKEY records,
indicating their key ID, algorithm and function
- Simplified nsupdate syntax and added readline support
Building
BIND 9 currently requires a UNIX system with an ANSI C compiler,
basic POSIX support, and a 64 bit integer type.
We've had successful builds and tests on the following systems:
COMPAQ Tru64 UNIX 5.1B
Fedora Core 6
FreeBSD 4.10, 5.2.1, 6.2
HP-UX 11.11
Mac OS X 10.5
NetBSD 3.x, 4.0-beta, 5.0-beta
OpenBSD 3.3 and up
Solaris 8, 9, 9 (x86), 10
Ubuntu 7.04, 7.10
Windows XP/2003/2008
NOTE: As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
Windows, including Windows NT and Windows 2000, are no longer
supported.
We have recent reports from the user community that a supported
version of BIND will build and run on the following systems:
AIX 4.3, 5L
CentOS 4, 4.5, 5
Darwin 9.0.0d1/ARM
Debian 4, 5, 6
Fedora Core 5, 7, 8
FreeBSD 6, 7, 8
HP-UX 11.23 PA
MacOS X 10.5, 10.6, 10.7
Red Hat Enterprise Linux 4, 5, 6
SCO OpenServer 5.0.6
Slackware 9, 10
SuSE 9, 10
To build, just
./configure
make
Do not use a parallel "make".
Several environment variables that can be set before running
configure will affect compilation:
CC
The C compiler to use. configure tries to figure
out the right one for supported systems.
CFLAGS
C compiler flags. Defaults to include -g and/or -O2
as supported by the compiler. Please include '-g'
if you need to set CFLAGS.
STD_CINCLUDES
System header file directories. Can be used to specify
where add-on thread or IPv6 support is, for example.
Defaults to empty string.
STD_CDEFINES
Any additional preprocessor symbols you want defined.
Defaults to empty string.
Possible settings:
Change the default syslog facility of named/lwresd.
-DISC_FACILITY=LOG_LOCAL0
Enable DNSSEC signature chasing support in dig.
-DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
-DDIG_SIGCHASE_BU=1)
Disable dropping queries from particular well known ports.
-DNS_CLIENT_DROPPORT=0
Sibling glue checking in named-checkzone is enabled by default.
To disable the default check set. -DCHECK_SIBLING=0
named-checkzone checks out-of-zone addresses by default.
To disable this default set. -DCHECK_LOCAL=0
To create the default pid files in ${localstatedir}/run rather
than ${localstatedir}/run/{named,lwresd}/ set.
-DNS_RUN_PID_DIR=0
Enable workaround for Solaris kernel bug about /dev/poll
-DISC_SOCKET_USE_POLLWATCH=1
The watch timeout is also configurable, e.g.,
-DISC_SOCKET_POLLWATCH_TIMEOUT=20
LDFLAGS
Linker flags. Defaults to empty string.
The following need to be set when cross compiling.
BUILD_CC
The native C compiler.
BUILD_CFLAGS (optional)
BUILD_CPPFLAGS (optional)
Possible Settings:
-DNEED_OPTARG=1 (optarg is not declared in <unistd.h>)
BUILD_LDFLAGS (optional)
BUILD_LIBS (optional)
To build shared libraries, specify "--with-libtool" on the
configure command line.
For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
look for it using "--with-openssl=/prefix".
On some platforms it is necessary to explictly request large
file support to handle files bigger than 2GB. This can be
done by "--enable-largefile" on the configure command line.
On some platforms, BIND 9 can be built with multithreading
support, allowing it to take advantage of multiple CPUs.
You can specify whether to build a multithreaded BIND 9
by specifying "--enable-threads" or "--disable-threads"
on the configure command line. The default is operating
system dependent.
Support for the "fixed" rrset-order option can be enabled
or disabled by specifying "--enable-fixed-rrset" or
"--disable-fixed-rrset" on the configure command line.
The default is "disabled", to reduce memory footprint.
If your operating system has integrated support for IPv6, it
will be used automatically. If you have installed KAME IPv6
separately, use "--with-kame[=PATH]" to specify its location.
"make install" will install "named" and the various BIND 9 libraries.
By default, installation is into /usr/local, but this can be changed
with the "--prefix" option when running "configure".
You may specify the option "--sysconfdir" to set the directory
where configuration files like "named.conf" go by default,
and "--localstatedir" to set the default parent directory
of "run/named.pid". For backwards compatibility with BIND 8,
--sysconfdir defaults to "/etc" and --localstatedir defaults to
"/var" if no --prefix option is given. If there is a --prefix
option, sysconfdir defaults to "$prefix/etc" and localstatedir
defaults to "$prefix/var".
To see additional configure options, run "configure --help".
Note that the help message does not reflect the BIND 8
compatibility defaults for sysconfdir and localstatedir.
If you're planning on making changes to the BIND 9 source, you
should also "make depend". If you're using Emacs, you might find
"make tags" helpful.
If you need to re-run configure please run "make distclean" first.
This will ensure that all the option changes take.
Building with gcc is not supported, unless gcc is the vendor's usual
compiler (e.g. the various BSD systems, Linux).
Known compiler issues:
* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
* gcc-3.3.5 powerpc generates incorrect code at -02.
* Irix, MipsPRO 7.4.1m is known to cause problems.
A limited test suite can be run with "make test". Many of
the tests require you to configure a set of virtual IP addresses
on your system, and some require Perl; see bin/tests/system/README
for details.
SunOS 4 requires "printf" to be installed to make the shared
libraries. sh-utils-1.16 provides a "printf" which compiles
on SunOS 4.
Known limitations
Linux requires kernel build 2.6.39 or later to get the
performance benefits from using multiple sockets.
Documentation
The BIND 9 Administrator Reference Manual is included with the
source distribution in DocBook XML and HTML format, in the
doc/arm directory.
Some of the programs in the BIND 9 distribution have man pages
in their directories. In particular, the command line
options of "named" are documented in /bin/named/named.8.
There is now also a set of man pages for the lwres library.
If you are upgrading from BIND 8, please read the migration
notes in doc/misc/migration. If you are upgrading from
BIND 4, read doc/misc/migration-4to9.
Frequently asked questions and their answers can be found in
FAQ.
Additional information on various subjects can be found
in the other README files.
Change Log
A detailed list of all changes to BIND 9 is included in the
file CHANGES, with the most recent changes listed first.
Change notes include tags indicating the category of the
change that was made; these categories are:
[func] New feature
[bug] General bug fix
[security] Fix for a significant security flaw
[experimental] Used for new features when the syntax
or other aspects of the design are still
in flux and may change
[port] Portability enhancement
[maint] Updates to built-in data such as root
server addresses and keys
[tuning] Changes to built-in configuration defaults
and constants to improve performanceo
[protocol] Updates to the DNS protocol such as new
RR types
[test] Changes to the automatic tests, not
affecting server functionality
[cleanup] Minor corrections and refactoring
[doc] Documentation
In general, [func] and [experimental] tags will only appear
in new-feature releases (i.e., those with version numbers
ending in zero). Some new functionality may be backported to
older releases on a case-by-case basis. All other change
types may be applied to all currently-supported releases.
Bug Reports and Mailing Lists
Bugs reports should be sent to
bind9-bugs@isc.org
To join the BIND Users mailing list, send mail to
bind-users-request@isc.org
archives of which can be found via
http://www.isc.org/ops/lists/
If you're planning on making changes to the BIND 9 source
code, you might want to join the BIND Workers mailing list.
Send mail to
bind-workers-request@isc.org

148
contrib/bind9/acconfig.h
View file

@ -1,148 +0,0 @@
/*
* Copyright (C) 2004, 2005, 2007, 2008, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: acconfig.h,v 1.53 2008/12/01 23:47:44 tbox Exp $ */
/*! \file */
/***
*** This file is not to be included by any public header files, because
*** it does not get installed.
***/
@TOP@
/** define on DEC OSF to enable 4.4BSD style sa_len support */
#undef _SOCKADDR_LEN
/** define if your system needs pthread_init() before using pthreads */
#undef NEED_PTHREAD_INIT
/** define if your system has sigwait() */
#undef HAVE_SIGWAIT
/** define if sigwait() is the UnixWare flavor */
#undef HAVE_UNIXWARE_SIGWAIT
/** define on Solaris to get sigwait() to work using pthreads semantics */
#undef _POSIX_PTHREAD_SEMANTICS
/** define if LinuxThreads is in use */
#undef HAVE_LINUXTHREADS
/** define if sysconf() is available */
#undef HAVE_SYSCONF
/** define if sysctlbyname() is available */
#undef HAVE_SYSCTLBYNAME
/** define if catgets() is available */
#undef HAVE_CATGETS
/** define if getifaddrs() exists */
#undef HAVE_GETIFADDRS
/** define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
#undef HAVE_IFLIST_SYSCTL
/** define if tzset() is available */
#undef HAVE_TZSET
/** define if struct addrinfo exists */
#undef HAVE_ADDRINFO
/** define if getaddrinfo() exists */
#undef HAVE_GETADDRINFO
/** define if gai_strerror() exists */
#undef HAVE_GAISTRERROR
/** define if arc4random() exists */
#undef HAVE_ARC4RANDOM
/**
* define if pthread_setconcurrency() should be called to tell the
* OS how many threads we might want to run.
*/
#undef CALL_PTHREAD_SETCONCURRENCY
/** define if IPv6 is not disabled */
#undef WANT_IPV6
/** define if flockfile() is available */
#undef HAVE_FLOCKFILE
/** define if getc_unlocked() is available */
#undef HAVE_GETCUNLOCKED
/** Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
#undef SHUTUP_SPUTAUX
#ifdef SHUTUP_SPUTAUX
struct __sFILE;
extern __inline int __sputaux(int _c, struct __sFILE *_p);
#endif
/** Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
#undef SHUTUP_SIGWAIT
#ifdef SHUTUP_SIGWAIT
int sigwait(const unsigned int *set, int *sig);
#endif
/** Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
#undef SHUTUP_STDARG_CAST
#if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__)
#include <stdarg.h> /** Grr. Must be included *every time*. */
/**
* The silly continuation line is to keep configure from
* commenting out the #undef.
*/
#undef \
va_start
#define va_start(ap, last) \
do { \
union { const void *konst; long *var; } _u; \
_u.konst = &(last); \
ap = (va_list)(_u.var + __va_words(__typeof(last))); \
} while (0)
#endif /** SHUTUP_STDARG_CAST && __GNUC__ */
/** define if the system has a random number generating device */
#undef PATH_RANDOMDEV
/** define if pthread_attr_getstacksize() is available */
#undef HAVE_PTHREAD_ATTR_GETSTACKSIZE
/** define if pthread_attr_setstacksize() is available */
#undef HAVE_PTHREAD_ATTR_SETSTACKSIZE
/** define if you have strerror in the C library. */
#undef HAVE_STRERROR
/** Define if you are running under Compaq TruCluster. */
#undef HAVE_TRUCLUSTER
/* Define if OpenSSL includes DSA support */
#undef HAVE_OPENSSL_DSA
/* Define if OpenSSL includes ECDSA support */
#undef HAVE_OPENSSL_ECDSA
/* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T
/* Define if threads need PTHREAD_SCOPE_SYSTEM */
#undef NEED_PTHREAD_SCOPE_SYSTEM

5
contrib/bind9/aclocal.m4 vendored
View file

@ -1,5 +0,0 @@
sinclude(libtool.m4/libtool.m4)dnl
sinclude(libtool.m4/ltoptions.m4)dnl
sinclude(libtool.m4/ltsugar.m4)dnl
sinclude(libtool.m4/ltversion.m4)dnl
sinclude(libtool.m4/lt~obsolete.m4)dnl

26
contrib/bind9/bin/Makefile.in
View file

@ -1,26 +0,0 @@
# Copyright (C) 2004, 2007, 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2001 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.29 2009/10/05 12:07:08 fdupont Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
SUBDIRS = named rndc dig dnssec tools tests nsupdate \
check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
TARGETS =
@BIND9_MAKE_RULES@

100
contrib/bind9/bin/check/Makefile.in
View file

@ -1,100 +0,0 @@
# Copyright (C) 2004-2007, 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2003 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.36 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
${ISC_INCLUDES}
CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
LIBS = ${ISCLIBS} @LIBS@
NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
SUBDIRS =
# Alphabetically
TARGETS = named-checkconf@EXEEXT@ named-checkzone@EXEEXT@
# Alphabetically
SRCS = named-checkconf.c named-checkzone.c check-tool.c
MANPAGES = named-checkconf.8 named-checkzone.8
HTMLPAGES = named-checkconf.html named-checkzone.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
named-checkconf.@O@: named-checkconf.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-c ${srcdir}/named-checkconf.c
named-checkzone.@O@: named-checkzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-c ${srcdir}/named-checkzone.c
named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \
${FINALBUILDCMD}
named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
export LIBS0="${ISCCFGLIBS} ${DNSLIBS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f named-compilezone@EXEEXT@; ${LINK_PROGRAM} named-checkzone@EXEEXT@ named-compilezone@EXEEXT@)
for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
(cd ${DESTDIR}${mandir}/man8; rm -f named-compilezone.8; ${LINK_PROGRAM} named-checkzone.8 named-compilezone.8)
clean distclean::
rm -f ${TARGETS} r1.htm

697
contrib/bind9/bin/check/check-tool.c
View file

@ -1,697 +0,0 @@
/*
* Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check-tool.c,v 1.44 2011/12/22 07:32:39 each Exp $ */
/*! \file */
#include <config.h>
#include <stdio.h>
#ifdef _WIN32
#include <Winsock2.h>
#endif
#include "check-tool.h"
#include <isc/buffer.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/netdb.h>
#include <isc/net.h>
#include <isc/region.h>
#include <isc/stdio.h>
#include <isc/string.h>
#include <isc/symtab.h>
#include <isc/types.h>
#include <isc/util.h>
#include <dns/fixedname.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/types.h>
#include <dns/zone.h>
#include <isccfg/log.h>
#ifndef CHECK_SIBLING
#define CHECK_SIBLING 1
#endif
#ifndef CHECK_LOCAL
#define CHECK_LOCAL 1
#endif
#ifdef HAVE_ADDRINFO
#ifdef HAVE_GETADDRINFO
#ifdef HAVE_GAISTRERROR
#define USE_GETADDRINFO
#endif
#endif
#endif
#define CHECK(r) \
do { \
result = (r); \
if (result != ISC_R_SUCCESS) \
goto cleanup; \
} while (0)
#define ERR_IS_CNAME 1
#define ERR_NO_ADDRESSES 2
#define ERR_LOOKUP_FAILURE 3
#define ERR_EXTRA_A 4
#define ERR_EXTRA_AAAA 5
#define ERR_MISSING_GLUE 5
#define ERR_IS_MXCNAME 6
#define ERR_IS_SRVCNAME 7
static const char *dbtype[] = { "rbt" };
int debug = 0;
isc_boolean_t nomerge = ISC_TRUE;
#if CHECK_LOCAL
isc_boolean_t docheckmx = ISC_TRUE;
isc_boolean_t dochecksrv = ISC_TRUE;
isc_boolean_t docheckns = ISC_TRUE;
#else
isc_boolean_t docheckmx = ISC_FALSE;
isc_boolean_t dochecksrv = ISC_FALSE;
isc_boolean_t docheckns = ISC_FALSE;
#endif
unsigned int zone_options = DNS_ZONEOPT_CHECKNS |
DNS_ZONEOPT_CHECKMX |
DNS_ZONEOPT_MANYERRORS |
DNS_ZONEOPT_CHECKNAMES |
DNS_ZONEOPT_CHECKINTEGRITY |
#if CHECK_SIBLING
DNS_ZONEOPT_CHECKSIBLING |
#endif
DNS_ZONEOPT_CHECKWILDCARD |
DNS_ZONEOPT_WARNMXCNAME |
DNS_ZONEOPT_WARNSRVCNAME;
/*
* This needs to match the list in bin/named/log.c.
*/
static isc_logcategory_t categories[] = {
{ "", 0 },
{ "client", 0 },
{ "network", 0 },
{ "update", 0 },
{ "queries", 0 },
{ "unmatched", 0 },
{ "update-security", 0 },
{ "query-errors", 0 },
{ NULL, 0 }
};
static isc_symtab_t *symtab = NULL;
static isc_mem_t *sym_mctx;
static void
freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
UNUSED(type);
UNUSED(value);
isc_mem_free(userarg, key);
}
static void
add(char *key, int value) {
isc_result_t result;
isc_symvalue_t symvalue;
if (sym_mctx == NULL) {
result = isc_mem_create(0, 0, &sym_mctx);
if (result != ISC_R_SUCCESS)
return;
}
if (symtab == NULL) {
result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx,
ISC_FALSE, &symtab);
if (result != ISC_R_SUCCESS)
return;
}
key = isc_mem_strdup(sym_mctx, key);
if (key == NULL)
return;
symvalue.as_pointer = NULL;
result = isc_symtab_define(symtab, key, value, symvalue,
isc_symexists_reject);
if (result != ISC_R_SUCCESS)
isc_mem_free(sym_mctx, key);
}
static isc_boolean_t
logged(char *key, int value) {
isc_result_t result;
if (symtab == NULL)
return (ISC_FALSE);
result = isc_symtab_lookup(symtab, key, value, NULL);
if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
return (ISC_FALSE);
}
static isc_boolean_t
checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
dns_rdataset_t *a, dns_rdataset_t *aaaa)
{
#ifdef USE_GETADDRINFO
dns_rdataset_t *rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
struct addrinfo hints, *ai, *cur;
char namebuf[DNS_NAME_FORMATSIZE + 1];
char ownerbuf[DNS_NAME_FORMATSIZE];
char addrbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:123.123.123.123")];
isc_boolean_t answer = ISC_TRUE;
isc_boolean_t match;
const char *type;
void *ptr = NULL;
int result;
REQUIRE(a == NULL || !dns_rdataset_isassociated(a) ||
a->type == dns_rdatatype_a);
REQUIRE(aaaa == NULL || !dns_rdataset_isassociated(aaaa) ||
aaaa->type == dns_rdatatype_aaaa);
if (a == NULL || aaaa == NULL)
return (answer);
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_CANONNAME;
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
/*
* Turn off search.
*/
if (dns_name_countlabels(name) > 1U)
strcat(namebuf, ".");
dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
result = getaddrinfo(namebuf, NULL, &hints, &ai);
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
switch (result) {
case 0:
/*
* Work around broken getaddrinfo() implementations that
* fail to set ai_canonname on first entry.
*/
cur = ai;
while (cur != NULL && cur->ai_canonname == NULL &&
cur->ai_next != NULL)
cur = cur->ai_next;
if (cur != NULL && cur->ai_canonname != NULL &&
strcasecmp(cur->ai_canonname, namebuf) != 0 &&
!logged(namebuf, ERR_IS_CNAME)) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/NS '%s' (out of zone) "
"is a CNAME '%s' (illegal)",
ownerbuf, namebuf,
cur->ai_canonname);
/* XXX950 make fatal for 9.5.0 */
/* answer = ISC_FALSE; */
add(namebuf, ERR_IS_CNAME);
}
break;
case EAI_NONAME:
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif
if (!logged(namebuf, ERR_NO_ADDRESSES)) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/NS '%s' (out of zone) "
"has no addresses records (A or AAAA)",
ownerbuf, namebuf);
add(namebuf, ERR_NO_ADDRESSES);
}
/* XXX950 make fatal for 9.5.0 */
return (ISC_TRUE);
default:
if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
dns_zone_log(zone, ISC_LOG_WARNING,
"getaddrinfo(%s) failed: %s",
namebuf, gai_strerror(result));
add(namebuf, ERR_LOOKUP_FAILURE);
}
return (ISC_TRUE);
}
/*
* Check that all glue records really exist.
*/
if (!dns_rdataset_isassociated(a))
goto checkaaaa;
result = dns_rdataset_first(a);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(a, &rdata);
match = ISC_FALSE;
for (cur = ai; cur != NULL; cur = cur->ai_next) {
if (cur->ai_family != AF_INET)
continue;
ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
if (memcmp(ptr, rdata.data, rdata.length) == 0) {
match = ISC_TRUE;
break;
}
}
if (!match && !logged(namebuf, ERR_EXTRA_A)) {
dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
"extra GLUE A record (%s)",
ownerbuf, namebuf,
inet_ntop(AF_INET, rdata.data,
addrbuf, sizeof(addrbuf)));
add(namebuf, ERR_EXTRA_A);
/* XXX950 make fatal for 9.5.0 */
/* answer = ISC_FALSE; */
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(a);
}
checkaaaa:
if (!dns_rdataset_isassociated(aaaa))
goto checkmissing;
result = dns_rdataset_first(aaaa);
while (result == ISC_R_SUCCESS) {
dns_rdataset_current(aaaa, &rdata);
match = ISC_FALSE;
for (cur = ai; cur != NULL; cur = cur->ai_next) {
if (cur->ai_family != AF_INET6)
continue;
ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
if (memcmp(ptr, rdata.data, rdata.length) == 0) {
match = ISC_TRUE;
break;
}
}
if (!match && !logged(namebuf, ERR_EXTRA_AAAA)) {
dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
"extra GLUE AAAA record (%s)",
ownerbuf, namebuf,
inet_ntop(AF_INET6, rdata.data,
addrbuf, sizeof(addrbuf)));
add(namebuf, ERR_EXTRA_AAAA);
/* XXX950 make fatal for 9.5.0. */
/* answer = ISC_FALSE; */
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(aaaa);
}
checkmissing:
/*
* Check that all addresses appear in the glue.
*/
if (!logged(namebuf, ERR_MISSING_GLUE)) {
isc_boolean_t missing_glue = ISC_FALSE;
for (cur = ai; cur != NULL; cur = cur->ai_next) {
switch (cur->ai_family) {
case AF_INET:
rdataset = a;
ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
type = "A";
break;
case AF_INET6:
rdataset = aaaa;
ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
type = "AAAA";
break;
default:
continue;
}
match = ISC_FALSE;
if (dns_rdataset_isassociated(rdataset))
result = dns_rdataset_first(rdataset);
else
result = ISC_R_FAILURE;
while (result == ISC_R_SUCCESS && !match) {
dns_rdataset_current(rdataset, &rdata);
if (memcmp(ptr, rdata.data, rdata.length) == 0)
match = ISC_TRUE;
dns_rdata_reset(&rdata);
result = dns_rdataset_next(rdataset);
}
if (!match) {
dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
"missing GLUE %s record (%s)",
ownerbuf, namebuf, type,
inet_ntop(cur->ai_family, ptr,
addrbuf, sizeof(addrbuf)));
/* XXX950 make fatal for 9.5.0. */
/* answer = ISC_FALSE; */
missing_glue = ISC_TRUE;
}
}
if (missing_glue)
add(namebuf, ERR_MISSING_GLUE);
}
freeaddrinfo(ai);
return (answer);
#else
return (ISC_TRUE);
#endif
}
static isc_boolean_t
checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
#ifdef USE_GETADDRINFO
struct addrinfo hints, *ai, *cur;
char namebuf[DNS_NAME_FORMATSIZE + 1];
char ownerbuf[DNS_NAME_FORMATSIZE];
int result;
int level = ISC_LOG_ERROR;
isc_boolean_t answer = ISC_TRUE;
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_CANONNAME;
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
/*
* Turn off search.
*/
if (dns_name_countlabels(name) > 1U)
strcat(namebuf, ".");
dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
result = getaddrinfo(namebuf, NULL, &hints, &ai);
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
switch (result) {
case 0:
/*
* Work around broken getaddrinfo() implementations that
* fail to set ai_canonname on first entry.
*/
cur = ai;
while (cur != NULL && cur->ai_canonname == NULL &&
cur->ai_next != NULL)
cur = cur->ai_next;
if (cur != NULL && cur->ai_canonname != NULL &&
strcasecmp(cur->ai_canonname, namebuf) != 0) {
if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0)
level = ISC_LOG_WARNING;
if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
if (!logged(namebuf, ERR_IS_MXCNAME)) {
dns_zone_log(zone, level,
"%s/MX '%s' (out of zone)"
" is a CNAME '%s' "
"(illegal)",
ownerbuf, namebuf,
cur->ai_canonname);
add(namebuf, ERR_IS_MXCNAME);
}
if (level == ISC_LOG_ERROR)
answer = ISC_FALSE;
}
}
freeaddrinfo(ai);
return (answer);
case EAI_NONAME:
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif
if (!logged(namebuf, ERR_NO_ADDRESSES)) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/MX '%s' (out of zone) "
"has no addresses records (A or AAAA)",
ownerbuf, namebuf);
add(namebuf, ERR_NO_ADDRESSES);
}
/* XXX950 make fatal for 9.5.0. */
return (ISC_TRUE);
default:
if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
dns_zone_log(zone, ISC_LOG_WARNING,
"getaddrinfo(%s) failed: %s",
namebuf, gai_strerror(result));
add(namebuf, ERR_LOOKUP_FAILURE);
}
return (ISC_TRUE);
}
#else
return (ISC_TRUE);
#endif
}
static isc_boolean_t
checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
#ifdef USE_GETADDRINFO
struct addrinfo hints, *ai, *cur;
char namebuf[DNS_NAME_FORMATSIZE + 1];
char ownerbuf[DNS_NAME_FORMATSIZE];
int result;
int level = ISC_LOG_ERROR;
isc_boolean_t answer = ISC_TRUE;
memset(&hints, 0, sizeof(hints));
hints.ai_flags = AI_CANONNAME;
hints.ai_family = PF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
/*
* Turn off search.
*/
if (dns_name_countlabels(name) > 1U)
strcat(namebuf, ".");
dns_name_format(owner, ownerbuf, sizeof(ownerbuf));
result = getaddrinfo(namebuf, NULL, &hints, &ai);
dns_name_format(name, namebuf, sizeof(namebuf) - 1);
switch (result) {
case 0:
/*
* Work around broken getaddrinfo() implementations that
* fail to set ai_canonname on first entry.
*/
cur = ai;
while (cur != NULL && cur->ai_canonname == NULL &&
cur->ai_next != NULL)
cur = cur->ai_next;
if (cur != NULL && cur->ai_canonname != NULL &&
strcasecmp(cur->ai_canonname, namebuf) != 0) {
if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0)
level = ISC_LOG_WARNING;
if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {
if (!logged(namebuf, ERR_IS_SRVCNAME)) {
dns_zone_log(zone, level, "%s/SRV '%s'"
" (out of zone) is a "
"CNAME '%s' (illegal)",
ownerbuf, namebuf,
cur->ai_canonname);
add(namebuf, ERR_IS_SRVCNAME);
}
if (level == ISC_LOG_ERROR)
answer = ISC_FALSE;
}
}
freeaddrinfo(ai);
return (answer);
case EAI_NONAME:
#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
case EAI_NODATA:
#endif
if (!logged(namebuf, ERR_NO_ADDRESSES)) {
dns_zone_log(zone, ISC_LOG_ERROR,
"%s/SRV '%s' (out of zone) "
"has no addresses records (A or AAAA)",
ownerbuf, namebuf);
add(namebuf, ERR_NO_ADDRESSES);
}
/* XXX950 make fatal for 9.5.0. */
return (ISC_TRUE);
default:
if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
dns_zone_log(zone, ISC_LOG_WARNING,
"getaddrinfo(%s) failed: %s",
namebuf, gai_strerror(result));
add(namebuf, ERR_LOOKUP_FAILURE);
}
return (ISC_TRUE);
}
#else
return (ISC_TRUE);
#endif
}
isc_result_t
setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
isc_logdestination_t destination;
isc_logconfig_t *logconfig = NULL;
isc_log_t *log = NULL;
RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
isc_log_registercategories(log, categories);
isc_log_setcontext(log);
dns_log_init(log);
dns_log_setcontext(log);
cfg_log_init(log);
destination.file.stream = errout;
destination.file.name = NULL;
destination.file.versions = ISC_LOG_ROLLNEVER;
destination.file.maximum_size = 0;
RUNTIME_CHECK(isc_log_createchannel(logconfig, "stderr",
ISC_LOG_TOFILEDESC,
ISC_LOG_DYNAMIC,
&destination, 0) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
NULL, NULL) == ISC_R_SUCCESS);
*logp = log;
return (ISC_R_SUCCESS);
}
/*% load the zone */
isc_result_t
load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
dns_masterformat_t fileformat, const char *classname,
dns_zone_t **zonep)
{
isc_result_t result;
dns_rdataclass_t rdclass;
isc_textregion_t region;
isc_buffer_t buffer;
dns_fixedname_t fixorigin;
dns_name_t *origin;
dns_zone_t *zone = NULL;
REQUIRE(zonep == NULL || *zonep == NULL);
if (debug)
fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n",
zonename, filename, classname);
CHECK(dns_zone_create(&zone, mctx));
dns_zone_settype(zone, dns_zone_master);
isc_buffer_constinit(&buffer, zonename, strlen(zonename));
isc_buffer_add(&buffer, strlen(zonename));
dns_fixedname_init(&fixorigin);
origin = dns_fixedname_name(&fixorigin);
CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, 0, NULL));
CHECK(dns_zone_setorigin(zone, origin));
CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
CHECK(dns_zone_setfile2(zone, filename, fileformat));
DE_CONST(classname, region.base);
region.length = strlen(classname);
CHECK(dns_rdataclass_fromtext(&rdclass, &region));
dns_zone_setclass(zone, rdclass);
dns_zone_setoption(zone, zone_options, ISC_TRUE);
dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);
if (docheckmx)
dns_zone_setcheckmx(zone, checkmx);
if (docheckns)
dns_zone_setcheckns(zone, checkns);
if (dochecksrv)
dns_zone_setchecksrv(zone, checksrv);
CHECK(dns_zone_load(zone));
if (zonep != NULL) {
*zonep = zone;
zone = NULL;
}
cleanup:
if (zone != NULL)
dns_zone_detach(&zone);
return (result);
}
/*% dump the zone */
isc_result_t
dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
dns_masterformat_t fileformat, const dns_master_style_t *style,
const isc_uint32_t rawversion)
{
isc_result_t result;
FILE *output = stdout;
const char *flags;
flags = (fileformat == dns_masterformat_text) ? "w+" : "wb+";
if (debug) {
if (filename != NULL && strcmp(filename, "-") != 0)
fprintf(stderr, "dumping \"%s\" to \"%s\"\n",
zonename, filename);
else
fprintf(stderr, "dumping \"%s\"\n", zonename);
}
if (filename != NULL && strcmp(filename, "-") != 0) {
result = isc_stdio_open(filename, flags, &output);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not open output "
"file \"%s\" for writing\n", filename);
return (ISC_R_FAILURE);
}
}
result = dns_zone_dumptostream3(zone, output, fileformat, style,
rawversion);
if (output != stdout)
(void)isc_stdio_close(output);
return (result);
}
#ifdef _WIN32
void
InitSockets(void) {
WORD wVersionRequested;
WSADATA wsaData;
int err;
wVersionRequested = MAKEWORD(2, 0);
err = WSAStartup( wVersionRequested, &wsaData );
if (err != 0) {
fprintf(stderr, "WSAStartup() failed: %d\n", err);
exit(1);
}
}
void
DestroySockets(void) {
WSACleanup();
}
#endif

61
contrib/bind9/bin/check/check-tool.h
View file

@ -1,61 +0,0 @@
/*
* Copyright (C) 2004, 2005, 2007, 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check-tool.h,v 1.18 2011/12/09 23:47:02 tbox Exp $ */
#ifndef CHECK_TOOL_H
#define CHECK_TOOL_H
/*! \file */
#include <isc/lang.h>
#include <isc/stdio.h>
#include <isc/types.h>
#include <dns/masterdump.h>
#include <dns/types.h>
ISC_LANG_BEGINDECLS
isc_result_t
setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp);
isc_result_t
load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
dns_masterformat_t fileformat, const char *classname,
dns_zone_t **zonep);
isc_result_t
dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
dns_masterformat_t fileformat, const dns_master_style_t *style,
const isc_uint32_t rawversion);
#ifdef _WIN32
void InitSockets(void);
void DestroySockets(void);
#endif
extern int debug;
extern isc_boolean_t nomerge;
extern isc_boolean_t docheckmx;
extern isc_boolean_t docheckns;
extern isc_boolean_t dochecksrv;
extern unsigned int zone_options;
ISC_LANG_ENDDECLS
#endif

119
contrib/bind9/bin/check/named-checkconf.8
View file

@ -1,119 +0,0 @@
.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: named\-checkconf
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: June 14, 2000
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "NAMED\-CHECKCONF" "8" "June 14, 2000" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
named\-checkconf \- named configuration file syntax checking tool
.SH "SYNOPSIS"
.HP 16
\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-p\fR] [\fB\-z\fR]
.SH "DESCRIPTION"
.PP
\fBnamed\-checkconf\fR
checks the syntax, but not the semantics, of a
\fBnamed\fR
configuration file. The file is parsed and checked for syntax errors, along with all files included by it. If no file is specified,
\fI/etc/named.conf\fR
is read by default.
.PP
Note: files that
\fBnamed\fR
reads in separate parser contexts, such as
\fIrndc.key\fR
and
\fIbind.keys\fR, are not automatically read by
\fBnamed\-checkconf\fR. Configuration errors in these files may cause
\fBnamed\fR
to fail to run, even if
\fBnamed\-checkconf\fR
was successful.
\fBnamed\-checkconf\fR
can be run on these files explicitly, however.
.SH "OPTIONS"
.PP
\-h
.RS 4
Print the usage summary and exit.
.RE
.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
\fIdirectory\fR
so that include directives in the configuration file are processed as if run by a similarly chrooted named.
.RE
.PP
\-v
.RS 4
Print the version of the
\fBnamed\-checkconf\fR
program and exit.
.RE
.PP
\-p
.RS 4
Print out the
\fInamed.conf\fR
and included files in canonical form if no errors were detected.
.RE
.PP
\-z
.RS 4
Perform a test load of all master zones found in
\fInamed.conf\fR.
.RE
.PP
\-j
.RS 4
When loading a zonefile read the journal if it exists.
.RE
.PP
filename
.RS 4
The name of the configuration file to be checked. If not specified, it defaults to
\fI/etc/named.conf\fR.
.RE
.SH "RETURN VALUES"
.PP
\fBnamed\-checkconf\fR
returns an exit status of 1 if errors were detected and 0 otherwise.
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed\-checkzone\fR(8),
BIND 9 Administrator Reference Manual.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br

556
contrib/bind9/bin/check/named-checkconf.c
View file

@ -1,556 +0,0 @@
/*
* Copyright (C) 2004-2007, 2009-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named-checkconf.c,v 1.56 2011/03/12 04:59:46 tbox Exp $ */
/*! \file */
#include <config.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/entropy.h>
#include <isc/hash.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>
#include <isccfg/namedconf.h>
#include <bind9/check.h>
#include <dns/fixedname.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/result.h>
#include <dns/zone.h>
#include "check-tool.h"
static const char *program = "named-checkconf";
isc_log_t *logc = NULL;
#define CHECK(r)\
do { \
result = (r); \
if (result != ISC_R_SUCCESS) \
goto cleanup; \
} while (0)
/*% usage */
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "usage: %s [-h] [-j] [-p] [-v] [-z] [-t directory] "
"[named.conf]\n", program);
exit(1);
}
/*% directory callback */
static isc_result_t
directory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
isc_result_t result;
const char *directory;
REQUIRE(strcasecmp("directory", clausename) == 0);
UNUSED(arg);
UNUSED(clausename);
/*
* Change directory.
*/
directory = cfg_obj_asstring(obj);
result = isc_dir_chdir(directory);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, logc, ISC_LOG_ERROR,
"change directory to '%s' failed: %s\n",
directory, isc_result_totext(result));
return (result);
}
return (ISC_R_SUCCESS);
}
static isc_boolean_t
get_maps(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
int i;
for (i = 0;; i++) {
if (maps[i] == NULL)
return (ISC_FALSE);
if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
return (ISC_TRUE);
}
}
static isc_boolean_t
get_checknames(const cfg_obj_t **maps, const cfg_obj_t **obj) {
const cfg_listelt_t *element;
const cfg_obj_t *checknames;
const cfg_obj_t *type;
const cfg_obj_t *value;
isc_result_t result;
int i;
for (i = 0;; i++) {
if (maps[i] == NULL)
return (ISC_FALSE);
checknames = NULL;
result = cfg_map_get(maps[i], "check-names", &checknames);
if (result != ISC_R_SUCCESS)
continue;
if (checknames != NULL && !cfg_obj_islist(checknames)) {
*obj = checknames;
return (ISC_TRUE);
}
for (element = cfg_list_first(checknames);
element != NULL;
element = cfg_list_next(element)) {
value = cfg_listelt_value(element);
type = cfg_tuple_get(value, "type");
if (strcasecmp(cfg_obj_asstring(type), "master") != 0)
continue;
*obj = cfg_tuple_get(value, "mode");
return (ISC_TRUE);
}
}
}
static isc_result_t
config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
int i;
for (i = 0;; i++) {
if (maps[i] == NULL)
return (ISC_R_NOTFOUND);
if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
return (ISC_R_SUCCESS);
}
}
/*% configure the zone */
static isc_result_t
configure_zone(const char *vclass, const char *view,
const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
const cfg_obj_t *config, isc_mem_t *mctx)
{
int i = 0;
isc_result_t result;
const char *zclass;
const char *zname;
const char *zfile;
const cfg_obj_t *maps[4];
const cfg_obj_t *zoptions = NULL;
const cfg_obj_t *classobj = NULL;
const cfg_obj_t *typeobj = NULL;
const cfg_obj_t *fileobj = NULL;
const cfg_obj_t *dbobj = NULL;
const cfg_obj_t *obj = NULL;
const cfg_obj_t *fmtobj = NULL;
dns_masterformat_t masterformat;
zone_options = DNS_ZONEOPT_CHECKNS | DNS_ZONEOPT_MANYERRORS;
zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
classobj = cfg_tuple_get(zconfig, "class");
if (!cfg_obj_isstring(classobj))
zclass = vclass;
else
zclass = cfg_obj_asstring(classobj);
zoptions = cfg_tuple_get(zconfig, "options");
maps[i++] = zoptions;
if (vconfig != NULL)
maps[i++] = cfg_tuple_get(vconfig, "options");
if (config != NULL) {
cfg_map_get(config, "options", &obj);
if (obj != NULL)
maps[i++] = obj;
}
maps[i] = NULL;
cfg_map_get(zoptions, "type", &typeobj);
if (typeobj == NULL)
return (ISC_R_FAILURE);
if (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0)
return (ISC_R_SUCCESS);
cfg_map_get(zoptions, "database", &dbobj);
if (dbobj != NULL)
return (ISC_R_SUCCESS);
cfg_map_get(zoptions, "file", &fileobj);
if (fileobj == NULL)
return (ISC_R_FAILURE);
zfile = cfg_obj_asstring(fileobj);
obj = NULL;
if (get_maps(maps, "check-dup-records", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options |= DNS_ZONEOPT_CHECKDUPRRFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options &= ~DNS_ZONEOPT_CHECKDUPRR;
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
} else
INSIST(0);
} else {
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
}
obj = NULL;
if (get_maps(maps, "check-mx", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_CHECKMX;
zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
zone_options |= DNS_ZONEOPT_CHECKMX;
zone_options |= DNS_ZONEOPT_CHECKMXFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options &= ~DNS_ZONEOPT_CHECKMX;
zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
} else
INSIST(0);
} else {
zone_options |= DNS_ZONEOPT_CHECKMX;
zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
}
obj = NULL;
if (get_maps(maps, "check-integrity", &obj)) {
if (cfg_obj_asboolean(obj))
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
else
zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
} else
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
obj = NULL;
if (get_maps(maps, "check-mx-cname", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
} else
INSIST(0);
} else {
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
}
obj = NULL;
if (get_maps(maps, "check-srv-cname", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
} else
INSIST(0);
} else {
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
}
obj = NULL;
if (get_maps(maps, "check-sibling", &obj)) {
if (cfg_obj_asboolean(obj))
zone_options |= DNS_ZONEOPT_CHECKSIBLING;
else
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
}
obj = NULL;
if (get_maps(maps, "check-spf", &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_CHECKSPF;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options &= ~DNS_ZONEOPT_CHECKSPF;
} else
INSIST(0);
} else {
zone_options |= DNS_ZONEOPT_CHECKSPF;
}
obj = NULL;
if (get_checknames(maps, &obj)) {
if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
zone_options |= DNS_ZONEOPT_CHECKNAMES;
zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
zone_options |= DNS_ZONEOPT_CHECKNAMES;
zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
} else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
zone_options &= ~DNS_ZONEOPT_CHECKNAMES;
zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
} else
INSIST(0);
} else {
zone_options |= DNS_ZONEOPT_CHECKNAMES;
zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
}
masterformat = dns_masterformat_text;
fmtobj = NULL;
result = config_get(maps, "masterfile-format", &fmtobj);
if (result == ISC_R_SUCCESS) {
const char *masterformatstr = cfg_obj_asstring(fmtobj);
if (strcasecmp(masterformatstr, "text") == 0)
masterformat = dns_masterformat_text;
else if (strcasecmp(masterformatstr, "raw") == 0)
masterformat = dns_masterformat_raw;
else
INSIST(0);
}
result = load_zone(mctx, zname, zfile, masterformat, zclass, NULL);
if (result != ISC_R_SUCCESS)
fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
dns_result_totext(result));
return(result);
}
/*% configure a view */
static isc_result_t
configure_view(const char *vclass, const char *view, const cfg_obj_t *config,
const cfg_obj_t *vconfig, isc_mem_t *mctx)
{
const cfg_listelt_t *element;
const cfg_obj_t *voptions;
const cfg_obj_t *zonelist;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
voptions = NULL;
if (vconfig != NULL)
voptions = cfg_tuple_get(vconfig, "options");
zonelist = NULL;
if (voptions != NULL)
(void)cfg_map_get(voptions, "zone", &zonelist);
else
(void)cfg_map_get(config, "zone", &zonelist);
for (element = cfg_list_first(zonelist);
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *zconfig = cfg_listelt_value(element);
tresult = configure_zone(vclass, view, zconfig, vconfig,
config, mctx);
if (tresult != ISC_R_SUCCESS)
result = tresult;
}
return (result);
}
/*% load zones from the configuration */
static isc_result_t
load_zones_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx) {
const cfg_listelt_t *element;
const cfg_obj_t *classobj;
const cfg_obj_t *views;
const cfg_obj_t *vconfig;
const char *vclass;
isc_result_t result = ISC_R_SUCCESS;
isc_result_t tresult;
views = NULL;
(void)cfg_map_get(config, "view", &views);
for (element = cfg_list_first(views);
element != NULL;
element = cfg_list_next(element))
{
const char *vname;
vclass = "IN";
vconfig = cfg_listelt_value(element);
if (vconfig != NULL) {
classobj = cfg_tuple_get(vconfig, "class");
if (cfg_obj_isstring(classobj))
vclass = cfg_obj_asstring(classobj);
}
vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
tresult = configure_view(vclass, vname, config, vconfig, mctx);
if (tresult != ISC_R_SUCCESS)
result = tresult;
}
if (views == NULL) {
tresult = configure_view("IN", "_default", config, NULL, mctx);
if (tresult != ISC_R_SUCCESS)
result = tresult;
}
return (result);
}
static void
output(void *closure, const char *text, int textlen) {
UNUSED(closure);
if (fwrite(text, 1, textlen, stdout) != (size_t)textlen) {
perror("fwrite");
exit(1);
}
}
/*% The main processing routine */
int
main(int argc, char **argv) {
int c;
cfg_parser_t *parser = NULL;
cfg_obj_t *config = NULL;
const char *conffile = NULL;
isc_mem_t *mctx = NULL;
isc_result_t result;
int exit_status = 0;
isc_entropy_t *ectx = NULL;
isc_boolean_t load_zones = ISC_FALSE;
isc_boolean_t print = ISC_FALSE;
isc_commandline_errprint = ISC_FALSE;
while ((c = isc_commandline_parse(argc, argv, "dhjt:pvz")) != EOF) {
switch (c) {
case 'd':
debug++;
break;
case 'j':
nomerge = ISC_FALSE;
break;
case 't':
result = isc_dir_chroot(isc_commandline_argument);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "isc_dir_chroot: %s\n",
isc_result_totext(result));
exit(1);
}
break;
case 'p':
print = ISC_TRUE;
break;
case 'v':
printf(VERSION "\n");
exit(0);
case 'z':
load_zones = ISC_TRUE;
docheckmx = ISC_FALSE;
docheckns = ISC_FALSE;
dochecksrv = ISC_FALSE;
break;
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* FALLTHROUGH */
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
if (isc_commandline_index + 1 < argc)
usage();
if (argv[isc_commandline_index] != NULL)
conffile = argv[isc_commandline_index];
if (conffile == NULL || conffile[0] == '\0')
conffile = NAMED_CONFFILE;
#ifdef _WIN32
InitSockets();
#endif
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
== ISC_R_SUCCESS);
dns_result_register();
RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
cfg_parser_setcallback(parser, directory_callback, NULL);
if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) !=
ISC_R_SUCCESS)
exit(1);
result = bind9_check_namedconf(config, logc, mctx);
if (result != ISC_R_SUCCESS)
exit_status = 1;
if (result == ISC_R_SUCCESS && load_zones) {
result = load_zones_fromconfig(config, mctx);
if (result != ISC_R_SUCCESS)
exit_status = 1;
}
if (print && exit_status == 0)
cfg_print(config, output, NULL);
cfg_obj_destroy(parser, &config);
cfg_parser_destroy(&parser);
dns_name_destroy();
isc_log_destroy(&logc);
isc_hash_destroy();
isc_entropy_detach(&ectx);
isc_mem_destroy(&mctx);
#ifdef _WIN32
DestroySockets();
#endif
return (exit_status);
}

195
contrib/bind9/bin/check/named-checkconf.docbook
View file

@ -1,195 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named-checkconf.docbook,v 1.22 2009/12/28 23:21:16 each Exp $ -->
<refentry id="man.named-checkconf">
<refentryinfo>
<date>June 14, 2000</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>named-checkconf</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refnamediv>
<refname><application>named-checkconf</application></refname>
<refpurpose>named configuration file syntax checking tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>named-checkconf</command>
<arg><option>-h</option></arg>
<arg><option>-v</option></arg>
<arg><option>-j</option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="req">filename</arg>
<arg><option>-p</option></arg>
<arg><option>-z</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>named-checkconf</command>
checks the syntax, but not the semantics, of a
<command>named</command> configuration file. The file is parsed
and checked for syntax errors, along with all files included by it.
If no file is specified, <filename>/etc/named.conf</filename> is read
by default.
</para>
<para>
Note: files that <command>named</command> reads in separate
parser contexts, such as <filename>rndc.key</filename> and
<filename>bind.keys</filename>, are not automatically read
by <command>named-checkconf</command>. Configuration
errors in these files may cause <command>named</command> to
fail to run, even if <command>named-checkconf</command> was
successful. <command>named-checkconf</command> can be run
on these files explicitly, however.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Print the usage summary and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Chroot to <filename>directory</filename> so that include
directives in the configuration file are processed as if
run by a similarly chrooted named.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Print the version of the <command>named-checkconf</command>
program and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Print out the <filename>named.conf</filename> and included files
in canonical form if no errors were detected.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Perform a test load of all master zones found in
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-j</term>
<listitem>
<para>
When loading a zonefile read the journal if it exists.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>filename</term>
<listitem>
<para>
The name of the configuration file to be checked. If not
specified, it defaults to <filename>/etc/named.conf</filename>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>RETURN VALUES</title>
<para><command>named-checkconf</command>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

113
contrib/bind9/bin/check/named-checkconf.html
View file

@ -1,113 +0,0 @@
<!--
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-checkconf</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.named-checkconf"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-p</code>] [<code class="option">-z</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543396"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkconf</strong></span>
checks the syntax, but not the semantics, of a
<span><strong class="command">named</strong></span> configuration file. The file is parsed
and checked for syntax errors, along with all files included by it.
If no file is specified, <code class="filename">/etc/named.conf</code> is read
by default.
</p>
<p>
Note: files that <span><strong class="command">named</strong></span> reads in separate
parser contexts, such as <code class="filename">rndc.key</code> and
<code class="filename">bind.keys</code>, are not automatically read
by <span><strong class="command">named-checkconf</strong></span>. Configuration
errors in these files may cause <span><strong class="command">named</strong></span> to
fail to run, even if <span><strong class="command">named-checkconf</strong></span> was
successful. <span><strong class="command">named-checkconf</strong></span> can be run
on these files explicitly, however.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543445"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
Print the usage summary and exit.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Chroot to <code class="filename">directory</code> so that include
directives in the configuration file are processed as if
run by a similarly chrooted named.
</p></dd>
<dt><span class="term">-v</span></dt>
<dd><p>
Print the version of the <span><strong class="command">named-checkconf</strong></span>
program and exit.
</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
Print out the <code class="filename">named.conf</code> and included files
in canonical form if no errors were detected.
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Perform a test load of all master zones found in
<code class="filename">named.conf</code>.
</p></dd>
<dt><span class="term">-j</span></dt>
<dd><p>
When loading a zonefile read the journal if it exists.
</p></dd>
<dt><span class="term">filename</span></dt>
<dd><p>
The name of the configuration file to be checked. If not
specified, it defaults to <code class="filename">/etc/named.conf</code>.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543569"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkconf</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543580"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543610"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

308
contrib/bind9/bin/check/named-checkzone.8
View file

@ -1,308 +0,0 @@
.\" Copyright (C) 2004-2007, 2009-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: named\-checkzone
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: June 13, 2000
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "NAMED\-CHECKZONE" "8" "June 13, 2000" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
.SH "SYNOPSIS"
.HP 16
\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
.HP 18
\fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-r\ \fR\fB\fImode\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-T\ \fR\fB\fImode\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {\fB\-o\ \fR\fB\fIfilename\fR\fR} {zonename} {filename}
.SH "DESCRIPTION"
.PP
\fBnamed\-checkzone\fR
checks the syntax and integrity of a zone file. It performs the same checks as
\fBnamed\fR
does when loading a zone. This makes
\fBnamed\-checkzone\fR
useful for checking zone files before configuring them into a name server.
.PP
\fBnamed\-compilezone\fR
is similar to
\fBnamed\-checkzone\fR, but it always dumps the zone contents to a specified file in a specified format. Additionally, it applies stricter check levels by default, since the dump output will be used as an actual zone file loaded by
\fBnamed\fR. When manually specified otherwise, the check levels must at least be as strict as those specified in the
\fBnamed\fR
configuration file.
.SH "OPTIONS"
.PP
\-d
.RS 4
Enable debugging.
.RE
.PP
\-h
.RS 4
Print the usage summary and exit.
.RE
.PP
\-q
.RS 4
Quiet mode \- exit code only.
.RE
.PP
\-v
.RS 4
Print the version of the
\fBnamed\-checkzone\fR
program and exit.
.RE
.PP
\-j
.RS 4
When loading the zone file read the journal if it exists.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specify the class of the zone. If not specified, "IN" is assumed.
.RE
.PP
\-i \fImode\fR
.RS 4
Perform post\-load zone integrity checks. Possible modes are
\fB"full"\fR
(default),
\fB"full\-sibling"\fR,
\fB"local"\fR,
\fB"local\-sibling"\fR
and
\fB"none"\fR.
.sp
Mode
\fB"full"\fR
checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
\fB"local"\fR
only checks MX records which refer to in\-zone hostnames.
.sp
Mode
\fB"full"\fR
checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). Mode
\fB"local"\fR
only checks SRV records which refer to in\-zone hostnames.
.sp
Mode
\fB"full"\fR
checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames). It also checks that glue address records in the zone match those advertised by the child. Mode
\fB"local"\fR
only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone.
.sp
Mode
\fB"full\-sibling"\fR
and
\fB"local\-sibling"\fR
disable sibling glue checks but are otherwise the same as
\fB"full"\fR
and
\fB"local"\fR
respectively.
.sp
Mode
\fB"none"\fR
disables the checks.
.RE
.PP
\-f \fIformat\fR
.RS 4
Specify the format of the zone file. Possible formats are
\fB"text"\fR
(default) and
\fB"raw"\fR.
.RE
.PP
\-F \fIformat\fR
.RS 4
Specify the format of the output file specified. For
\fBnamed\-checkzone\fR, this does not cause any effects unless it dumps the zone contents.
.sp
Possible formats are
\fB"text"\fR
(default) and
\fB"raw"\fR
or
\fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
\fBnamed\fR.
\fB"raw=N"\fR
specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
\fBnamed\fR; if N is 1, the file can be read by release 9.9.0 or higher. The default is 1.
.RE
.PP
\-k \fImode\fR
.RS 4
Perform
\fB"check\-names"\fR
checks with the specified failure mode. Possible modes are
\fB"fail"\fR
(default for
\fBnamed\-compilezone\fR),
\fB"warn"\fR
(default for
\fBnamed\-checkzone\fR) and
\fB"ignore"\fR.
.RE
.PP
\-L \fIserial\fR
.RS 4
When compiling a zone to 'raw' format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.)
.RE
.PP
\-m \fImode\fR
.RS 4
Specify whether MX records should be checked to see if they are addresses. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
.RE
.PP
\-M \fImode\fR
.RS 4
Check if a MX record refers to a CNAME. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
.RE
.PP
\-n \fImode\fR
.RS 4
Specify whether NS records should be checked to see if they are addresses. Possible modes are
\fB"fail"\fR
(default for
\fBnamed\-compilezone\fR),
\fB"warn"\fR
(default for
\fBnamed\-checkzone\fR) and
\fB"ignore"\fR.
.RE
.PP
\-o \fIfilename\fR
.RS 4
Write zone output to
\fIfilename\fR. If
\fIfilename\fR
is
\fI\-\fR
then write to standard out. This is mandatory for
\fBnamed\-compilezone\fR.
.RE
.PP
\-r \fImode\fR
.RS 4
Check for records that are treated as different by DNSSEC but are semantically equal in plain DNS. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
.RE
.PP
\-s \fIstyle\fR
.RS 4
Specify the style of the dumped zone file. Possible styles are
\fB"full"\fR
(default) and
\fB"relative"\fR. The full format is most suitable for processing automatically by a separate script. On the other hand, the relative format is more human\-readable and is thus suitable for editing by hand. For
\fBnamed\-checkzone\fR
this does not cause any effects unless it dumps the zone contents. It also does not have any meaning if the output format is not text.
.RE
.PP
\-S \fImode\fR
.RS 4
Check if a SRV record refers to a CNAME. Possible modes are
\fB"fail"\fR,
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
.RE
.PP
\-t \fIdirectory\fR
.RS 4
Chroot to
\fIdirectory\fR
so that include directives in the configuration file are processed as if run by a similarly chrooted named.
.RE
.PP
\-T \fImode\fR
.RS 4
Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are
\fB"warn"\fR
(default),
\fB"ignore"\fR.
.RE
.PP
\-w \fIdirectory\fR
.RS 4
chdir to
\fIdirectory\fR
so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in
\fInamed.conf\fR.
.RE
.PP
\-D
.RS 4
Dump zone file in canonical format. This is always enabled for
\fBnamed\-compilezone\fR.
.RE
.PP
\-W \fImode\fR
.RS 4
Specify whether to check for non\-terminal wildcards. Non\-terminal wildcards are almost always the result of a failure to understand the wildcard matching algorithm (RFC 1034). Possible modes are
\fB"warn"\fR
(default) and
\fB"ignore"\fR.
.RE
.PP
zonename
.RS 4
The domain name of the zone being checked.
.RE
.PP
filename
.RS 4
The name of the zone file.
.RE
.SH "RETURN VALUES"
.PP
\fBnamed\-checkzone\fR
returns an exit status of 1 if errors were detected and 0 otherwise.
.SH "SEE ALSO"
.PP
\fBnamed\fR(8),
\fBnamed\-checkconf\fR(8),
RFC 1035,
BIND 9 Administrator Reference Manual.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2004\-2007, 2009\-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br

544
contrib/bind9/bin/check/named-checkzone.c
View file

@ -1,544 +0,0 @@
/*
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named-checkzone.c,v 1.65 2011/12/22 17:29:22 each Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <isc/app.h>
#include <isc/commandline.h>
#include <isc/dir.h>
#include <isc/entropy.h>
#include <isc/hash.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/socket.h>
#include <isc/string.h>
#include <isc/task.h>
#include <isc/timer.h>
#include <isc/util.h>
#include <dns/db.h>
#include <dns/fixedname.h>
#include <dns/log.h>
#include <dns/master.h>
#include <dns/masterdump.h>
#include <dns/name.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/result.h>
#include <dns/types.h>
#include <dns/zone.h>
#include "check-tool.h"
static int quiet = 0;
static isc_mem_t *mctx = NULL;
static isc_entropy_t *ectx = NULL;
dns_zone_t *zone = NULL;
dns_zonetype_t zonetype = dns_zone_master;
static int dumpzone = 0;
static const char *output_filename;
static char *prog_name = NULL;
static const dns_master_style_t *outputstyle = NULL;
static enum { progmode_check, progmode_compile } progmode;
#define ERRRET(result, function) \
do { \
if (result != ISC_R_SUCCESS) { \
if (!quiet) \
fprintf(stderr, "%s() returned %s\n", \
function, dns_result_totext(result)); \
return (result); \
} \
} while (0)
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr,
"usage: %s [-djqvD] [-c class] "
"[-f inputformat] [-F outputformat] "
"[-t directory] [-w directory] [-k (ignore|warn|fail)] "
"[-n (ignore|warn|fail)] [-m (ignore|warn|fail)] "
"[-r (ignore|warn|fail)] "
"[-i (full|full-sibling|local|local-sibling|none)] "
"[-M (ignore|warn|fail)] [-S (ignore|warn|fail)] "
"[-W (ignore|warn)] "
"%s zonename filename\n",
prog_name,
progmode == progmode_check ? "[-o filename]" : "-o filename");
exit(1);
}
static void
destroy(void) {
if (zone != NULL)
dns_zone_detach(&zone);
dns_name_destroy();
}
/*% main processing routine */
int
main(int argc, char **argv) {
int c;
char *origin = NULL;
char *filename = NULL;
isc_log_t *lctx = NULL;
isc_result_t result;
char classname_in[] = "IN";
char *classname = classname_in;
const char *workdir = NULL;
const char *inputformatstr = NULL;
const char *outputformatstr = NULL;
dns_masterformat_t inputformat = dns_masterformat_text;
dns_masterformat_t outputformat = dns_masterformat_text;
dns_masterrawheader_t header;
isc_uint32_t rawversion = 1, serialnum = 0;
isc_boolean_t snset = ISC_FALSE;
isc_boolean_t logdump = ISC_FALSE;
FILE *errout = stdout;
char *endp;
outputstyle = &dns_master_style_full;
prog_name = strrchr(argv[0], '/');
if (prog_name == NULL)
prog_name = strrchr(argv[0], '\\');
if (prog_name != NULL)
prog_name++;
else
prog_name = argv[0];
/*
* Libtool doesn't preserve the program name prior to final
* installation. Remove the libtool prefix ("lt-").
*/
if (strncmp(prog_name, "lt-", 3) == 0)
prog_name += 3;
#define PROGCMP(X) \
(strcasecmp(prog_name, X) == 0 || strcasecmp(prog_name, X ".exe") == 0)
if (PROGCMP("named-checkzone"))
progmode = progmode_check;
else if (PROGCMP("named-compilezone"))
progmode = progmode_compile;
else
INSIST(0);
/* Compilation specific defaults */
if (progmode == progmode_compile) {
zone_options |= (DNS_ZONEOPT_CHECKNS |
DNS_ZONEOPT_FATALNS |
DNS_ZONEOPT_CHECKSPF |
DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKNAMES |
DNS_ZONEOPT_CHECKNAMESFAIL |
DNS_ZONEOPT_CHECKWILDCARD);
} else
zone_options |= (DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKSPF);
#define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
isc_commandline_errprint = ISC_FALSE;
while ((c = isc_commandline_parse(argc, argv,
"c:df:hi:jk:L:m:n:qr:s:t:o:vw:DF:M:S:T:W:"))
!= EOF) {
switch (c) {
case 'c':
classname = isc_commandline_argument;
break;
case 'd':
debug++;
break;
case 'i':
if (ARGCMP("full")) {
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY |
DNS_ZONEOPT_CHECKSIBLING;
docheckmx = ISC_TRUE;
docheckns = ISC_TRUE;
dochecksrv = ISC_TRUE;
} else if (ARGCMP("full-sibling")) {
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
docheckmx = ISC_TRUE;
docheckns = ISC_TRUE;
dochecksrv = ISC_TRUE;
} else if (ARGCMP("local")) {
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
zone_options |= DNS_ZONEOPT_CHECKSIBLING;
docheckmx = ISC_FALSE;
docheckns = ISC_FALSE;
dochecksrv = ISC_FALSE;
} else if (ARGCMP("local-sibling")) {
zone_options |= DNS_ZONEOPT_CHECKINTEGRITY;
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
docheckmx = ISC_FALSE;
docheckns = ISC_FALSE;
dochecksrv = ISC_FALSE;
} else if (ARGCMP("none")) {
zone_options &= ~DNS_ZONEOPT_CHECKINTEGRITY;
zone_options &= ~DNS_ZONEOPT_CHECKSIBLING;
docheckmx = ISC_FALSE;
docheckns = ISC_FALSE;
dochecksrv = ISC_FALSE;
} else {
fprintf(stderr, "invalid argument to -i: %s\n",
isc_commandline_argument);
exit(1);
}
break;
case 'f':
inputformatstr = isc_commandline_argument;
break;
case 'F':
outputformatstr = isc_commandline_argument;
break;
case 'j':
nomerge = ISC_FALSE;
break;
case 'k':
if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKNAMES;
zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
} else if (ARGCMP("fail")) {
zone_options |= DNS_ZONEOPT_CHECKNAMES |
DNS_ZONEOPT_CHECKNAMESFAIL;
} else if (ARGCMP("ignore")) {
zone_options &= ~(DNS_ZONEOPT_CHECKNAMES |
DNS_ZONEOPT_CHECKNAMESFAIL);
} else {
fprintf(stderr, "invalid argument to -k: %s\n",
isc_commandline_argument);
exit(1);
}
break;
case 'L':
snset = ISC_TRUE;
endp = NULL;
serialnum = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0') {
fprintf(stderr, "source serial number "
"must be numeric");
exit(1);
}
break;
case 'n':
if (ARGCMP("ignore")) {
zone_options &= ~(DNS_ZONEOPT_CHECKNS|
DNS_ZONEOPT_FATALNS);
} else if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKNS;
zone_options &= ~DNS_ZONEOPT_FATALNS;
} else if (ARGCMP("fail")) {
zone_options |= DNS_ZONEOPT_CHECKNS|
DNS_ZONEOPT_FATALNS;
} else {
fprintf(stderr, "invalid argument to -n: %s\n",
isc_commandline_argument);
exit(1);
}
break;
case 'm':
if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKMX;
zone_options &= ~DNS_ZONEOPT_CHECKMXFAIL;
} else if (ARGCMP("fail")) {
zone_options |= DNS_ZONEOPT_CHECKMX |
DNS_ZONEOPT_CHECKMXFAIL;
} else if (ARGCMP("ignore")) {
zone_options &= ~(DNS_ZONEOPT_CHECKMX |
DNS_ZONEOPT_CHECKMXFAIL);
} else {
fprintf(stderr, "invalid argument to -m: %s\n",
isc_commandline_argument);
exit(1);
}
break;
case 'o':
output_filename = isc_commandline_argument;
break;
case 'q':
quiet++;
break;
case 'r':
if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKDUPRR;
zone_options &= ~DNS_ZONEOPT_CHECKDUPRRFAIL;
} else if (ARGCMP("fail")) {
zone_options |= DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKDUPRRFAIL;
} else if (ARGCMP("ignore")) {
zone_options &= ~(DNS_ZONEOPT_CHECKDUPRR |
DNS_ZONEOPT_CHECKDUPRRFAIL);
} else {
fprintf(stderr, "invalid argument to -r: %s\n",
isc_commandline_argument);
exit(1);
}
break;
case 's':
if (ARGCMP("full"))
outputstyle = &dns_master_style_full;
else if (ARGCMP("relative")) {
outputstyle = &dns_master_style_default;
} else {
fprintf(stderr,
"unknown or unsupported style: %s\n",
isc_commandline_argument);
exit(1);
}
break;
case 't':
result = isc_dir_chroot(isc_commandline_argument);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "isc_dir_chroot: %s: %s\n",
isc_commandline_argument,
isc_result_totext(result));
exit(1);
}
break;
case 'v':
printf(VERSION "\n");
exit(0);
case 'w':
workdir = isc_commandline_argument;
break;
case 'D':
dumpzone++;
break;
case 'M':
if (ARGCMP("fail")) {
zone_options &= ~DNS_ZONEOPT_WARNMXCNAME;
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
} else if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
zone_options &= ~DNS_ZONEOPT_IGNOREMXCNAME;
} else if (ARGCMP("ignore")) {
zone_options |= DNS_ZONEOPT_WARNMXCNAME;
zone_options |= DNS_ZONEOPT_IGNOREMXCNAME;
} else {
fprintf(stderr, "invalid argument to -M: %s\n",
isc_commandline_argument);
exit(1);
}
break;
case 'S':
if (ARGCMP("fail")) {
zone_options &= ~DNS_ZONEOPT_WARNSRVCNAME;
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
} else if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
zone_options &= ~DNS_ZONEOPT_IGNORESRVCNAME;
} else if (ARGCMP("ignore")) {
zone_options |= DNS_ZONEOPT_WARNSRVCNAME;
zone_options |= DNS_ZONEOPT_IGNORESRVCNAME;
} else {
fprintf(stderr, "invalid argument to -S: %s\n",
isc_commandline_argument);
exit(1);
}
break;
case 'T':
if (ARGCMP("warn")) {
zone_options |= DNS_ZONEOPT_CHECKSPF;
} else if (ARGCMP("ignore")) {
zone_options &= ~DNS_ZONEOPT_CHECKSPF;
} else {
fprintf(stderr, "invalid argument to -T: %s\n",
isc_commandline_argument);
exit(1);
}
break;
case 'W':
if (ARGCMP("warn"))
zone_options |= DNS_ZONEOPT_CHECKWILDCARD;
else if (ARGCMP("ignore"))
zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
break;
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
prog_name, isc_commandline_option);
/* FALLTHROUGH */
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
prog_name, isc_commandline_option);
exit(1);
}
}
if (workdir != NULL) {
result = isc_dir_chdir(workdir);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "isc_dir_chdir: %s: %s\n",
workdir, isc_result_totext(result));
exit(1);
}
}
if (inputformatstr != NULL) {
if (strcasecmp(inputformatstr, "text") == 0)
inputformat = dns_masterformat_text;
else if (strcasecmp(inputformatstr, "raw") == 0)
inputformat = dns_masterformat_raw;
else if (strncasecmp(inputformatstr, "raw=", 4) == 0) {
inputformat = dns_masterformat_raw;
fprintf(stderr,
"WARNING: input format raw, version ignored\n");
} else {
fprintf(stderr, "unknown file format: %s\n",
inputformatstr);
exit(1);
}
}
if (outputformatstr != NULL) {
if (strcasecmp(outputformatstr, "text") == 0) {
outputformat = dns_masterformat_text;
} else if (strcasecmp(outputformatstr, "raw") == 0) {
outputformat = dns_masterformat_raw;
} else if (strncasecmp(outputformatstr, "raw=", 4) == 0) {
char *end;
outputformat = dns_masterformat_raw;
rawversion = strtol(outputformatstr + 4, &end, 10);
if (end == outputformatstr + 4 || *end != '\0' ||
rawversion > 1U) {
fprintf(stderr,
"unknown raw format version\n");
exit(1);
}
} else {
fprintf(stderr, "unknown file format: %s\n",
outputformatstr);
exit(1);
}
}
if (progmode == progmode_compile) {
dumpzone = 1; /* always dump */
logdump = !quiet;
if (output_filename == NULL) {
fprintf(stderr,
"output file required, but not specified\n");
usage();
}
}
if (output_filename != NULL)
dumpzone = 1;
/*
* If we are outputing to stdout then send the informational
* output to stderr.
*/
if (dumpzone &&
(output_filename == NULL ||
strcmp(output_filename, "-") == 0 ||
strcmp(output_filename, "/dev/fd/1") == 0 ||
strcmp(output_filename, "/dev/stdout") == 0)) {
errout = stderr;
logdump = ISC_FALSE;
}
if (isc_commandline_index + 2 != argc)
usage();
#ifdef _WIN32
InitSockets();
#endif
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
if (!quiet)
RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
== ISC_R_SUCCESS);
RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
== ISC_R_SUCCESS);
dns_result_register();
origin = argv[isc_commandline_index++];
filename = argv[isc_commandline_index++];
result = load_zone(mctx, origin, filename, inputformat, classname,
&zone);
if (snset) {
dns_master_initrawheader(&header);
header.flags = DNS_MASTERRAW_SOURCESERIALSET;
header.sourceserial = serialnum;
dns_zone_setrawdata(zone, &header);
}
if (result == ISC_R_SUCCESS && dumpzone) {
if (logdump) {
fprintf(errout, "dump zone to %s...", output_filename);
fflush(errout);
}
result = dump_zone(origin, zone, output_filename,
outputformat, outputstyle, rawversion);
if (logdump)
fprintf(errout, "done\n");
}
if (!quiet && result == ISC_R_SUCCESS)
fprintf(errout, "OK\n");
destroy();
if (lctx != NULL)
isc_log_destroy(&lctx);
isc_hash_destroy();
isc_entropy_detach(&ectx);
isc_mem_destroy(&mctx);
#ifdef _WIN32
DestroySockets();
#endif
return ((result == ISC_R_SUCCESS) ? 0 : 1);
}

509
contrib/bind9/bin/check/named-checkzone.docbook
View file

@ -1,509 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2007, 2009-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named-checkzone.docbook,v 1.44 2011/12/22 07:32:39 each Exp $ -->
<refentry id="man.named-checkzone">
<refentryinfo>
<date>June 13, 2000</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>named-checkzone</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2013</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refnamediv>
<refname><application>named-checkzone</application></refname>
<refname><application>named-compilezone</application></refname>
<refpurpose>zone file validity checking or converting tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>named-checkzone</command>
<arg><option>-d</option></arg>
<arg><option>-h</option></arg>
<arg><option>-j</option></arg>
<arg><option>-q</option></arg>
<arg><option>-v</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">format</replaceable></option></arg>
<arg><option>-F <replaceable class="parameter">format</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-M <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg><option>-S <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-D</option></arg>
<arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="req">zonename</arg>
<arg choice="req">filename</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>named-compilezone</command>
<arg><option>-d</option></arg>
<arg><option>-j</option></arg>
<arg><option>-q</option></arg>
<arg><option>-v</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-C <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">format</replaceable></option></arg>
<arg><option>-F <replaceable class="parameter">format</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">style</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">mode</replaceable></option></arg>
<arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-D</option></arg>
<arg><option>-W <replaceable class="parameter">mode</replaceable></option></arg>
<arg choice="req"><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
<arg choice="req">zonename</arg>
<arg choice="req">filename</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>named-checkzone</command>
checks the syntax and integrity of a zone file. It performs the
same checks as <command>named</command> does when loading a
zone. This makes <command>named-checkzone</command> useful for
checking zone files before configuring them into a name server.
</para>
<para>
<command>named-compilezone</command> is similar to
<command>named-checkzone</command>, but it always dumps the
zone contents to a specified file in a specified format.
Additionally, it applies stricter check levels by default,
since the dump output will be used as an actual zone file
loaded by <command>named</command>.
When manually specified otherwise, the check levels must at
least be as strict as those specified in the
<command>named</command> configuration file.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Enable debugging.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Print the usage summary and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode - exit code only.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem>
<para>
Print the version of the <command>named-checkzone</command>
program and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-j</term>
<listitem>
<para>
When loading the zone file read the journal if it exists.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specify the class of the zone. If not specified, "IN" is assumed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Perform post-load zone integrity checks. Possible modes are
<command>"full"</command> (default),
<command>"full-sibling"</command>,
<command>"local"</command>,
<command>"local-sibling"</command> and
<command>"none"</command>.
</para>
<para>
Mode <command>"full"</command> checks that MX records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <command>"local"</command> only
checks MX records which refer to in-zone hostnames.
</para>
<para>
Mode <command>"full"</command> checks that SRV records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <command>"local"</command> only
checks SRV records which refer to in-zone hostnames.
</para>
<para>
Mode <command>"full"</command> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <command>"local"</command> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
that is when the nameserver is in a child zone.
</para>
<para>
Mode <command>"full-sibling"</command> and
<command>"local-sibling"</command> disable sibling glue
checks but are otherwise the same as <command>"full"</command>
and <command>"local"</command> respectively.
</para>
<para>
Mode <command>"none"</command> disables the checks.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">format</replaceable></term>
<listitem>
<para>
Specify the format of the zone file.
Possible formats are <command>"text"</command> (default)
and <command>"raw"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-F <replaceable class="parameter">format</replaceable></term>
<listitem>
<para>
Specify the format of the output file specified.
For <command>named-checkzone</command>,
this does not cause any effects unless it dumps the zone
contents.
</para>
<para>
Possible formats are <command>"text"</command> (default)
and <command>"raw"</command> or <command>"raw=N"</command>,
which store the zone in a binary format for rapid loading
by <command>named</command>. <command>"raw=N"</command>
specifies the format version of the raw zone file: if N
is 0, the raw file can be read by any version of
<command>named</command>; if N is 1, the file can be read
by release 9.9.0 or higher. The default is 1.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Perform <command>"check-names"</command> checks with the
specified failure mode.
Possible modes are <command>"fail"</command>
(default for <command>named-compilezone</command>),
<command>"warn"</command>
(default for <command>named-checkzone</command>) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">serial</replaceable></term>
<listitem>
<para>
When compiling a zone to 'raw' format, set the "source serial"
value in the header to the specified serial number. (This is
expected to be used primarily for testing purposes.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-m <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Specify whether MX records should be checked to see if they
are addresses. Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-M <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if a MX record refers to a CNAME.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Specify whether NS records should be checked to see if they
are addresses.
Possible modes are <command>"fail"</command>
(default for <command>named-compilezone</command>),
<command>"warn"</command>
(default for <command>named-checkzone</command>) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-o <replaceable class="parameter">filename</replaceable></term>
<listitem>
<para>
Write zone output to <filename>filename</filename>.
If <filename>filename</filename> is <filename>-</filename> then
write to standard out.
This is mandatory for <command>named-compilezone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">style</replaceable></term>
<listitem>
<para>
Specify the style of the dumped zone file.
Possible styles are <command>"full"</command> (default)
and <command>"relative"</command>.
The full format is most suitable for processing
automatically by a separate script.
On the other hand, the relative format is more
human-readable and is thus suitable for editing by hand.
For <command>named-checkzone</command>
this does not cause any effects unless it dumps the zone
contents.
It also does not have any meaning if the output format
is not text.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if a SRV record refers to a CNAME.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Chroot to <filename>directory</filename> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted named.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Check if Sender Policy Framework records (TXT and SPF)
both exist or both don't exist. A warning is issued
if they don't match. Possible modes are
<command>"warn"</command> (default), <command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-w <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
chdir to <filename>directory</filename> so that
relative
filenames in master file $INCLUDE directives work. This
is similar to the directory clause in
<filename>named.conf</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>
Dump zone file in canonical format.
This is always enabled for <command>named-compilezone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-W <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
Specify whether to check for non-terminal wildcards.
Non-terminal wildcards are almost always the result of a
failure to understand the wildcard matching algorithm (RFC 1034).
Possible modes are <command>"warn"</command> (default)
and
<command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>zonename</term>
<listitem>
<para>
The domain name of the zone being checked.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>filename</term>
<listitem>
<para>
The name of the zone file.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>RETURN VALUES</title>
<para><command>named-checkzone</command>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>RFC 1035</citetitle>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

293
contrib/bind9/bin/check/named-checkzone.html
View file

@ -1,293 +0,0 @@
<!--
- Copyright (C) 2004-2007, 2009-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>named-checkzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.named-checkzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">named-checkzone</span>, <span class="application">named-compilezone</span> &#8212; zone file validity checking or converting tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
<div class="cmdsynopsis"><p><code class="command">named-compilezone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-r <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-T <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {<code class="option">-o <em class="replaceable"><code>filename</code></em></code>} {zonename} {filename}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543736"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">named-checkzone</strong></span>
checks the syntax and integrity of a zone file. It performs the
same checks as <span><strong class="command">named</strong></span> does when loading a
zone. This makes <span><strong class="command">named-checkzone</strong></span> useful for
checking zone files before configuring them into a name server.
</p>
<p>
<span><strong class="command">named-compilezone</strong></span> is similar to
<span><strong class="command">named-checkzone</strong></span>, but it always dumps the
zone contents to a specified file in a specified format.
Additionally, it applies stricter check levels by default,
since the dump output will be used as an actual zone file
loaded by <span><strong class="command">named</strong></span>.
When manually specified otherwise, the check levels must at
least be as strict as those specified in the
<span><strong class="command">named</strong></span> configuration file.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543771"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-d</span></dt>
<dd><p>
Enable debugging.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Print the usage summary and exit.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode - exit code only.
</p></dd>
<dt><span class="term">-v</span></dt>
<dd><p>
Print the version of the <span><strong class="command">named-checkzone</strong></span>
program and exit.
</p></dd>
<dt><span class="term">-j</span></dt>
<dd><p>
When loading the zone file read the journal if it exists.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specify the class of the zone. If not specified, "IN" is assumed.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
<dd>
<p>
Perform post-load zone integrity checks. Possible modes are
<span><strong class="command">"full"</strong></span> (default),
<span><strong class="command">"full-sibling"</strong></span>,
<span><strong class="command">"local"</strong></span>,
<span><strong class="command">"local-sibling"</strong></span> and
<span><strong class="command">"none"</strong></span>.
</p>
<p>
Mode <span><strong class="command">"full"</strong></span> checks that MX records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <span><strong class="command">"local"</strong></span> only
checks MX records which refer to in-zone hostnames.
</p>
<p>
Mode <span><strong class="command">"full"</strong></span> checks that SRV records
refer to A or AAAA record (both in-zone and out-of-zone
hostnames). Mode <span><strong class="command">"local"</strong></span> only
checks SRV records which refer to in-zone hostnames.
</p>
<p>
Mode <span><strong class="command">"full"</strong></span> checks that delegation NS
records refer to A or AAAA record (both in-zone and out-of-zone
hostnames). It also checks that glue address records
in the zone match those advertised by the child.
Mode <span><strong class="command">"local"</strong></span> only checks NS records which
refer to in-zone hostnames or that some required glue exists,
that is when the nameserver is in a child zone.
</p>
<p>
Mode <span><strong class="command">"full-sibling"</strong></span> and
<span><strong class="command">"local-sibling"</strong></span> disable sibling glue
checks but are otherwise the same as <span><strong class="command">"full"</strong></span>
and <span><strong class="command">"local"</strong></span> respectively.
</p>
<p>
Mode <span><strong class="command">"none"</strong></span> disables the checks.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>format</code></em></span></dt>
<dd><p>
Specify the format of the zone file.
Possible formats are <span><strong class="command">"text"</strong></span> (default)
and <span><strong class="command">"raw"</strong></span>.
</p></dd>
<dt><span class="term">-F <em class="replaceable"><code>format</code></em></span></dt>
<dd>
<p>
Specify the format of the output file specified.
For <span><strong class="command">named-checkzone</strong></span>,
this does not cause any effects unless it dumps the zone
contents.
</p>
<p>
Possible formats are <span><strong class="command">"text"</strong></span> (default)
and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>,
which store the zone in a binary format for rapid loading
by <span><strong class="command">named</strong></span>. <span><strong class="command">"raw=N"</strong></span>
specifies the format version of the raw zone file: if N
is 0, the raw file can be read by any version of
<span><strong class="command">named</strong></span>; if N is 1, the file can be read
by release 9.9.0 or higher. The default is 1.
</p>
</dd>
<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Perform <span><strong class="command">"check-names"</strong></span> checks with the
specified failure mode.
Possible modes are <span><strong class="command">"fail"</strong></span>
(default for <span><strong class="command">named-compilezone</strong></span>),
<span><strong class="command">"warn"</strong></span>
(default for <span><strong class="command">named-checkzone</strong></span>) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>
When compiling a zone to 'raw' format, set the "source serial"
value in the header to the specified serial number. (This is
expected to be used primarily for testing purposes.)
</p></dd>
<dt><span class="term">-m <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Specify whether MX records should be checked to see if they
are addresses. Possible modes are <span><strong class="command">"fail"</strong></span>,
<span><strong class="command">"warn"</strong></span> (default) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
<dt><span class="term">-M <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Check if a MX record refers to a CNAME.
Possible modes are <span><strong class="command">"fail"</strong></span>,
<span><strong class="command">"warn"</strong></span> (default) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Specify whether NS records should be checked to see if they
are addresses.
Possible modes are <span><strong class="command">"fail"</strong></span>
(default for <span><strong class="command">named-compilezone</strong></span>),
<span><strong class="command">"warn"</strong></span>
(default for <span><strong class="command">named-checkzone</strong></span>) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
<dd><p>
Write zone output to <code class="filename">filename</code>.
If <code class="filename">filename</code> is <code class="filename">-</code> then
write to standard out.
This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Check for records that are treated as different by DNSSEC but
are semantically equal in plain DNS.
Possible modes are <span><strong class="command">"fail"</strong></span>,
<span><strong class="command">"warn"</strong></span> (default) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
<dd><p>
Specify the style of the dumped zone file.
Possible styles are <span><strong class="command">"full"</strong></span> (default)
and <span><strong class="command">"relative"</strong></span>.
The full format is most suitable for processing
automatically by a separate script.
On the other hand, the relative format is more
human-readable and is thus suitable for editing by hand.
For <span><strong class="command">named-checkzone</strong></span>
this does not cause any effects unless it dumps the zone
contents.
It also does not have any meaning if the output format
is not text.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Check if a SRV record refers to a CNAME.
Possible modes are <span><strong class="command">"fail"</strong></span>,
<span><strong class="command">"warn"</strong></span> (default) and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Chroot to <code class="filename">directory</code> so that
include
directives in the configuration file are processed as if
run by a similarly chrooted named.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Check if Sender Policy Framework records (TXT and SPF)
both exist or both don't exist. A warning is issued
if they don't match. Possible modes are
<span><strong class="command">"warn"</strong></span> (default), <span><strong class="command">"ignore"</strong></span>.
</p></dd>
<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
chdir to <code class="filename">directory</code> so that
relative
filenames in master file $INCLUDE directives work. This
is similar to the directory clause in
<code class="filename">named.conf</code>.
</p></dd>
<dt><span class="term">-D</span></dt>
<dd><p>
Dump zone file in canonical format.
This is always enabled for <span><strong class="command">named-compilezone</strong></span>.
</p></dd>
<dt><span class="term">-W <em class="replaceable"><code>mode</code></em></span></dt>
<dd><p>
Specify whether to check for non-terminal wildcards.
Non-terminal wildcards are almost always the result of a
failure to understand the wildcard matching algorithm (RFC 1034).
Possible modes are <span><strong class="command">"warn"</strong></span> (default)
and
<span><strong class="command">"ignore"</strong></span>.
</p></dd>
<dt><span class="term">zonename</span></dt>
<dd><p>
The domain name of the zone being checked.
</p></dd>
<dt><span class="term">filename</span></dt>
<dd><p>
The name of the zone file.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544612"></a><h2>RETURN VALUES</h2>
<p><span><strong class="command">named-checkzone</strong></span>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544624"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
<em class="citetitle">RFC 1035</em>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544657"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

101
contrib/bind9/bin/confgen/Makefile.in
View file

@ -1,101 +0,0 @@
# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.8 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
CDEFINES =
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
SRCS= rndc-confgen.c ddns-confgen.c
SUBDIRS = unix
TARGETS = rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@
MANPAGES = rndc-confgen.8 ddns-confgen.8
HTMLPAGES = rndc-confgen.html ddns-confgen.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
UOBJS = unix/os.@O@
@BIND9_MAKE_RULES@
rndc-confgen.@O@: rndc-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
-c ${srcdir}/rndc-confgen.c
ddns-confgen.@O@: ddns-confgen.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
clean distclean maintainer-clean::
rm -f ${TARGETS}

143
contrib/bind9/bin/confgen/ddns-confgen.8
View file

@ -1,143 +0,0 @@
.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: ddns\-confgen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: Jan 29, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DDNS\-CONFGEN" "8" "Jan 29, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
ddns\-confgen \- ddns key generation tool
.SH "SYNOPSIS"
.HP 13
\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR] [\fB\-q\fR] [name]
.SH "DESCRIPTION"
.PP
\fBddns\-confgen\fR
generates a key for use by
\fBnsupdate\fR
and
\fBnamed\fR. It simplifies configuration of dynamic zones by generating a key and providing the
\fBnsupdate\fR
and
\fBnamed.conf\fR
syntax that will be needed to use it, including an example
\fBupdate\-policy\fR
statement.
.PP
If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample
\fBnamed.conf\fR
syntax. For example,
\fBddns\-confgen example.com\fR
would generate a key called "ddns\-key.example.com", and sample
\fBnamed.conf\fR
command that could be used in the zone definition for "example.com".
.PP
Note that
\fBnamed\fR
itself can configure a local DDNS key for use with
\fBnsupdate \-l\fR.
\fBddns\-confgen\fR
is only needed when a more elaborate configuration is required: for instance, if
\fBnsupdate\fR
is to be used from a remote system.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBddns\-confgen\fR.
.RE
.PP
\-k \fIkeyname\fR
.RS 4
Specifies the key name of the DDNS authentication key. The default is
\fBddns\-key\fR
when neither the
\fB\-s\fR
nor
\fB\-z\fR
option is specified; otherwise, the default is
\fBddns\-key\fR
as a separate label followed by the argument of the option, e.g.,
\fBddns\-key.example.com.\fR
The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods.
.RE
.PP
\-q
.RS 4
Quiet mode: Print only the key, with no explanatory text or usage examples.
.RE
.PP
\-r \fIrandomfile\fR
.RS 4
Specifies a source of random data for generating the authorization. If the operating system does not provide a
\fI/dev/random\fR
or equivalent device, the default source of randomness is keyboard input.
\fIrandomdev\fR
specifies the name of a character device or file containing random data to be used instead of the default. The special value
\fIkeyboard\fR
indicates that keyboard input should be used.
.RE
.PP
\-s \fIname\fR
.RS 4
Single host mode: The example
\fBnamed.conf\fR
text shows how to set an update policy for the specified
\fIname\fR
using the "name" nametype. The default key name is ddns\-key.\fIname\fR. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the
\fB\-z\fR
option.
.RE
.PP
\-z \fIzone\fR
.RS 4
zone mode: The example
\fBnamed.conf\fR
text shows how to set an update policy for the specified
\fIzone\fR
using the "zonesub" nametype, allowing updates to all subdomain names within that
\fIzone\fR. This option cannot be used with the
\fB\-s\fR
option.
.RE
.SH "SEE ALSO"
.PP
\fBnsupdate\fR(1),
\fBnamed.conf\fR(5),
\fBnamed\fR(8),
BIND 9 Administrator Reference Manual.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
.br

258
contrib/bind9/bin/confgen/ddns-confgen.c
View file

@ -1,258 +0,0 @@
/*
* Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: ddns-confgen.c,v 1.11 2011/03/12 04:59:46 tbox Exp $ */
/*! \file */
/**
* ddns-confgen generates configuration files for dynamic DNS. It can
* be used as a convenient alternative to writing the ddns.key file
* and the corresponding key and update-policy statements in named.conf.
*/
#include <config.h>
#include <stdlib.h>
#include <stdarg.h>
#include <isc/assertions.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/keyboard.h>
#include <isc/mem.h>
#include <isc/net.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dst/dst.h>
#include <confgen/os.h>
#include "util.h"
#include "keygen.h"
#define DEFAULT_KEYNAME "ddns-key"
static char program[256];
const char *progname;
isc_boolean_t verbose = ISC_FALSE;
ISC_PLATFORM_NORETURN_PRE static void
usage(int status) ISC_PLATFORM_NORETURN_POST;
static void
usage(int status) {
fprintf(stderr, "\
Usage:\n\
%s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\
-a alg: algorithm (default hmac-sha256)\n\
-k keyname: name of the key as it will be used in named.conf\n\
-r randomfile: source of random data (use \"keyboard\" for key timing)\n\
-s name: domain name to be updated using the created key\n\
-z zone: name of the zone as it will be used in named.conf\n\
-q: quiet mode: print the key, with no explanatory text\n",
progname);
exit (status);
}
int
main(int argc, char **argv) {
isc_boolean_t show_final_mem = ISC_FALSE;
isc_boolean_t quiet = ISC_FALSE;
isc_buffer_t key_txtbuffer;
char key_txtsecret[256];
isc_mem_t *mctx = NULL;
isc_result_t result = ISC_R_SUCCESS;
const char *randomfile = NULL;
const char *keyname = NULL;
const char *zone = NULL;
const char *self_domain = NULL;
char *keybuf = NULL;
dns_secalg_t alg = DST_ALG_HMACSHA256;
const char *algname = alg_totext(alg);
int keysize = 256;
int len = 0;
int ch;
result = isc_file_progname(*argv, program, sizeof(program));
if (result != ISC_R_SUCCESS)
memcpy(program, "ddns-confgen", 13);
progname = program;
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"a:hk:Mmr:qs:Vy:z:")) != -1) {
switch (ch) {
case 'a':
algname = isc_commandline_argument;
alg = alg_fromtext(algname);
if (alg == DST_ALG_UNKNOWN)
fatal("Unsupported algorithm '%s'", algname);
keysize = alg_bits(alg);
break;
case 'h':
usage(0);
case 'k':
case 'y':
keyname = isc_commandline_argument;
break;
case 'M':
isc_mem_debugging = ISC_MEM_DEBUGTRACE;
break;
case 'm':
show_final_mem = ISC_TRUE;
break;
case 'q':
quiet = ISC_TRUE;
break;
case 'r':
randomfile = isc_commandline_argument;
break;
case 's':
self_domain = isc_commandline_argument;
break;
case 'V':
verbose = ISC_TRUE;
break;
case 'z':
zone = isc_commandline_argument;
break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
usage(1);
} else
usage(0);
break;
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
argc -= isc_commandline_index;
argv += isc_commandline_index;
POST(argv);
if (self_domain != NULL && zone != NULL)
usage(1); /* -s and -z cannot coexist */
if (argc > 0)
usage(1);
DO("create memory context", isc_mem_create(0, 0, &mctx));
if (keyname == NULL) {
const char *suffix = NULL;
keyname = DEFAULT_KEYNAME;
if (self_domain != NULL)
suffix = self_domain;
else if (zone != NULL)
suffix = zone;
if (suffix != NULL) {
len = strlen(keyname) + strlen(suffix) + 2;
keybuf = isc_mem_get(mctx, len);
if (keybuf == NULL)
fatal("failed to allocate memory for keyname");
snprintf(keybuf, len, "%s.%s", keyname, suffix);
keyname = (const char *) keybuf;
}
}
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
if (!quiet)
printf("\
# To activate this key, place the following in named.conf, and\n\
# in a separate keyfile on the system or systems from which nsupdate\n\
# will be run:\n");
printf("\
key \"%s\" {\n\
algorithm %s;\n\
secret \"%.*s\";\n\
};\n",
keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer));
if (!quiet) {
if (self_domain != NULL) {
printf("\n\
# Then, in the \"zone\" statement for the zone containing the\n\
# name \"%s\", place an \"update-policy\" statement\n\
# like this one, adjusted as needed for your preferred permissions:\n\
update-policy {\n\
grant %s name %s ANY;\n\
};\n",
self_domain, keyname, self_domain);
} else if (zone != NULL) {
printf("\n\
# Then, in the \"zone\" definition statement for \"%s\",\n\
# place an \"update-policy\" statement like this one, adjusted as \n\
# needed for your preferred permissions:\n\
update-policy {\n\
grant %s zonesub ANY;\n\
};\n",
zone, keyname);
} else {
printf("\n\
# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
# update, place an \"update-policy\" statement granting update permission\n\
# to this key. For example, the following statement grants this key\n\
# permission to update any name within the zone:\n\
update-policy {\n\
grant %s zonesub ANY;\n\
};\n",
keyname);
}
printf("\n\
# After the keyfile has been placed, the following command will\n\
# execute nsupdate using this key:\n\
nsupdate -k <keyfile>\n");
}
if (keybuf != NULL)
isc_mem_put(mctx, keybuf, len);
if (show_final_mem)
isc_mem_stats(mctx, stderr);
isc_mem_destroy(&mctx);
return (0);
}

218
contrib/bind9/bin/confgen/ddns-confgen.docbook
View file

@ -1,218 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: ddns-confgen.docbook,v 1.6 2009/09/18 22:08:55 fdupont Exp $ -->
<refentry id="man.ddns-confgen">
<refentryinfo>
<date>Jan 29, 2009</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>ddns-confgen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>ddns-confgen</application></refname>
<refpurpose>ddns key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>ddns-confgen</command>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<group>
<arg choice="plain">-s <replaceable class="parameter">name</replaceable></arg>
<arg choice="plain">-z <replaceable class="parameter">zone</replaceable></arg>
</group>
<arg><option>-q</option></arg>
<arg choice="opt">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>ddns-confgen</command>
generates a key for use by <command>nsupdate</command>
and <command>named</command>. It simplifies configuration
of dynamic zones by generating a key and providing the
<command>nsupdate</command> and <command>named.conf</command>
syntax that will be needed to use it, including an example
<command>update-policy</command> statement.
</para>
<para>
If a domain name is specified on the command line, it will
be used in the name of the generated key and in the sample
<command>named.conf</command> syntax. For example,
<command>ddns-confgen example.com</command> would
generate a key called "ddns-key.example.com", and sample
<command>named.conf</command> command that could be used
in the zone definition for "example.com".
</para>
<para>
Note that <command>named</command> itself can configure a
local DDNS key for use with <command>nsupdate -l</command>.
<command>ddns-confgen</command> is only needed when a
more elaborate configuration is required: for instance, if
<command>nsupdate</command> is to be used from a remote system.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>ddns-confgen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">keyname</replaceable></term>
<listitem>
<para>
Specifies the key name of the DDNS authentication key.
The default is <constant>ddns-key</constant> when neither
the <option>-s</option> nor <option>-z</option> option is
specified; otherwise, the default
is <constant>ddns-key</constant> as a separate label
followed by the argument of the option, e.g.,
<constant>ddns-key.example.com.</constant>
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: Print only the key, with no explanatory text or
usage examples.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomfile</replaceable></term>
<listitem>
<para>
Specifies a source of random data for generating the
authorization. If the operating system does not provide a
<filename>/dev/random</filename> or equivalent device, the
default source of randomness is keyboard input.
<filename>randomdev</filename> specifies the name of a
character device or file containing random data to be used
instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard input
should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">name</replaceable></term>
<listitem>
<para>
Single host mode: The example <command>named.conf</command> text
shows how to set an update policy for the specified
<replaceable class="parameter">name</replaceable>
using the "name" nametype.
The default key name is
ddns-key.<replaceable class="parameter">name</replaceable>.
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
This option cannot be used with the <option>-z</option> option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z <replaceable class="parameter">zone</replaceable></term>
<listitem>
<para>
zone mode: The example <command>named.conf</command> text
shows how to set an update policy for the specified
<replaceable class="parameter">zone</replaceable>
using the "zonesub" nametype, allowing updates to all subdomain
names within
that <replaceable class="parameter">zone</replaceable>.
This option cannot be used with the <option>-s</option> option.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

141
contrib/bind9/bin/confgen/ddns-confgen.html
View file

@ -1,141 +0,0 @@
<!--
- Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>ddns-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.ddns-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">ddns-confgen</span> &#8212; ddns key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543396"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">ddns-confgen</strong></span>
generates a key for use by <span><strong class="command">nsupdate</strong></span>
and <span><strong class="command">named</strong></span>. It simplifies configuration
of dynamic zones by generating a key and providing the
<span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
syntax that will be needed to use it, including an example
<span><strong class="command">update-policy</strong></span> statement.
</p>
<p>
If a domain name is specified on the command line, it will
be used in the name of the generated key and in the sample
<span><strong class="command">named.conf</strong></span> syntax. For example,
<span><strong class="command">ddns-confgen example.com</strong></span> would
generate a key called "ddns-key.example.com", and sample
<span><strong class="command">named.conf</strong></span> command that could be used
in the zone definition for "example.com".
</p>
<p>
Note that <span><strong class="command">named</strong></span> itself can configure a
local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
<span><strong class="command">ddns-confgen</strong></span> is only needed when a
more elaborate configuration is required: for instance, if
<span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543456"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-sha256.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">ddns-confgen</strong></span>.
</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd><p>
Specifies the key name of the DDNS authentication key.
The default is <code class="constant">ddns-key</code> when neither
the <code class="option">-s</code> nor <code class="option">-z</code> option is
specified; otherwise, the default
is <code class="constant">ddns-key</code> as a separate label
followed by the argument of the option, e.g.,
<code class="constant">ddns-key.example.com.</code>
The key name must have the format of a valid domain name,
consisting of letters, digits, hyphens and periods.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode: Print only the key, with no explanatory text or
usage examples.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
<dd><p>
Specifies a source of random data for generating the
authorization. If the operating system does not provide a
<code class="filename">/dev/random</code> or equivalent device, the
default source of randomness is keyboard input.
<code class="filename">randomdev</code> specifies the name of a
character device or file containing random data to be used
instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard input
should be used.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
<dd><p>
Single host mode: The example <span><strong class="command">named.conf</strong></span> text
shows how to set an update policy for the specified
<em class="replaceable"><code>name</code></em>
using the "name" nametype.
The default key name is
ddns-key.<em class="replaceable"><code>name</code></em>.
Note that the "self" nametype cannot be used, since
the name to be updated may differ from the key name.
This option cannot be used with the <code class="option">-z</code> option.
</p></dd>
<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
<dd><p>
zone mode: The example <span><strong class="command">named.conf</strong></span> text
shows how to set an update policy for the specified
<em class="replaceable"><code>zone</code></em>
using the "zonesub" nametype, allowing updates to all subdomain
names within
that <em class="replaceable"><code>zone</code></em>.
This option cannot be used with the <code class="option">-s</code> option.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543643"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543682"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

39
contrib/bind9/bin/confgen/include/confgen/os.h
View file

@ -1,39 +0,0 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: os.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
/*! \file */
#ifndef RNDC_OS_H
#define RNDC_OS_H 1
#include <isc/lang.h>
#include <stdio.h>
ISC_LANG_BEGINDECLS
int set_user(FILE *fd, const char *user);
/*%<
* Set the owner of the file referenced by 'fd' to 'user'.
* Returns:
* 0 success
* -1 insufficient permissions, or 'user' does not exist.
*/
ISC_LANG_ENDDECLS
#endif

222
contrib/bind9/bin/confgen/keygen.c
View file

@ -1,222 +0,0 @@
/*
* Copyright (C) 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keygen.c,v 1.4 2009/11/12 14:02:38 marka Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <stdarg.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/keyboard.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/string.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dst/dst.h>
#include <confgen/os.h>
#include "util.h"
#include "keygen.h"
/*%
* Convert algorithm type to string.
*/
const char *
alg_totext(dns_secalg_t alg) {
switch (alg) {
case DST_ALG_HMACMD5:
return "hmac-md5";
case DST_ALG_HMACSHA1:
return "hmac-sha1";
case DST_ALG_HMACSHA224:
return "hmac-sha224";
case DST_ALG_HMACSHA256:
return "hmac-sha256";
case DST_ALG_HMACSHA384:
return "hmac-sha384";
case DST_ALG_HMACSHA512:
return "hmac-sha512";
default:
return "(unknown)";
}
}
/*%
* Convert string to algorithm type.
*/
dns_secalg_t
alg_fromtext(const char *name) {
if (strcmp(name, "hmac-md5") == 0)
return DST_ALG_HMACMD5;
if (strcmp(name, "hmac-sha1") == 0)
return DST_ALG_HMACSHA1;
if (strcmp(name, "hmac-sha224") == 0)
return DST_ALG_HMACSHA224;
if (strcmp(name, "hmac-sha256") == 0)
return DST_ALG_HMACSHA256;
if (strcmp(name, "hmac-sha384") == 0)
return DST_ALG_HMACSHA384;
if (strcmp(name, "hmac-sha512") == 0)
return DST_ALG_HMACSHA512;
return DST_ALG_UNKNOWN;
}
/*%
* Return default keysize for a given algorithm type.
*/
int
alg_bits(dns_secalg_t alg) {
switch (alg) {
case DST_ALG_HMACMD5:
return 128;
case DST_ALG_HMACSHA1:
return 160;
case DST_ALG_HMACSHA224:
return 224;
case DST_ALG_HMACSHA256:
return 256;
case DST_ALG_HMACSHA384:
return 384;
case DST_ALG_HMACSHA512:
return 512;
default:
return 0;
}
}
/*%
* Generate a key of size 'keysize' using entropy source 'randomfile',
* and place it in 'key_txtbuffer'
*/
void
generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
int keysize, isc_buffer_t *key_txtbuffer) {
isc_result_t result = ISC_R_SUCCESS;
isc_entropysource_t *entropy_source = NULL;
int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
int entropy_flags = 0;
isc_entropy_t *ectx = NULL;
isc_buffer_t key_rawbuffer;
isc_region_t key_rawregion;
char key_rawsecret[64];
dst_key_t *key = NULL;
switch (alg) {
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
if (keysize < 1 || keysize > 512)
fatal("keysize %d out of range (must be 1-512)\n",
keysize);
break;
case DST_ALG_HMACSHA384:
case DST_ALG_HMACSHA512:
if (keysize < 1 || keysize > 1024)
fatal("keysize %d out of range (must be 1-1024)\n",
keysize);
break;
default:
fatal("unsupported algorithm %d\n", alg);
}
DO("create entropy context", isc_entropy_create(mctx, &ectx));
if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
randomfile = NULL;
open_keyboard = ISC_ENTROPY_KEYBOARDYES;
}
DO("start entropy source", isc_entropy_usebestsource(ectx,
&entropy_source,
randomfile,
open_keyboard));
entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
DO("generate key", dst_key_generate(dns_rootname, alg,
keysize, 0, 0,
DNS_KEYPROTO_ANY,
dns_rdataclass_in, mctx, &key));
isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
key_txtbuffer));
/*
* Shut down the entropy source now so the "stop typing" message
* does not muck with the output.
*/
if (entropy_source != NULL)
isc_entropy_destroysource(&entropy_source);
if (key != NULL)
dst_key_free(&key);
isc_entropy_detach(&ectx);
dst_lib_destroy();
}
/*%
* Write a key file to 'keyfile'. If 'user' is non-NULL,
* make that user the owner of the file. The key will have
* the name 'keyname' and the secret in the buffer 'secret'.
*/
void
write_key_file(const char *keyfile, const char *user,
const char *keyname, isc_buffer_t *secret,
dns_secalg_t alg) {
isc_result_t result;
const char *algname = alg_totext(alg);
FILE *fd = NULL;
DO("create keyfile", isc_file_safecreate(keyfile, &fd));
if (user != NULL) {
if (set_user(fd, user) == -1)
fatal("unable to set file owner\n");
}
fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
"\tsecret \"%.*s\";\n};\n",
keyname, algname,
(int)isc_buffer_usedlength(secret),
(char *)isc_buffer_base(secret));
fflush(fd);
if (ferror(fd))
fatal("write to %s failed\n", keyfile);
if (fclose(fd))
fatal("fclose(%s) failed\n", keyfile);
fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
}

41
contrib/bind9/bin/confgen/keygen.h
View file

@ -1,41 +0,0 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: keygen.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
#ifndef RNDC_KEYGEN_H
#define RNDC_KEYGEN_H 1
/*! \file */
#include <isc/lang.h>
ISC_LANG_BEGINDECLS
void generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
int keysize, isc_buffer_t *key_txtbuffer);
void write_key_file(const char *keyfile, const char *user,
const char *keyname, isc_buffer_t *secret,
dns_secalg_t alg);
const char *alg_totext(dns_secalg_t alg);
dns_secalg_t alg_fromtext(const char *name);
int alg_bits(dns_secalg_t alg);
ISC_LANG_ENDDECLS
#endif /* RNDC_KEYGEN_H */

211
contrib/bind9/bin/confgen/rndc-confgen.8
View file

@ -1,211 +0,0 @@
.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2001, 2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: rndc\-confgen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: Aug 27, 2001
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
rndc\-confgen \- rndc key generation tool
.SH "SYNOPSIS"
.HP 13
\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
.SH "DESCRIPTION"
.PP
\fBrndc\-confgen\fR
generates configuration files for
\fBrndc\fR. It can be used as a convenient alternative to writing the
\fIrndc.conf\fR
file and the corresponding
\fBcontrols\fR
and
\fBkey\fR
statements in
\fInamed.conf\fR
by hand. Alternatively, it can be run with the
\fB\-a\fR
option to set up a
\fIrndc.key\fR
file and avoid the need for a
\fIrndc.conf\fR
file and a
\fBcontrols\fR
statement altogether.
.SH "OPTIONS"
.PP
\-a
.RS 4
Do automatic
\fBrndc\fR
configuration. This creates a file
\fIrndc.key\fR
in
\fI/etc\fR
(or whatever
\fIsysconfdir\fR
was specified as when
BIND
was built) that is read by both
\fBrndc\fR
and
\fBnamed\fR
on startup. The
\fIrndc.key\fR
file defines a default command channel and authentication key allowing
\fBrndc\fR
to communicate with
\fBnamed\fR
on the local host with no further configuration.
.sp
Running
\fBrndc\-confgen \-a\fR
allows BIND 9 and
\fBrndc\fR
to be used as drop\-in replacements for BIND 8 and
\fBndc\fR, with no changes to the existing BIND 8
\fInamed.conf\fR
file.
.sp
If a more elaborate configuration than that generated by
\fBrndc\-confgen \-a\fR
is required, for example if rndc is to be used remotely, you should run
\fBrndc\-confgen\fR
without the
\fB\-a\fR
option and set up a
\fIrndc.conf\fR
and
\fInamed.conf\fR
as directed.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
.RE
.PP
\-c \fIkeyfile\fR
.RS 4
Used with the
\fB\-a\fR
option to specify an alternate location for
\fIrndc.key\fR.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBrndc\-confgen\fR.
.RE
.PP
\-k \fIkeyname\fR
.RS 4
Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
\fBrndc\-key\fR.
.RE
.PP
\-p \fIport\fR
.RS 4
Specifies the command channel port where
\fBnamed\fR
listens for connections from
\fBrndc\fR. The default is 953.
.RE
.PP
\-r \fIrandomfile\fR
.RS 4
Specifies a source of random data for generating the authorization. If the operating system does not provide a
\fI/dev/random\fR
or equivalent device, the default source of randomness is keyboard input.
\fIrandomdev\fR
specifies the name of a character device or file containing random data to be used instead of the default. The special value
\fIkeyboard\fR
indicates that keyboard input should be used.
.RE
.PP
\-s \fIaddress\fR
.RS 4
Specifies the IP address where
\fBnamed\fR
listens for command channel connections from
\fBrndc\fR. The default is the loopback address 127.0.0.1.
.RE
.PP
\-t \fIchrootdir\fR
.RS 4
Used with the
\fB\-a\fR
option to specify a directory where
\fBnamed\fR
will run chrooted. An additional copy of the
\fIrndc.key\fR
will be written relative to this directory so that it will be found by the chrooted
\fBnamed\fR.
.RE
.PP
\-u \fIuser\fR
.RS 4
Used with the
\fB\-a\fR
option to set the owner of the
\fIrndc.key\fR
file generated. If
\fB\-t\fR
is also specified only the file in the chroot area has its owner changed.
.RE
.SH "EXAMPLES"
.PP
To allow
\fBrndc\fR
to be used with no manual configuration, run
.PP
\fBrndc\-confgen \-a\fR
.PP
To print a sample
\fIrndc.conf\fR
file and corresponding
\fBcontrols\fR
and
\fBkey\fR
statements to be manually inserted into
\fInamed.conf\fR, run
.PP
\fBrndc\-confgen\fR
.SH "SEE ALSO"
.PP
\fBrndc\fR(8),
\fBrndc.conf\fR(5),
\fBnamed\fR(8),
BIND 9 Administrator Reference Manual.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2001, 2003 Internet Software Consortium.
.br

269
contrib/bind9/bin/confgen/rndc-confgen.c
View file

@ -1,269 +0,0 @@
/*
* Copyright (C) 2004, 2005, 2007-2009, 2011, 2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rndc-confgen.c,v 1.7 2011/03/12 04:59:46 tbox Exp $ */
/*! \file */
/**
* rndc-confgen generates configuration files for rndc. It can be used
* as a convenient alternative to writing the rndc.conf file and the
* corresponding controls and key statements in named.conf by hand.
* Alternatively, it can be run with the -a option to set up a
* rndc.key file and avoid the need for a rndc.conf file and a
* controls statement altogether.
*/
#include <config.h>
#include <stdlib.h>
#include <stdarg.h>
#include <isc/assertions.h>
#include <isc/base64.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/keyboard.h>
#include <isc/mem.h>
#include <isc/net.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dns/name.h>
#include <dst/dst.h>
#include <confgen/os.h>
#include "util.h"
#include "keygen.h"
#define DEFAULT_KEYLENGTH 128 /*% Bits. */
#define DEFAULT_KEYNAME "rndc-key"
#define DEFAULT_SERVER "127.0.0.1"
#define DEFAULT_PORT 953
static char program[256];
const char *progname;
isc_boolean_t verbose = ISC_FALSE;
const char *keyfile, *keydef;
ISC_PLATFORM_NORETURN_PRE static void
usage(int status) ISC_PLATFORM_NORETURN_POST;
static void
usage(int status) {
fprintf(stderr, "\
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
-a: generate just the key clause and write it to keyfile (%s)\n\
-b bits: from 1 through 512, default %d; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
-r randomfile: source of random data (use \"keyboard\" for key timing)\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef, DEFAULT_KEYLENGTH);
exit (status);
}
int
main(int argc, char **argv) {
isc_boolean_t show_final_mem = ISC_FALSE;
isc_buffer_t key_txtbuffer;
char key_txtsecret[256];
isc_mem_t *mctx = NULL;
isc_result_t result = ISC_R_SUCCESS;
const char *keyname = NULL;
const char *randomfile = NULL;
const char *serveraddr = NULL;
dns_secalg_t alg = DST_ALG_HMACMD5;
const char *algname = alg_totext(alg);
char *p;
int ch;
int port;
int keysize;
struct in_addr addr4_dummy;
struct in6_addr addr6_dummy;
char *chrootdir = NULL;
char *user = NULL;
isc_boolean_t keyonly = ISC_FALSE;
int len;
keydef = keyfile = RNDC_KEYFILE;
result = isc_file_progname(*argv, program, sizeof(program));
if (result != ISC_R_SUCCESS)
memcpy(program, "rndc-confgen", 13);
progname = program;
keyname = DEFAULT_KEYNAME;
keysize = DEFAULT_KEYLENGTH;
serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT;
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
switch (ch) {
case 'a':
keyonly = ISC_TRUE;
break;
case 'b':
keysize = strtol(isc_commandline_argument, &p, 10);
if (*p != '\0' || keysize < 0)
fatal("-b requires a non-negative number");
break;
case 'c':
keyfile = isc_commandline_argument;
break;
case 'h':
usage(0);
case 'k':
case 'y': /* Compatible with rndc -y. */
keyname = isc_commandline_argument;
break;
case 'M':
isc_mem_debugging = ISC_MEM_DEBUGTRACE;
break;
case 'm':
show_final_mem = ISC_TRUE;
break;
case 'p':
port = strtol(isc_commandline_argument, &p, 10);
if (*p != '\0' || port < 0 || port > 65535)
fatal("port '%s' out of range",
isc_commandline_argument);
break;
case 'r':
randomfile = isc_commandline_argument;
break;
case 's':
serveraddr = isc_commandline_argument;
if (inet_pton(AF_INET, serveraddr, &addr4_dummy) != 1 &&
inet_pton(AF_INET6, serveraddr, &addr6_dummy) != 1)
fatal("-s should be an IPv4 or IPv6 address");
break;
case 't':
chrootdir = isc_commandline_argument;
break;
case 'u':
user = isc_commandline_argument;
break;
case 'V':
verbose = ISC_TRUE;
break;
case '?':
if (isc_commandline_option != '?') {
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
usage(1);
} else
usage(0);
break;
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
argc -= isc_commandline_index;
argv += isc_commandline_index;
POST(argv);
if (argc > 0)
usage(1);
DO("create memory context", isc_mem_create(0, 0, &mctx));
isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
if (keyonly) {
write_key_file(keyfile, chrootdir == NULL ? user : NULL,
keyname, &key_txtbuffer, alg);
if (chrootdir != NULL) {
char *buf;
len = strlen(chrootdir) + strlen(keyfile) + 2;
buf = isc_mem_get(mctx, len);
if (buf == NULL)
fatal("isc_mem_get(%d) failed\n", len);
snprintf(buf, len, "%s%s%s", chrootdir,
(*keyfile != '/') ? "/" : "", keyfile);
write_key_file(buf, user, keyname, &key_txtbuffer, alg);
isc_mem_put(mctx, buf, len);
}
} else {
printf("\
# Start of rndc.conf\n\
key \"%s\" {\n\
algorithm %s;\n\
secret \"%.*s\";\n\
};\n\
\n\
options {\n\
default-key \"%s\";\n\
default-server %s;\n\
default-port %d;\n\
};\n\
# End of rndc.conf\n\
\n\
# Use with the following in named.conf, adjusting the allow list as needed:\n\
# key \"%s\" {\n\
# algorithm %s;\n\
# secret \"%.*s\";\n\
# };\n\
# \n\
# controls {\n\
# inet %s port %d\n\
# allow { %s; } keys { \"%s\"; };\n\
# };\n\
# End of named.conf\n",
keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
keyname, serveraddr, port,
keyname, algname,
(int)isc_buffer_usedlength(&key_txtbuffer),
(char *)isc_buffer_base(&key_txtbuffer),
serveraddr, port, serveraddr, keyname);
}
if (show_final_mem)
isc_mem_stats(mctx, stderr);
isc_mem_destroy(&mctx);
return (0);
}

287
contrib/bind9/bin/confgen/rndc-confgen.docbook
View file

@ -1,287 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: rndc-confgen.docbook,v 1.4 2009/06/15 23:47:59 tbox Exp $ -->
<refentry id="man.rndc-confgen">
<refentryinfo>
<date>Aug 27, 2001</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>rndc-confgen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>rndc-confgen</application></refname>
<refpurpose>rndc key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2001</year>
<year>2003</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>rndc-confgen</command>
<arg><option>-a</option></arg>
<arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">address</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
<arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>rndc-confgen</command>
generates configuration files
for <command>rndc</command>. It can be used as a
convenient alternative to writing the
<filename>rndc.conf</filename> file
and the corresponding <command>controls</command>
and <command>key</command>
statements in <filename>named.conf</filename> by hand.
Alternatively, it can be run with the <command>-a</command>
option to set up a <filename>rndc.key</filename> file and
avoid the need for a <filename>rndc.conf</filename> file
and a <command>controls</command> statement altogether.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a</term>
<listitem>
<para>
Do automatic <command>rndc</command> configuration.
This creates a file <filename>rndc.key</filename>
in <filename>/etc</filename> (or whatever
<varname>sysconfdir</varname>
was specified as when <acronym>BIND</acronym> was
built)
that is read by both <command>rndc</command>
and <command>named</command> on startup. The
<filename>rndc.key</filename> file defines a default
command channel and authentication key allowing
<command>rndc</command> to communicate with
<command>named</command> on the local host
with no further configuration.
</para>
<para>
Running <command>rndc-confgen -a</command> allows
BIND 9 and <command>rndc</command> to be used as
drop-in
replacements for BIND 8 and <command>ndc</command>,
with no changes to the existing BIND 8
<filename>named.conf</filename> file.
</para>
<para>
If a more elaborate configuration than that
generated by <command>rndc-confgen -a</command>
is required, for example if rndc is to be used remotely,
you should run <command>rndc-confgen</command> without
the
<command>-a</command> option and set up a
<filename>rndc.conf</filename> and
<filename>named.conf</filename>
as directed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the size of the authentication key in bits.
Must be between 1 and 512 bits; the default is 128.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">keyfile</replaceable></term>
<listitem>
<para>
Used with the <command>-a</command> option to specify
an alternate location for <filename>rndc.key</filename>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>rndc-confgen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">keyname</replaceable></term>
<listitem>
<para>
Specifies the key name of the rndc authentication key.
This must be a valid domain name.
The default is <constant>rndc-key</constant>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">port</replaceable></term>
<listitem>
<para>
Specifies the command channel port where <command>named</command>
listens for connections from <command>rndc</command>.
The default is 953.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomfile</replaceable></term>
<listitem>
<para>
Specifies a source of random data for generating the
authorization. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">address</replaceable></term>
<listitem>
<para>
Specifies the IP address where <command>named</command>
listens for command channel connections from
<command>rndc</command>. The default is the loopback
address 127.0.0.1.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">chrootdir</replaceable></term>
<listitem>
<para>
Used with the <command>-a</command> option to specify
a directory where <command>named</command> will run
chrooted. An additional copy of the <filename>rndc.key</filename>
will be written relative to this directory so that
it will be found by the chrooted <command>named</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u <replaceable class="parameter">user</replaceable></term>
<listitem>
<para>
Used with the <command>-a</command> option to set the
owner
of the <filename>rndc.key</filename> file generated.
If
<command>-t</command> is also specified only the file
in
the chroot area has its owner changed.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLES</title>
<para>
To allow <command>rndc</command> to be used with
no manual configuration, run
</para>
<para><userinput>rndc-confgen -a</userinput>
</para>
<para>
To print a sample <filename>rndc.conf</filename> file and
corresponding <command>controls</command> and <command>key</command>
statements to be manually inserted into <filename>named.conf</filename>,
run
</para>
<para><userinput>rndc-confgen</userinput>
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

188
contrib/bind9/bin/confgen/rndc-confgen.html
View file

@ -1,188 +0,0 @@
<!--
- Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2001, 2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>rndc-confgen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.rndc-confgen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543433"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">rndc-confgen</strong></span>
generates configuration files
for <span><strong class="command">rndc</strong></span>. It can be used as a
convenient alternative to writing the
<code class="filename">rndc.conf</code> file
and the corresponding <span><strong class="command">controls</strong></span>
and <span><strong class="command">key</strong></span>
statements in <code class="filename">named.conf</code> by hand.
Alternatively, it can be run with the <span><strong class="command">-a</strong></span>
option to set up a <code class="filename">rndc.key</code> file and
avoid the need for a <code class="filename">rndc.conf</code> file
and a <span><strong class="command">controls</strong></span> statement altogether.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543478"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd>
<p>
Do automatic <span><strong class="command">rndc</strong></span> configuration.
This creates a file <code class="filename">rndc.key</code>
in <code class="filename">/etc</code> (or whatever
<code class="varname">sysconfdir</code>
was specified as when <acronym class="acronym">BIND</acronym> was
built)
that is read by both <span><strong class="command">rndc</strong></span>
and <span><strong class="command">named</strong></span> on startup. The
<code class="filename">rndc.key</code> file defines a default
command channel and authentication key allowing
<span><strong class="command">rndc</strong></span> to communicate with
<span><strong class="command">named</strong></span> on the local host
with no further configuration.
</p>
<p>
Running <span><strong class="command">rndc-confgen -a</strong></span> allows
BIND 9 and <span><strong class="command">rndc</strong></span> to be used as
drop-in
replacements for BIND 8 and <span><strong class="command">ndc</strong></span>,
with no changes to the existing BIND 8
<code class="filename">named.conf</code> file.
</p>
<p>
If a more elaborate configuration than that
generated by <span><strong class="command">rndc-confgen -a</strong></span>
is required, for example if rndc is to be used remotely,
you should run <span><strong class="command">rndc-confgen</strong></span> without
the
<span><strong class="command">-a</strong></span> option and set up a
<code class="filename">rndc.conf</code> and
<code class="filename">named.conf</code>
as directed.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
Specifies the size of the authentication key in bits.
Must be between 1 and 512 bits; the default is 128.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
<dd><p>
Used with the <span><strong class="command">-a</strong></span> option to specify
an alternate location for <code class="filename">rndc.key</code>.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">rndc-confgen</strong></span>.
</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
<dd><p>
Specifies the key name of the rndc authentication key.
This must be a valid domain name.
The default is <code class="constant">rndc-key</code>.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
<dd><p>
Specifies the command channel port where <span><strong class="command">named</strong></span>
listens for connections from <span><strong class="command">rndc</strong></span>.
The default is 953.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
<dd><p>
Specifies a source of random data for generating the
authorization. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
<dd><p>
Specifies the IP address where <span><strong class="command">named</strong></span>
listens for command channel connections from
<span><strong class="command">rndc</strong></span>. The default is the loopback
address 127.0.0.1.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
<dd><p>
Used with the <span><strong class="command">-a</strong></span> option to specify
a directory where <span><strong class="command">named</strong></span> will run
chrooted. An additional copy of the <code class="filename">rndc.key</code>
will be written relative to this directory so that
it will be found by the chrooted <span><strong class="command">named</strong></span>.
</p></dd>
<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
<dd><p>
Used with the <span><strong class="command">-a</strong></span> option to set the
owner
of the <code class="filename">rndc.key</code> file generated.
If
<span><strong class="command">-t</strong></span> is also specified only the file
in
the chroot area has its owner changed.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543792"></a><h2>EXAMPLES</h2>
<p>
To allow <span><strong class="command">rndc</strong></span> to be used with
no manual configuration, run
</p>
<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
</p>
<p>
To print a sample <code class="filename">rndc.conf</code> file and
corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span>
statements to be manually inserted into <code class="filename">named.conf</code>,
run
</p>
<p><strong class="userinput"><code>rndc-confgen</code></strong>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543833"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543872"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

35
contrib/bind9/bin/confgen/unix/Makefile.in
View file

@ -1,35 +0,0 @@
# Copyright (C) 2009, 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.3 2009/06/11 23:47:55 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
${DNS_INCLUDES} ${ISC_INCLUDES}
CDEFINES =
CWARNINGS =
OBJS = os.@O@
SRCS = os.c
TARGETS = ${OBJS}
@BIND9_MAKE_RULES@

43
contrib/bind9/bin/confgen/unix/os.c
View file

@ -1,43 +0,0 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: os.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
/*! \file */
#include <config.h>
#include <confgen/os.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
int
set_user(FILE *fd, const char *user) {
struct passwd *pw;
pw = getpwnam(user);
if (pw == NULL) {
errno = EINVAL;
return (-1);
}
return (fchown(fileno(fd), pw->pw_uid, -1));
}

56
contrib/bind9/bin/confgen/util.c
View file

@ -1,56 +0,0 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: util.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
/*! \file */
#include <config.h>
#include <stdarg.h>
#include <stdlib.h>
#include <stdio.h>
#include <isc/boolean.h>
#include "util.h"
extern isc_boolean_t verbose;
extern const char *progname;
void
notify(const char *fmt, ...) {
va_list ap;
if (verbose) {
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
fputs("\n", stderr);
}
}
void
fatal(const char *format, ...) {
va_list args;
fprintf(stderr, "%s: ", progname);
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
fprintf(stderr, "\n");
exit(1);
}

52
contrib/bind9/bin/confgen/util.h
View file

@ -1,52 +0,0 @@
/*
* Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: util.h,v 1.4 2009/09/29 15:06:05 fdupont Exp $ */
#ifndef RNDC_UTIL_H
#define RNDC_UTIL_H 1
/*! \file */
#include <isc/lang.h>
#include <isc/platform.h>
#include <isc/formatcheck.h>
#define NS_CONTROL_PORT 953
#undef DO
#define DO(name, function) \
do { \
result = function; \
if (result != ISC_R_SUCCESS) \
fatal("%s: %s", name, isc_result_totext(result)); \
else \
notify("%s", name); \
} while (0)
ISC_LANG_BEGINDECLS
void
notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
ISC_PLATFORM_NORETURN_PRE void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
ISC_LANG_ENDDECLS
#endif /* RNDC_UTIL_H */

107
contrib/bind9/bin/dig/Makefile.in
View file

@ -1,107 +0,0 @@
# Copyright (C) 2004, 2005, 2007, 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.47 2009/12/05 23:31:40 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
READLINE_LIB = @READLINE_LIB@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS =
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
${LWRESDEPLIBS}
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
${ISCLIBS} @IDNLIBS@ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
SUBDIRS =
TARGETS = dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@
OBJS = dig.@O@ dighost.@O@ host.@O@ nslookup.@O@
UOBJS =
SRCS = dig.c dighost.c host.c nslookup.c
MANPAGES = dig.1 host.1 nslookup.1
HTMLPAGES = dig.html host.html nslookup.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
${FINALBUILDCMD}
nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="nslookup.@O@ dighost.@O@ ${READLINE_LIB} ${UOBJS}"; \
${FINALBUILDCMD}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
clean distclean maintainer-clean::
rm -f ${TARGETS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
dig@EXEEXT@ ${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
host@EXEEXT@ ${DESTDIR}${bindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
nslookup@EXEEXT@ ${DESTDIR}${bindir}
for m in ${MANPAGES}; do \
${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
done

603
contrib/bind9/bin/dig/dig.1
View file

@ -1,603 +0,0 @@
.\" Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: dig
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: Jun 30, 2000
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DIG" "1" "Jun 30, 2000" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
dig \- DNS lookup utility
.SH "SYNOPSIS"
.HP 4
\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
.HP 4
\fBdig\fR [\fB\-h\fR]
.HP 4
\fBdig\fR [global\-queryopt...] [query...]
.SH "DESCRIPTION"
.PP
\fBdig\fR
(domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use
\fBdig\fR
to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than
\fBdig\fR.
.PP
Although
\fBdig\fR
is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command\-line arguments and options is printed when the
\fB\-h\fR
option is given. Unlike earlier versions, the BIND 9 implementation of
\fBdig\fR
allows multiple lookups to be issued from the command line.
.PP
Unless it is told to query a specific name server,
\fBdig\fR
will try each of the servers listed in
\fI/etc/resolv.conf\fR. If no usable server addreses are found,
\fBdig\fR
will send the query to the local host.
.PP
When no command line arguments or options are given,
\fBdig\fR
will perform an NS query for "." (the root).
.PP
It is possible to set per\-user defaults for
\fBdig\fR
via
\fI${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments.
.PP
The IN and CH class names overlap with the IN and CH top level domains names. Either use the
\fB\-t\fR
and
\fB\-c\fR
options to specify the type and class, use the
\fB\-q\fR
the specify the domain name, or use "IN." and "CH." when looking up these top level domains.
.SH "SIMPLE USAGE"
.PP
A typical invocation of
\fBdig\fR
looks like:
.sp
.RS 4
.nf
dig @server name type
.fi
.RE
.sp
where:
.PP
\fBserver\fR
.RS 4
is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
\fIserver\fR
argument is a hostname,
\fBdig\fR
resolves that name before querying that name server.
.sp
If no
\fIserver\fR
argument is provided,
\fBdig\fR
consults
\fI/etc/resolv.conf\fR; if an address is found there, it queries the name server at that address. If either of the
\fB\-4\fR
or
\fB\-6\fR
options are in use, then only addresses for the corresponding transport will be tried. If no usable addresses are found,
\fBdig\fR
will send the query to the local host. The reply from the name server that responds is displayed.
.RE
.PP
\fBname\fR
.RS 4
is the name of the resource record that is to be looked up.
.RE
.PP
\fBtype\fR
.RS 4
indicates what type of query is required \(em ANY, A, MX, SIG, etc.
\fItype\fR
can be any valid query type. If no
\fItype\fR
argument is supplied,
\fBdig\fR
will perform a lookup for an A record.
.RE
.SH "OPTIONS"
.PP
The
\fB\-b\fR
option sets the source IP address of the query to
\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"
.PP
The default query class (IN for internet) is overridden by the
\fB\-c\fR
option.
\fIclass\fR
is any valid class, such as HS for Hesiod records or CH for Chaosnet records.
.PP
The
\fB\-f\fR
option makes
\fBdig \fR
operate in batch mode by reading a list of lookup requests to process from the file
\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to
\fBdig\fR
using the command\-line interface.
.PP
The
\fB\-m\fR
option enables memory usage debugging.
.PP
If a non\-standard port number is to be queried, the
\fB\-p\fR
option is used.
\fIport#\fR
is the port number that
\fBdig\fR
will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
.PP
The
\fB\-4\fR
option forces
\fBdig\fR
to only use IPv4 query transport. The
\fB\-6\fR
option forces
\fBdig\fR
to only use IPv6 query transport.
.PP
The
\fB\-t\fR
option sets the query type to
\fItype\fR. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required,
\fItype\fR
is set to
ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was
\fIN\fR.
.PP
The
\fB\-q\fR
option sets the query name to
\fIname\fR. This useful do distinguish the
\fIname\fR
from other arguments.
.PP
Reverse lookups \(em mapping addresses to names \(em are simplified by the
\fB\-x\fR
option.
\fIaddr\fR
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When this option is used, there is no need to provide the
\fIname\fR,
\fIclass\fR
and
\fItype\fR
arguments.
\fBdig\fR
automatically performs a lookup for a name like
11.12.13.10.in\-addr.arpa
and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the
\fB\-i\fR
option. Bit string labels (RFC2874) are now experimental and are not attempted.
.PP
To sign the DNS queries sent by
\fBdig\fR
and their responses using transaction signatures (TSIG), specify a TSIG key file using the
\fB\-k\fR
option. You can also specify the TSIG key itself on the command line using the
\fB\-y\fR
option;
\fIhmac\fR
is the type of the TSIG, default HMAC\-MD5,
\fIname\fR
is the name of the TSIG key and
\fIkey\fR
is the actual key. The key is a base\-64 encoded string, typically generated by
\fBdnssec\-keygen\fR(8). Caution should be taken when using the
\fB\-y\fR
option on multi\-user systems as the key can be visible in the output from
\fBps\fR(1)
or in the shell's history file. When using TSIG authentication with
\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
\fBkey\fR
and
\fBserver\fR
statements in
\fInamed.conf\fR.
.SH "QUERY OPTIONS"
.PP
\fBdig\fR
provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.
.PP
Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
no
to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
\fB+keyword=value\fR. The query options are:
.PP
\fB+[no]tcp\fR
.RS 4
Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
.RE
.PP
\fB+[no]vc\fR
.RS 4
Use [do not use] TCP when querying name servers. This alternate syntax to
\fI+[no]tcp\fR
is provided for backwards compatibility. The "vc" stands for "virtual circuit".
.RE
.PP
\fB+[no]ignore\fR
.RS 4
Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
.RE
.PP
\fB+domain=somename\fR
.RS 4
Set the search list to contain the single domain
\fIsomename\fR, as if specified in a
\fBdomain\fR
directive in
\fI/etc/resolv.conf\fR, and enable search list processing as if the
\fI+search\fR
option were given.
.RE
.PP
\fB+[no]search\fR
.RS 4
Use [do not use] the search list defined by the searchlist or domain directive in
\fIresolv.conf\fR
(if any). The search list is not used by default.
.RE
.PP
\fB+[no]showsearch\fR
.RS 4
Perform [do not perform] a search showing intermediate results.
.RE
.PP
\fB+[no]defname\fR
.RS 4
Deprecated, treated as a synonym for
\fI+[no]search\fR
.RE
.PP
\fB+[no]aaonly\fR
.RS 4
Sets the "aa" flag in the query.
.RE
.PP
\fB+[no]aaflag\fR
.RS 4
A synonym for
\fI+[no]aaonly\fR.
.RE
.PP
\fB+[no]adflag\fR
.RS 4
Set [do not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT\-OUT range. AD=0 indicate that some part of the answer was insecure or not validated. This bit is set by default.
.RE
.PP
\fB+[no]cdflag\fR
.RS 4
Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
.RE
.PP
\fB+[no]cl\fR
.RS 4
Display [do not display] the CLASS when printing the record.
.RE
.PP
\fB+[no]ttlid\fR
.RS 4
Display [do not display] the TTL when printing the record.
.RE
.PP
\fB+[no]recurse\fR
.RS 4
Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
\fBdig\fR
normally sends recursive queries. Recursion is automatically disabled when the
\fI+nssearch\fR
or
\fI+trace\fR
query options are used.
.RE
.PP
\fB+[no]nssearch\fR
.RS 4
When this option is set,
\fBdig\fR
attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
.RE
.PP
\fB+[no]trace\fR
.RS 4
Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
\fBdig\fR
makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
.sp
\fB+dnssec\fR
is also set when +trace is set to better emulate the default queries from a nameserver.
.RE
.PP
\fB+[no]cmd\fR
.RS 4
Toggles the printing of the initial comment in the output identifying the version of
\fBdig\fR
and the query options that have been applied. This comment is printed by default.
.RE
.PP
\fB+[no]short\fR
.RS 4
Provide a terse answer. The default is to print the answer in a verbose form.
.RE
.PP
\fB+[no]identify\fR
.RS 4
Show [or do not show] the IP address and port number that supplied the answer when the
\fI+short\fR
option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
.RE
.PP
\fB+[no]comments\fR
.RS 4
Toggle the display of comment lines in the output. The default is to print comments.
.RE
.PP
\fB+[no]rrcomments\fR
.RS 4
Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records). The default is not to print record comments unless multiline mode is active.
.RE
.PP
\fB+split=W\fR
.RS 4
Split long hex\- or base64\-formatted fields in resource records into chunks of
\fIW\fR
characters (where
\fIW\fR
is rounded up to the nearest multiple of 4).
\fI+nosplit\fR
or
\fI+split=0\fR
causes fields not to be split at all. The default is 56 characters, or 44 characters when multiline mode is active.
.RE
.PP
\fB+[no]stats\fR
.RS 4
This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behavior is to print the query statistics.
.RE
.PP
\fB+[no]qr\fR
.RS 4
Print [do not print] the query as it is sent. By default, the query is not printed.
.RE
.PP
\fB+[no]question\fR
.RS 4
Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
.RE
.PP
\fB+[no]answer\fR
.RS 4
Display [do not display] the answer section of a reply. The default is to display it.
.RE
.PP
\fB+[no]authority\fR
.RS 4
Display [do not display] the authority section of a reply. The default is to display it.
.RE
.PP
\fB+[no]additional\fR
.RS 4
Display [do not display] the additional section of a reply. The default is to display it.
.RE
.PP
\fB+[no]all\fR
.RS 4
Set or clear all display flags.
.RE
.PP
\fB+time=T\fR
.RS 4
Sets the timeout for a query to
\fIT\fR
seconds. The default timeout is 5 seconds. An attempt to set
\fIT\fR
to less than 1 will result in a query timeout of 1 second being applied.
.RE
.PP
\fB+tries=T\fR
.RS 4
Sets the number of times to try UDP queries to server to
\fIT\fR
instead of the default, 3. If
\fIT\fR
is less than or equal to zero, the number of tries is silently rounded up to 1.
.RE
.PP
\fB+retry=T\fR
.RS 4
Sets the number of times to retry UDP queries to server to
\fIT\fR
instead of the default, 2. Unlike
\fI+tries\fR, this does not include the initial query.
.RE
.PP
\fB+ndots=D\fR
.RS 4
Set the number of dots that have to appear in
\fIname\fR
to
\fID\fR
for it to be considered absolute. The default value is that defined using the ndots statement in
\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
\fBsearch\fR
or
\fBdomain\fR
directive in
\fI/etc/resolv.conf\fR.
.RE
.PP
\fB+bufsize=B\fR
.RS 4
Set the UDP message buffer size advertised using EDNS0 to
\fIB\fR
bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent.
.RE
.PP
\fB+edns=#\fR
.RS 4
Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent.
\fB+noedns\fR
clears the remembered EDNS version. EDNS is set to 0 by default.
.RE
.PP
\fB+[no]multiline\fR
.RS 4
Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdig\fR
output.
.RE
.PP
\fB+[no]onesoa\fR
.RS 4
Print only one (starting) SOA record when performing an AXFR. The default is to print both the starting and ending SOA records.
.RE
.PP
\fB+[no]fail\fR
.RS 4
Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
.RE
.PP
\fB+[no]besteffort\fR
.RS 4
Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
.RE
.PP
\fB+[no]dnssec\fR
.RS 4
Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
.RE
.PP
\fB+[no]sigchase\fR
.RS 4
Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
.RE
.PP
\fB+trusted\-key=####\fR
.RS 4
Specifies a file containing trusted keys to be used with
\fB+sigchase\fR. Each DNSKEY record must be on its own line.
.sp
If not specified,
\fBdig\fR
will look for
\fI/etc/trusted\-key.key\fR
then
\fItrusted\-key.key\fR
in the current directory.
.sp
Requires dig be compiled with \-DDIG_SIGCHASE.
.RE
.PP
\fB+[no]topdown\fR
.RS 4
When chasing DNSSEC signature chains perform a top\-down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
.RE
.PP
\fB+[no]nsid\fR
.RS 4
Include an EDNS name server ID request when sending a query.
.RE
.SH "MULTIPLE QUERIES"
.PP
The BIND 9 implementation of
\fBdig \fR
supports specifying multiple queries on the command line (in addition to supporting the
\fB\-f\fR
batch file option). Each of those queries can be supplied with its own set of flags, options and query options.
.PP
In this case, each
\fIquery\fR
argument represent an individual query in the command\-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query.
.PP
A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except the
\fB+[no]cmd\fR
option) can be overridden by a query\-specific set of query options. For example:
.sp
.RS 4
.nf
dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
.fi
.RE
.sp
shows how
\fBdig\fR
could be used from the command line to make three lookups: an ANY query for
www.isc.org, a reverse lookup of 127.0.0.1 and a query for the NS records of
isc.org. A global query option of
\fI+qr\fR
is applied, so that
\fBdig\fR
shows the initial query it made for each lookup. The final query has a local query option of
\fI+noqr\fR
which means that
\fBdig\fR
will not print the initial query when it looks up the NS records for
isc.org.
.SH "IDN SUPPORT"
.PP
If
\fBdig\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
\fBdig\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
\fBIDN_DISABLE\fR
environment variable. The IDN support is disabled if the variable is set when
\fBdig\fR
runs.
.SH "FILES"
.PP
\fI/etc/resolv.conf\fR
.PP
\fI${HOME}/.digrc\fR
.SH "SEE ALSO"
.PP
\fBhost\fR(1),
\fBnamed\fR(8),
\fBdnssec\-keygen\fR(8),
RFC1035.
.SH "BUGS"
.PP
There are probably too many query options.
.SH "COPYRIGHT"
Copyright \(co 2004\-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br

1868
contrib/bind9/bin/dig/dig.c
View file

File diff suppressed because it is too large Load diff

1003
contrib/bind9/bin/dig/dig.docbook
View file

File diff suppressed because it is too large Load diff

673
contrib/bind9/bin/dig/dig.html
View file

@ -1,673 +0,0 @@
<!--
- Copyright (C) 2004-2011, 2013 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dig</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dig"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>dig &#8212; DNS lookup utility</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dig</code> [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div>
<div class="cmdsynopsis"><p><code class="command">dig</code> [<code class="option">-h</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543530"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dig</strong></span>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
displays the answers that are returned from the name server(s) that
were queried. Most DNS administrators use <span><strong class="command">dig</strong></span> to
troubleshoot DNS problems because of its flexibility, ease of use and
clarity of output. Other lookup tools tend to have less functionality
than <span><strong class="command">dig</strong></span>.
</p>
<p>
Although <span><strong class="command">dig</strong></span> is normally used with
command-line
arguments, it also has a batch mode of operation for reading lookup
requests from a file. A brief summary of its command-line arguments
and options is printed when the <code class="option">-h</code> option is given.
Unlike earlier versions, the BIND 9 implementation of
<span><strong class="command">dig</strong></span> allows multiple lookups to be issued
from the
command line.
</p>
<p>
Unless it is told to query a specific name server,
<span><strong class="command">dig</strong></span> will try each of the servers listed in
<code class="filename">/etc/resolv.conf</code>. If no usable server addreses
are found, <span><strong class="command">dig</strong></span> will send the query to the local
host.
</p>
<p>
When no command line arguments or options are given,
<span><strong class="command">dig</strong></span> will perform an NS query for "." (the root).
</p>
<p>
It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via
<code class="filename">${HOME}/.digrc</code>. This file is read and
any options in it
are applied before the command line arguments.
</p>
<p>
The IN and CH class names overlap with the IN and CH top level
domains names. Either use the <code class="option">-t</code> and
<code class="option">-c</code> options to specify the type and class,
use the <code class="option">-q</code> the specify the domain name, or
use "IN." and "CH." when looking up these top level domains.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543609"></a><h2>SIMPLE USAGE</h2>
<p>
A typical invocation of <span><strong class="command">dig</strong></span> looks like:
</p>
<pre class="programlisting"> dig @server name type </pre>
<p>
where:
</p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd>
<p>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<em class="parameter"><code>server</code></em> argument is a hostname,
<span><strong class="command">dig</strong></span> resolves that name before querying
that name server.
</p>
<p>
If no <em class="parameter"><code>server</code></em> argument is
provided, <span><strong class="command">dig</strong></span> consults
<code class="filename">/etc/resolv.conf</code>; if an
address is found there, it queries the name server at
that address. If either of the <code class="option">-4</code> or
<code class="option">-6</code> options are in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<span><strong class="command">dig</strong></span> will send the query to the
local host. The reply from the name server that
responds is displayed.
</p>
</dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd><p>
is the name of the resource record that is to be looked up.
</p></dd>
<dt><span class="term"><code class="constant">type</code></span></dt>
<dd><p>
indicates what type of query is required &#8212;
ANY, A, MX, SIG, etc.
<em class="parameter"><code>type</code></em> can be any valid query
type. If no
<em class="parameter"><code>type</code></em> argument is supplied,
<span><strong class="command">dig</strong></span> will perform a lookup for an
A record.
</p></dd>
</dl></div>
<p>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543713"></a><h2>OPTIONS</h2>
<p>
The <code class="option">-b</code> option sets the source IP address of the query
to <em class="parameter"><code>address</code></em>. This must be a valid
address on
one of the host's network interfaces or "0.0.0.0" or "::". An optional
port
may be specified by appending "#&lt;port&gt;"
</p>
<p>
The default query class (IN for internet) is overridden by the
<code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is
any valid
class, such as HS for Hesiod records or CH for Chaosnet records.
</p>
<p>
The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span>
operate
in batch mode by reading a list of lookup requests to process from the
file <em class="parameter"><code>filename</code></em>. The file contains a
number of
queries, one per line. Each entry in the file should be organized in
the same way they would be presented as queries to
<span><strong class="command">dig</strong></span> using the command-line interface.
</p>
<p>
The <code class="option">-m</code> option enables memory usage debugging.
</p>
<p>
If a non-standard port number is to be queried, the
<code class="option">-p</code> option is used. <em class="parameter"><code>port#</code></em> is
the port number that <span><strong class="command">dig</strong></span> will send its
queries
instead of the standard DNS port number 53. This option would be used
to test a name server that has been configured to listen for queries
on a non-standard port number.
</p>
<p>
The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span>
to only
use IPv4 query transport. The <code class="option">-6</code> option forces
<span><strong class="command">dig</strong></span> to only use IPv6 query transport.
</p>
<p>
The <code class="option">-t</code> option sets the query type to
<em class="parameter"><code>type</code></em>. It can be any valid query type
which is
supported in BIND 9. The default query type is "A", unless the
<code class="option">-x</code> option is supplied to indicate a reverse lookup.
A zone transfer can be requested by specifying a type of AXFR. When
an incremental zone transfer (IXFR) is required,
<em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
The incremental zone transfer will contain the changes made to the zone
since the serial number in the zone's SOA record was
<em class="parameter"><code>N</code></em>.
</p>
<p>
The <code class="option">-q</code> option sets the query name to
<em class="parameter"><code>name</code></em>. This useful do distinguish the
<em class="parameter"><code>name</code></em> from other arguments.
</p>
<p>
Reverse lookups &#8212; mapping addresses to names &#8212; are simplified by the
<code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is
an IPv4
address in dotted-decimal notation, or a colon-delimited IPv6 address.
When this option is used, there is no need to provide the
<em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
<em class="parameter"><code>type</code></em> arguments. <span><strong class="command">dig</strong></span>
automatically performs a lookup for a name like
<code class="literal">11.12.13.10.in-addr.arpa</code> and sets the
query type and
class to PTR and IN respectively. By default, IPv6 addresses are
looked up using nibble format under the IP6.ARPA domain.
To use the older RFC1886 method using the IP6.INT domain
specify the <code class="option">-i</code> option. Bit string labels (RFC2874)
are now experimental and are not attempted.
</p>
<p>
To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and
their
responses using transaction signatures (TSIG), specify a TSIG key file
using the <code class="option">-k</code> option. You can also specify the TSIG
key itself on the command line using the <code class="option">-y</code> option;
<em class="parameter"><code>hmac</code></em> is the type of the TSIG, default HMAC-MD5,
<em class="parameter"><code>name</code></em> is the name of the TSIG key and
<em class="parameter"><code>key</code></em> is the actual key. The key is a
base-64
encoded string, typically generated by
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
Caution should be taken when using the <code class="option">-y</code> option on
multi-user systems as the key can be visible in the output from
<span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
or in the shell's history file. When
using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
server that is queried needs to know the key and algorithm that is
being used. In BIND, this is done by providing appropriate
<span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
<code class="filename">named.conf</code>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544061"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">dig</strong></span>
provides a number of query options which affect
the way in which lookups are made and the results displayed. Some of
these set or reset flag bits in the query header, some determine which
sections of the answer get printed, and others determine the timeout
and retry strategies.
</p>
<p>
Each query option is identified by a keyword preceded by a plus sign
(<code class="literal">+</code>). Some keywords set or reset an
option. These may be preceded
by the string <code class="literal">no</code> to negate the meaning of
that keyword. Other
keywords assign values to options like the timeout interval. They
have the form <code class="option">+keyword=value</code>.
The query options are:
</p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd><p>
Use [do not use] TCP when querying name servers. The default
behavior is to use UDP unless an AXFR or IXFR query is
requested, in
which case a TCP connection is used.
</p></dd>
<dt><span class="term"><code class="option">+[no]vc</code></span></dt>
<dd><p>
Use [do not use] TCP when querying name servers. This alternate
syntax to <em class="parameter"><code>+[no]tcp</code></em> is
provided for backwards
compatibility. The "vc" stands for "virtual circuit".
</p></dd>
<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
<dd><p>
Ignore truncation in UDP responses instead of retrying with TCP.
By
default, TCP retries are performed.
</p></dd>
<dt><span class="term"><code class="option">+domain=somename</code></span></dt>
<dd><p>
Set the search list to contain the single domain
<em class="parameter"><code>somename</code></em>, as if specified in
a
<span><strong class="command">domain</strong></span> directive in
<code class="filename">/etc/resolv.conf</code>, and enable
search list
processing as if the <em class="parameter"><code>+search</code></em>
option were given.
</p></dd>
<dt><span class="term"><code class="option">+[no]search</code></span></dt>
<dd><p>
Use [do not use] the search list defined by the searchlist or
domain
directive in <code class="filename">resolv.conf</code> (if
any).
The search list is not used by default.
</p></dd>
<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
<dd><p>
Perform [do not perform] a search showing intermediate
results.
</p></dd>
<dt><span class="term"><code class="option">+[no]defname</code></span></dt>
<dd><p>
Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em>
</p></dd>
<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
<dd><p>
Sets the "aa" flag in the query.
</p></dd>
<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
<dd><p>
A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
</p></dd>
<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
<dd><p>
Set [do not set] the AD (authentic data) bit in the
query. This requests the server to return whether
all of the answer and authority sections have all
been validated as secure according to the security
policy of the server. AD=1 indicates that all records
have been validated as secure and the answer is not
from a OPT-OUT range. AD=0 indicate that some part
of the answer was insecure or not validated. This
bit is set by default.
</p></dd>
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd><p>
Set [do not set] the CD (checking disabled) bit in the query.
This
requests the server to not perform DNSSEC validation of
responses.
</p></dd>
<dt><span class="term"><code class="option">+[no]cl</code></span></dt>
<dd><p>
Display [do not display] the CLASS when printing the record.
</p></dd>
<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
<dd><p>
Display [do not display] the TTL when printing the record.
</p></dd>
<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
<dd><p>
Toggle the setting of the RD (recursion desired) bit
in the query. This bit is set by default, which means
<span><strong class="command">dig</strong></span> normally sends recursive
queries. Recursion is automatically disabled when
the <em class="parameter"><code>+nssearch</code></em> or
<em class="parameter"><code>+trace</code></em> query options are used.
</p></dd>
<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
<dd><p>
When this option is set, <span><strong class="command">dig</strong></span>
attempts to find the
authoritative name servers for the zone containing the name
being
looked up and display the SOA record that each name server has
for the
zone.
</p></dd>
<dt><span class="term"><code class="option">+[no]trace</code></span></dt>
<dd>
<p>
Toggle tracing of the delegation path from the root
name servers for the name being looked up. Tracing
is disabled by default. When tracing is enabled,
<span><strong class="command">dig</strong></span> makes iterative queries to
resolve the name being looked up. It will follow
referrals from the root servers, showing the answer
from each server that was used to resolve the lookup.
</p>
<p>
<span><strong class="command">+dnssec</strong></span> is also set when +trace is
set to better emulate the default queries from a nameserver.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
<dd><p>
Toggles the printing of the initial comment in the output
identifying
the version of <span><strong class="command">dig</strong></span> and the query
options that have
been applied. This comment is printed by default.
</p></dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd><p>
Provide a terse answer. The default is to print the answer in a
verbose form.
</p></dd>
<dt><span class="term"><code class="option">+[no]identify</code></span></dt>
<dd><p>
Show [or do not show] the IP address and port number that
supplied the
answer when the <em class="parameter"><code>+short</code></em> option
is enabled. If
short form answers are requested, the default is not to show the
source address and port number of the server that provided the
answer.
</p></dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd><p>
Toggle the display of comment lines in the output. The default
is to print comments.
</p></dd>
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
<dd><p>
Toggle the display of per-record comments in the output (for
example, human-readable key information about DNSKEY records).
The default is not to print record comments unless multiline
mode is active.
</p></dd>
<dt><span class="term"><code class="option">+split=W</code></span></dt>
<dd><p>
Split long hex- or base64-formatted fields in resource
records into chunks of <em class="parameter"><code>W</code></em> characters
(where <em class="parameter"><code>W</code></em> is rounded up to the nearest
multiple of 4).
<em class="parameter"><code>+nosplit</code></em> or
<em class="parameter"><code>+split=0</code></em> causes fields not to be
split at all. The default is 56 characters, or 44 characters
when multiline mode is active.
</p></dd>
<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
<dd><p>
This query option toggles the printing of statistics: when the
query
was made, the size of the reply and so on. The default
behavior is
to print the query statistics.
</p></dd>
<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
<dd><p>
Print [do not print] the query as it is sent.
By default, the query is not printed.
</p></dd>
<dt><span class="term"><code class="option">+[no]question</code></span></dt>
<dd><p>
Print [do not print] the question section of a query when an
answer is
returned. The default is to print the question section as a
comment.
</p></dd>
<dt><span class="term"><code class="option">+[no]answer</code></span></dt>
<dd><p>
Display [do not display] the answer section of a reply. The
default
is to display it.
</p></dd>
<dt><span class="term"><code class="option">+[no]authority</code></span></dt>
<dd><p>
Display [do not display] the authority section of a reply. The
default is to display it.
</p></dd>
<dt><span class="term"><code class="option">+[no]additional</code></span></dt>
<dd><p>
Display [do not display] the additional section of a reply.
The default is to display it.
</p></dd>
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd><p>
Set or clear all display flags.
</p></dd>
<dt><span class="term"><code class="option">+time=T</code></span></dt>
<dd><p>
Sets the timeout for a query to
<em class="parameter"><code>T</code></em> seconds. The default
timeout is 5 seconds.
An attempt to set <em class="parameter"><code>T</code></em> to less
than 1 will result
in a query timeout of 1 second being applied.
</p></dd>
<dt><span class="term"><code class="option">+tries=T</code></span></dt>
<dd><p>
Sets the number of times to try UDP queries to server to
<em class="parameter"><code>T</code></em> instead of the default, 3.
If
<em class="parameter"><code>T</code></em> is less than or equal to
zero, the number of
tries is silently rounded up to 1.
</p></dd>
<dt><span class="term"><code class="option">+retry=T</code></span></dt>
<dd><p>
Sets the number of times to retry UDP queries to server to
<em class="parameter"><code>T</code></em> instead of the default, 2.
Unlike
<em class="parameter"><code>+tries</code></em>, this does not include
the initial
query.
</p></dd>
<dt><span class="term"><code class="option">+ndots=D</code></span></dt>
<dd><p>
Set the number of dots that have to appear in
<em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be
considered absolute. The default value is that defined using
the
ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no
ndots statement is present. Names with fewer dots are
interpreted as
relative names and will be searched for in the domains listed in
the
<code class="option">search</code> or <code class="option">domain</code> directive in
<code class="filename">/etc/resolv.conf</code>.
</p></dd>
<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
<dd><p>
Set the UDP message buffer size advertised using EDNS0 to
<em class="parameter"><code>B</code></em> bytes. The maximum and minimum sizes
of this buffer are 65535 and 0 respectively. Values outside
this range are rounded up or down appropriately.
Values other than zero will cause a EDNS query to be sent.
</p></dd>
<dt><span class="term"><code class="option">+edns=#</code></span></dt>
<dd><p>
Specify the EDNS version to query with. Valid values
are 0 to 255. Setting the EDNS version will cause
a EDNS query to be sent. <code class="option">+noedns</code>
clears the remembered EDNS version. EDNS is set to
0 by default.
</p></dd>
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
<dd><p>
Print records like the SOA records in a verbose multi-line
format with human-readable comments. The default is to print
each record on a single line, to facilitate machine parsing
of the <span><strong class="command">dig</strong></span> output.
</p></dd>
<dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>
<dd><p>
Print only one (starting) SOA record when performing
an AXFR. The default is to print both the starting and
ending SOA records.
</p></dd>
<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
<dd><p>
Do not try the next server if you receive a SERVFAIL. The
default is
to not try the next server which is the reverse of normal stub
resolver
behavior.
</p></dd>
<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
<dd><p>
Attempt to display the contents of messages which are malformed.
The default is to not display malformed answers.
</p></dd>
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
<dd><p>
Requests DNSSEC records be sent by setting the DNSSEC OK bit
(DO)
in the OPT record in the additional section of the query.
</p></dd>
<dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
<dd><p>
Chase DNSSEC signature chains. Requires dig be compiled with
-DDIG_SIGCHASE.
</p></dd>
<dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
<dd>
<p>
Specifies a file containing trusted keys to be used with
<code class="option">+sigchase</code>. Each DNSKEY record must be
on its own line.
</p>
<p>
If not specified, <span><strong class="command">dig</strong></span> will look for
<code class="filename">/etc/trusted-key.key</code> then
<code class="filename">trusted-key.key</code> in the current directory.
</p>
<p>
Requires dig be compiled with -DDIG_SIGCHASE.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
<dd><p>
When chasing DNSSEC signature chains perform a top-down
validation.
Requires dig be compiled with -DDIG_SIGCHASE.
</p></dd>
<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
<dd><p>
Include an EDNS name server ID request when sending a query.
</p></dd>
</dl></div>
<p>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545324"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
specifying multiple queries on the command line (in addition to
supporting the <code class="option">-f</code> batch file option). Each of those
queries can be supplied with its own set of flags, options and query
options.
</p>
<p>
In this case, each <em class="parameter"><code>query</code></em> argument
represent an
individual query in the command-line syntax described above. Each
consists of any of the standard options and flags, the name to be
looked up, an optional query type and class and any query options that
should be applied to that query.
</p>
<p>
A global set of query options, which should be applied to all queries,
can also be supplied. These global query options must precede the
first tuple of name, class, type, options, flags, and query options
supplied on the command line. Any global query options (except
the <code class="option">+[no]cmd</code> option) can be
overridden by a query-specific set of query options. For example:
</p>
<pre class="programlisting">
dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</pre>
<p>
shows how <span><strong class="command">dig</strong></span> could be used from the
command line
to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
reverse lookup of 127.0.0.1 and a query for the NS records of
<code class="literal">isc.org</code>.
A global query option of <em class="parameter"><code>+qr</code></em> is
applied, so
that <span><strong class="command">dig</strong></span> shows the initial query it made
for each
lookup. The final query has a local query option of
<em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>
will not print the initial query when it looks up the NS records for
<code class="literal">isc.org</code>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545386"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<span><strong class="command">dig</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, defines
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span><strong class="command">dig</strong></span> runs.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545409"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545426"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">RFC1035</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545531"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
</div>
</div></body>
</html>

5789
contrib/bind9/bin/dig/dighost.c
View file

File diff suppressed because it is too large Load diff

219
contrib/bind9/bin/dig/host.1
View file

@ -1,219 +0,0 @@
.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: host
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: Jun 30, 2000
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "HOST" "1" "Jun 30, 2000" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
host \- DNS lookup utility
.SH "SYNOPSIS"
.HP 5
\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server]
.SH "DESCRIPTION"
.PP
\fBhost\fR
is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given,
\fBhost\fR
prints a short summary of its command line arguments and options.
.PP
\fIname\fR
is the domain name that is to be looked up. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case
\fBhost\fR
will by default perform a reverse lookup for that address.
\fIserver\fR
is an optional argument which is either the name or IP address of the name server that
\fBhost\fR
should query instead of the server or servers listed in
\fI/etc/resolv.conf\fR.
.PP
The
\fB\-a\fR
(all) option is equivalent to setting the
\fB\-v\fR
option and asking
\fBhost\fR
to make a query of type ANY.
.PP
When the
\fB\-C\fR
option is used,
\fBhost\fR
will attempt to display the SOA records for zone
\fIname\fR
from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone.
.PP
The
\fB\-c\fR
option instructs to make a DNS query of class
\fIclass\fR. This can be used to lookup Hesiod or Chaosnet class resource records. The default class is IN (Internet).
.PP
Verbose output is generated by
\fBhost\fR
when the
\fB\-d\fR
or
\fB\-v\fR
option is used. The two options are equivalent. They have been provided for backwards compatibility. In previous versions, the
\fB\-d\fR
option switched on debugging traces and
\fB\-v\fR
enabled verbose output.
.PP
List mode is selected by the
\fB\-l\fR
option. This makes
\fBhost\fR
perform a zone transfer for zone
\fIname\fR. Transfer the zone printing out the NS, PTR and address records (A/AAAA). If combined with
\fB\-a\fR
all records will be printed.
.PP
The
\fB\-i\fR
option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC1886. The default is to use IP6.ARPA.
.PP
The
\fB\-N\fR
option sets the number of dots that have to be in
\fIname\fR
for it to be considered absolute. The default value is that defined using the ndots statement in
\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
\fBsearch\fR
or
\fBdomain\fR
directive in
\fI/etc/resolv.conf\fR.
.PP
The number of UDP retries for a lookup can be changed with the
\fB\-R\fR
option.
\fInumber\fR
indicates how many times
\fBhost\fR
will repeat a query that does not get answered. The default number of retries is 1. If
\fInumber\fR
is negative or zero, the number of retries will default to 1.
.PP
Non\-recursive queries can be made via the
\fB\-r\fR
option. Setting this option clears the
\fBRD\fR
\(em recursion desired \(em bit in the query which
\fBhost\fR
makes. This should mean that the name server receiving the query will not attempt to resolve
\fIname\fR. The
\fB\-r\fR
option enables
\fBhost\fR
to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
.PP
By default,
\fBhost\fR
uses UDP when making queries. The
\fB\-T\fR
option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests.
.PP
The
\fB\-4\fR
option forces
\fBhost\fR
to only use IPv4 query transport. The
\fB\-6\fR
option forces
\fBhost\fR
to only use IPv6 query transport.
.PP
The
\fB\-t\fR
option is used to select the query type.
\fItype\fR
can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
\fBhost\fR
automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records, but if the
\fB\-C\fR
option was given, queries will be made for SOA records, and if
\fIname\fR
is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
\fBhost\fR
will query for PTR records. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (e.g. \-t IXFR=12345678).
.PP
The time to wait for a reply can be controlled through the
\fB\-W\fR
and
\fB\-w\fR
options. The
\fB\-W\fR
option makes
\fBhost\fR
wait for
\fIwait\fR
seconds. If
\fIwait\fR
is less than one, the wait interval is set to one second. When the
\fB\-w\fR
option is used,
\fBhost\fR
will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.
.PP
The
\fB\-s\fR
option tells
\fBhost\fR
\fInot\fR
to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior.
.PP
The
\fB\-m\fR
can be used to set the memory usage debugging flags
\fIrecord\fR,
\fIusage\fR
and
\fItrace\fR.
.SH "IDN SUPPORT"
.PP
If
\fBhost\fR
has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
\fBhost\fR
appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
\fBIDN_DISABLE\fR
environment variable. The IDN support is disabled if the variable is set when
\fBhost\fR
runs.
.SH "FILES"
.PP
\fI/etc/resolv.conf\fR
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBnamed\fR(8).
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2002 Internet Software Consortium.
.br

892
contrib/bind9/bin/dig/host.c
View file

@ -1,892 +0,0 @@
/*
* Copyright (C) 2004-2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: host.c,v 1.127 2011/03/11 06:11:20 marka Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <limits.h>
#ifdef HAVE_LOCALE_H
#include <locale.h>
#endif
#ifdef WITH_IDN
#include <idn/result.h>
#include <idn/log.h>
#include <idn/resconf.h>
#include <idn/api.h>
#endif
#include <isc/app.h>
#include <isc/commandline.h>
#include <isc/netaddr.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
#include <isc/task.h>
#include <isc/stdlib.h>
#include <dns/byaddr.h>
#include <dns/fixedname.h>
#include <dns/message.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatatype.h>
#include <dns/rdatastruct.h>
#include <dig/dig.h>
static isc_boolean_t short_form = ISC_TRUE, listed_server = ISC_FALSE;
static isc_boolean_t default_lookups = ISC_TRUE;
static int seen_error = -1;
static isc_boolean_t list_addresses = ISC_TRUE;
static dns_rdatatype_t list_type = dns_rdatatype_a;
static isc_boolean_t printed_server = ISC_FALSE;
static const char *opcodetext[] = {
"QUERY",
"IQUERY",
"STATUS",
"RESERVED3",
"NOTIFY",
"UPDATE",
"RESERVED6",
"RESERVED7",
"RESERVED8",
"RESERVED9",
"RESERVED10",
"RESERVED11",
"RESERVED12",
"RESERVED13",
"RESERVED14",
"RESERVED15"
};
static const char *rcodetext[] = {
"NOERROR",
"FORMERR",
"SERVFAIL",
"NXDOMAIN",
"NOTIMP",
"REFUSED",
"YXDOMAIN",
"YXRRSET",
"NXRRSET",
"NOTAUTH",
"NOTZONE",
"RESERVED11",
"RESERVED12",
"RESERVED13",
"RESERVED14",
"RESERVED15",
"BADVERS"
};
struct rtype {
unsigned int type;
const char *text;
};
struct rtype rtypes[] = {
{ 1, "has address" },
{ 2, "name server" },
{ 5, "is an alias for" },
{ 11, "has well known services" },
{ 12, "domain name pointer" },
{ 13, "host information" },
{ 15, "mail is handled by" },
{ 16, "descriptive text" },
{ 19, "x25 address" },
{ 20, "ISDN address" },
{ 24, "has signature" },
{ 25, "has key" },
{ 28, "has IPv6 address" },
{ 29, "location" },
{ 0, NULL }
};
static char *
rcode_totext(dns_rcode_t rcode)
{
static char buf[sizeof("?65535")];
union {
const char *consttext;
char *deconsttext;
} totext;
if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
snprintf(buf, sizeof(buf), "?%u", rcode);
totext.deconsttext = buf;
} else
totext.consttext = rcodetext[rcode];
return totext.deconsttext;
}
ISC_PLATFORM_NORETURN_PRE static void
show_usage(void) ISC_PLATFORM_NORETURN_POST;
static void
show_usage(void) {
fputs(
"Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]\n"
" [-R number] [-m flag] hostname [server]\n"
" -a is equivalent to -v -t ANY\n"
" -c specifies query class for non-IN data\n"
" -C compares SOA records on authoritative nameservers\n"
" -d is equivalent to -v\n"
" -l lists all hosts in a domain, using AXFR\n"
" -i IP6.INT reverse lookups\n"
" -N changes the number of dots allowed before root lookup is done\n"
" -r disables recursive processing\n"
" -R specifies number of retries for UDP packets\n"
" -s a SERVFAIL response should stop query\n"
" -t specifies the query type\n"
" -T enables TCP/IP mode\n"
" -v enables verbose output\n"
" -w specifies to wait forever for a reply\n"
" -W specifies how long to wait for a reply\n"
" -4 use IPv4 query transport only\n"
" -6 use IPv6 query transport only\n"
" -m set memory debugging flag (trace|record|usage)\n", stderr);
exit(1);
}
void
dighost_shutdown(void) {
isc_app_shutdown();
}
void
received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
isc_time_t now;
int diff;
if (!short_form) {
char fromtext[ISC_SOCKADDR_FORMATSIZE];
isc_sockaddr_format(from, fromtext, sizeof(fromtext));
TIME_NOW(&now);
diff = (int) isc_time_microdiff(&now, &query->time_sent);
printf("Received %u bytes from %s in %d ms\n",
bytes, fromtext, diff/1000);
}
}
void
trying(char *frm, dig_lookup_t *lookup) {
UNUSED(lookup);
if (!short_form)
printf("Trying \"%s\"\n", frm);
}
static void
say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
dig_query_t *query)
{
isc_buffer_t *b = NULL;
char namestr[DNS_NAME_FORMATSIZE];
isc_region_t r;
isc_result_t result;
unsigned int bufsize = BUFSIZ;
dns_name_format(name, namestr, sizeof(namestr));
retry:
result = isc_buffer_allocate(mctx, &b, bufsize);
check_result(result, "isc_buffer_allocate");
result = dns_rdata_totext(rdata, NULL, b);
if (result == ISC_R_NOSPACE) {
isc_buffer_free(&b);
bufsize *= 2;
goto retry;
}
check_result(result, "dns_rdata_totext");
isc_buffer_usedregion(b, &r);
if (query->lookup->identify_previous_line) {
printf("Nameserver %s:\n\t",
query->servname);
}
printf("%s %s %.*s", namestr,
msg, (int)r.length, (char *)r.base);
if (query->lookup->identify) {
printf(" on server %s", query->servname);
}
printf("\n");
isc_buffer_free(&b);
}
#ifdef DIG_SIGCHASE
/* Just for compatibility : not use in host program */
isc_result_t
printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
isc_buffer_t *target)
{
UNUSED(owner_name);
UNUSED(rdataset);
UNUSED(target);
return(ISC_FALSE);
}
#endif
static isc_result_t
printsection(dns_message_t *msg, dns_section_t sectionid,
const char *section_name, isc_boolean_t headers,
dig_query_t *query)
{
dns_name_t *name, *print_name;
dns_rdataset_t *rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_buffer_t target;
isc_result_t result, loopresult;
isc_region_t r;
dns_name_t empty_name;
char t[4096];
isc_boolean_t first;
isc_boolean_t no_rdata;
if (sectionid == DNS_SECTION_QUESTION)
no_rdata = ISC_TRUE;
else
no_rdata = ISC_FALSE;
if (headers)
printf(";; %s SECTION:\n", section_name);
dns_name_init(&empty_name, NULL);
result = dns_message_firstname(msg, sectionid);
if (result == ISC_R_NOMORE)
return (ISC_R_SUCCESS);
else if (result != ISC_R_SUCCESS)
return (result);
for (;;) {
name = NULL;
dns_message_currentname(msg, sectionid, &name);
isc_buffer_init(&target, t, sizeof(t));
first = ISC_TRUE;
print_name = name;
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
if (query->lookup->rdtype == dns_rdatatype_axfr &&
!((!list_addresses &&
(list_type == dns_rdatatype_any ||
rdataset->type == list_type)) ||
(list_addresses &&
(rdataset->type == dns_rdatatype_a ||
rdataset->type == dns_rdatatype_aaaa ||
rdataset->type == dns_rdatatype_ns ||
rdataset->type == dns_rdatatype_ptr))))
continue;
if (!short_form) {
result = dns_rdataset_totext(rdataset,
print_name,
ISC_FALSE,
no_rdata,
&target);
if (result != ISC_R_SUCCESS)
return (result);
#ifdef USEINITALWS
if (first) {
print_name = &empty_name;
first = ISC_FALSE;
}
#else
UNUSED(first); /* Shut up compiler. */
#endif
} else {
loopresult = dns_rdataset_first(rdataset);
while (loopresult == ISC_R_SUCCESS) {
struct rtype *t;
const char *rtt;
char typebuf[DNS_RDATATYPE_FORMATSIZE];
char typebuf2[DNS_RDATATYPE_FORMATSIZE
+ 20];
dns_rdataset_current(rdataset, &rdata);
for (t = rtypes; t->text != NULL; t++) {
if (t->type == rdata.type) {
rtt = t->text;
goto found;
}
}
dns_rdatatype_format(rdata.type,
typebuf,
sizeof(typebuf));
snprintf(typebuf2, sizeof(typebuf2),
"has %s record", typebuf);
rtt = typebuf2;
found:
say_message(print_name, rtt,
&rdata, query);
dns_rdata_reset(&rdata);
loopresult =
dns_rdataset_next(rdataset);
}
}
}
if (!short_form) {
isc_buffer_usedregion(&target, &r);
if (no_rdata)
printf(";%.*s", (int)r.length,
(char *)r.base);
else
printf("%.*s", (int)r.length, (char *)r.base);
}
result = dns_message_nextname(msg, sectionid);
if (result == ISC_R_NOMORE)
break;
else if (result != ISC_R_SUCCESS)
return (result);
}
return (ISC_R_SUCCESS);
}
static isc_result_t
printrdata(dns_message_t *msg, dns_rdataset_t *rdataset, dns_name_t *owner,
const char *set_name, isc_boolean_t headers)
{
isc_buffer_t target;
isc_result_t result;
isc_region_t r;
char t[4096];
UNUSED(msg);
if (headers)
printf(";; %s SECTION:\n", set_name);
isc_buffer_init(&target, t, sizeof(t));
result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
&target);
if (result != ISC_R_SUCCESS)
return (result);
isc_buffer_usedregion(&target, &r);
printf("%.*s", (int)r.length, (char *)r.base);
return (ISC_R_SUCCESS);
}
static void
chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
isc_result_t result;
dns_rdataset_t *rdataset;
dns_rdata_cname_t cname;
dns_rdata_t rdata = DNS_RDATA_INIT;
unsigned int i = msg->counts[DNS_SECTION_ANSWER];
while (i-- > 0) {
rdataset = NULL;
result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
dns_rdatatype_cname, 0, NULL,
&rdataset);
if (result != ISC_R_SUCCESS)
return;
result = dns_rdataset_first(rdataset);
check_result(result, "dns_rdataset_first");
dns_rdata_reset(&rdata);
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &cname, NULL);
check_result(result, "dns_rdata_tostruct");
dns_name_copy(&cname.cname, qname, NULL);
dns_rdata_freestruct(&cname);
}
}
isc_result_t
printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
isc_boolean_t did_flag = ISC_FALSE;
dns_rdataset_t *opt, *tsig = NULL;
dns_name_t *tsigname;
isc_result_t result = ISC_R_SUCCESS;
int force_error;
UNUSED(headers);
/*
* We get called multiple times.
* Preserve any existing error status.
*/
force_error = (seen_error == 1) ? 1 : 0;
seen_error = 1;
if (listed_server && !printed_server) {
char sockstr[ISC_SOCKADDR_FORMATSIZE];
printf("Using domain server:\n");
printf("Name: %s\n", query->userarg);
isc_sockaddr_format(&query->sockaddr, sockstr,
sizeof(sockstr));
printf("Address: %s\n", sockstr);
printf("Aliases: \n\n");
printed_server = ISC_TRUE;
}
if (msg->rcode != 0) {
char namestr[DNS_NAME_FORMATSIZE];
dns_name_format(query->lookup->name, namestr, sizeof(namestr));
if (query->lookup->identify_previous_line)
printf("Nameserver %s:\n\t%s not found: %d(%s)\n",
query->servname,
(msg->rcode != dns_rcode_nxdomain) ? namestr :
query->lookup->textname, msg->rcode,
rcode_totext(msg->rcode));
else
printf("Host %s not found: %d(%s)\n",
(msg->rcode != dns_rcode_nxdomain) ? namestr :
query->lookup->textname, msg->rcode,
rcode_totext(msg->rcode));
return (ISC_R_SUCCESS);
}
if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
char namestr[DNS_NAME_FORMATSIZE];
dig_lookup_t *lookup;
dns_fixedname_t fixed;
dns_name_t *name;
/* Add AAAA and MX lookups. */
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
dns_name_copy(query->lookup->name, name, NULL);
chase_cnamechain(msg, name);
dns_name_format(name, namestr, sizeof(namestr));
lookup = clone_lookup(query->lookup, ISC_FALSE);
if (lookup != NULL) {
strncpy(lookup->textname, namestr,
sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1] = 0;
lookup->rdtype = dns_rdatatype_aaaa;
lookup->rdtypeset = ISC_TRUE;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
}
lookup = clone_lookup(query->lookup, ISC_FALSE);
if (lookup != NULL) {
strncpy(lookup->textname, namestr,
sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1] = 0;
lookup->rdtype = dns_rdatatype_mx;
lookup->rdtypeset = ISC_TRUE;
lookup->origin = NULL;
lookup->retries = tries;
ISC_LIST_APPEND(lookup_list, lookup, link);
}
}
if (!short_form) {
printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
opcodetext[msg->opcode], rcode_totext(msg->rcode),
msg->id);
printf(";; flags: ");
if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
printf("qr");
did_flag = ISC_TRUE;
}
if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
printf("%saa", did_flag ? " " : "");
did_flag = ISC_TRUE;
}
if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
printf("%stc", did_flag ? " " : "");
did_flag = ISC_TRUE;
}
if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
printf("%srd", did_flag ? " " : "");
did_flag = ISC_TRUE;
}
if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
printf("%sra", did_flag ? " " : "");
did_flag = ISC_TRUE;
}
if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
printf("%sad", did_flag ? " " : "");
did_flag = ISC_TRUE;
}
if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
printf("%scd", did_flag ? " " : "");
did_flag = ISC_TRUE;
POST(did_flag);
}
printf("; QUERY: %u, ANSWER: %u, "
"AUTHORITY: %u, ADDITIONAL: %u\n",
msg->counts[DNS_SECTION_QUESTION],
msg->counts[DNS_SECTION_ANSWER],
msg->counts[DNS_SECTION_AUTHORITY],
msg->counts[DNS_SECTION_ADDITIONAL]);
opt = dns_message_getopt(msg);
if (opt != NULL)
printf(";; EDNS: version: %u, udp=%u\n",
(unsigned int)((opt->ttl & 0x00ff0000) >> 16),
(unsigned int)opt->rdclass);
tsigname = NULL;
tsig = dns_message_gettsig(msg, &tsigname);
if (tsig != NULL)
printf(";; PSEUDOSECTIONS: TSIG\n");
}
if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_QUESTION]) &&
!short_form) {
printf("\n");
result = printsection(msg, DNS_SECTION_QUESTION, "QUESTION",
ISC_TRUE, query);
if (result != ISC_R_SUCCESS)
return (result);
}
if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
if (!short_form)
printf("\n");
result = printsection(msg, DNS_SECTION_ANSWER, "ANSWER",
ISC_TF(!short_form), query);
if (result != ISC_R_SUCCESS)
return (result);
}
if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) &&
!short_form) {
printf("\n");
result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY",
ISC_TRUE, query);
if (result != ISC_R_SUCCESS)
return (result);
}
if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) &&
!short_form) {
printf("\n");
result = printsection(msg, DNS_SECTION_ADDITIONAL,
"ADDITIONAL", ISC_TRUE, query);
if (result != ISC_R_SUCCESS)
return (result);
}
if ((tsig != NULL) && !short_form) {
printf("\n");
result = printrdata(msg, tsig, tsigname,
"PSEUDOSECTION TSIG", ISC_TRUE);
if (result != ISC_R_SUCCESS)
return (result);
}
if (!short_form)
printf("\n");
if (short_form && !default_lookups &&
ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
char namestr[DNS_NAME_FORMATSIZE];
char typestr[DNS_RDATATYPE_FORMATSIZE];
dns_name_format(query->lookup->name, namestr, sizeof(namestr));
dns_rdatatype_format(query->lookup->rdtype, typestr,
sizeof(typestr));
printf("%s has no %s record\n", namestr, typestr);
}
seen_error = force_error;
return (result);
}
static const char * optstring = "46ac:dilnm:rst:vwCDN:R:TW:";
static void
pre_parse_args(int argc, char **argv) {
int c;
while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
switch (c) {
case 'm':
memdebugging = ISC_TRUE;
if (strcasecmp("trace", isc_commandline_argument) == 0)
isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
else if (!strcasecmp("record",
isc_commandline_argument) == 0)
isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
else if (strcasecmp("usage",
isc_commandline_argument) == 0)
isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
break;
case '4': break;
case '6': break;
case 'a': break;
case 'c': break;
case 'd': break;
case 'i': break;
case 'l': break;
case 'n': break;
case 'r': break;
case 's': break;
case 't': break;
case 'v': break;
case 'w': break;
case 'C': break;
case 'D':
debugging = ISC_TRUE;
break;
case 'N': break;
case 'R': break;
case 'T': break;
case 'W': break;
default:
show_usage();
}
}
isc_commandline_reset = ISC_TRUE;
isc_commandline_index = 1;
}
static void
parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
char hostname[MXNAME];
dig_lookup_t *lookup;
int c;
char store[MXNAME];
isc_textregion_t tr;
isc_result_t result = ISC_R_SUCCESS;
dns_rdatatype_t rdtype;
dns_rdataclass_t rdclass;
isc_uint32_t serial = 0;
UNUSED(is_batchfile);
lookup = make_empty_lookup();
lookup->servfail_stops = ISC_FALSE;
lookup->comments = ISC_FALSE;
while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
switch (c) {
case 'l':
lookup->tcp_mode = ISC_TRUE;
lookup->rdtype = dns_rdatatype_axfr;
lookup->rdtypeset = ISC_TRUE;
fatalexit = 3;
break;
case 'v':
case 'd':
short_form = ISC_FALSE;
break;
case 'r':
lookup->recurse = ISC_FALSE;
break;
case 't':
if (strncasecmp(isc_commandline_argument,
"ixfr=", 5) == 0) {
rdtype = dns_rdatatype_ixfr;
/* XXXMPA add error checking */
serial = strtoul(isc_commandline_argument + 5,
NULL, 10);
result = ISC_R_SUCCESS;
} else {
tr.base = isc_commandline_argument;
tr.length = strlen(isc_commandline_argument);
result = dns_rdatatype_fromtext(&rdtype,
(isc_textregion_t *)&tr);
}
if (result != ISC_R_SUCCESS) {
fatalexit = 2;
fatal("invalid type: %s\n",
isc_commandline_argument);
}
if (!lookup->rdtypeset ||
lookup->rdtype != dns_rdatatype_axfr)
lookup->rdtype = rdtype;
lookup->rdtypeset = ISC_TRUE;
#ifdef WITH_IDN
idnoptions = 0;
#endif
if (rdtype == dns_rdatatype_axfr) {
/* -l -t any -v */
list_type = dns_rdatatype_any;
short_form = ISC_FALSE;
lookup->tcp_mode = ISC_TRUE;
} else if (rdtype == dns_rdatatype_ixfr) {
lookup->ixfr_serial = serial;
lookup->tcp_mode = ISC_TRUE;
list_type = rdtype;
#ifdef WITH_IDN
} else if (rdtype == dns_rdatatype_a ||
rdtype == dns_rdatatype_aaaa ||
rdtype == dns_rdatatype_mx) {
idnoptions = IDN_ASCCHECK;
list_type = rdtype;
#endif
} else
list_type = rdtype;
list_addresses = ISC_FALSE;
default_lookups = ISC_FALSE;
break;
case 'c':
tr.base = isc_commandline_argument;
tr.length = strlen(isc_commandline_argument);
result = dns_rdataclass_fromtext(&rdclass,
(isc_textregion_t *)&tr);
if (result != ISC_R_SUCCESS) {
fatalexit = 2;
fatal("invalid class: %s\n",
isc_commandline_argument);
} else {
lookup->rdclass = rdclass;
lookup->rdclassset = ISC_TRUE;
}
default_lookups = ISC_FALSE;
break;
case 'a':
if (!lookup->rdtypeset ||
lookup->rdtype != dns_rdatatype_axfr)
lookup->rdtype = dns_rdatatype_any;
list_type = dns_rdatatype_any;
list_addresses = ISC_FALSE;
lookup->rdtypeset = ISC_TRUE;
short_form = ISC_FALSE;
default_lookups = ISC_FALSE;
break;
case 'i':
lookup->ip6_int = ISC_TRUE;
break;
case 'n':
/* deprecated */
break;
case 'm':
/* Handled by pre_parse_args(). */
break;
case 'w':
/*
* The timer routines are coded such that
* timeout==MAXINT doesn't enable the timer
*/
timeout = INT_MAX;
break;
case 'W':
timeout = atoi(isc_commandline_argument);
if (timeout < 1)
timeout = 1;
break;
case 'R':
tries = atoi(isc_commandline_argument) + 1;
if (tries < 2)
tries = 2;
break;
case 'T':
lookup->tcp_mode = ISC_TRUE;
break;
case 'C':
debug("showing all SOAs");
lookup->rdtype = dns_rdatatype_ns;
lookup->rdtypeset = ISC_TRUE;
lookup->rdclass = dns_rdataclass_in;
lookup->rdclassset = ISC_TRUE;
lookup->ns_search_only = ISC_TRUE;
lookup->trace_root = ISC_TRUE;
lookup->identify_previous_line = ISC_TRUE;
default_lookups = ISC_FALSE;
break;
case 'N':
debug("setting NDOTS to %s",
isc_commandline_argument);
ndots = atoi(isc_commandline_argument);
break;
case 'D':
/* Handled by pre_parse_args(). */
break;
case '4':
if (have_ipv4) {
isc_net_disableipv6();
have_ipv6 = ISC_FALSE;
} else
fatal("can't find IPv4 networking");
break;
case '6':
if (have_ipv6) {
isc_net_disableipv4();
have_ipv4 = ISC_FALSE;
} else
fatal("can't find IPv6 networking");
break;
case 's':
lookup->servfail_stops = ISC_TRUE;
break;
}
}
lookup->retries = tries;
if (isc_commandline_index >= argc)
show_usage();
strlcpy(hostname, argv[isc_commandline_index], sizeof(hostname));
if (argc > isc_commandline_index + 1) {
set_nameserver(argv[isc_commandline_index+1]);
debug("server is %s", argv[isc_commandline_index+1]);
listed_server = ISC_TRUE;
} else
check_ra = ISC_TRUE;
lookup->pending = ISC_FALSE;
if (get_reverse(store, sizeof(store), hostname,
lookup->ip6_int, ISC_TRUE) == ISC_R_SUCCESS) {
strncpy(lookup->textname, store, sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1] = 0;
lookup->rdtype = dns_rdatatype_ptr;
lookup->rdtypeset = ISC_TRUE;
default_lookups = ISC_FALSE;
} else {
strncpy(lookup->textname, hostname, sizeof(lookup->textname));
lookup->textname[sizeof(lookup->textname)-1]=0;
usesearch = ISC_TRUE;
}
lookup->new_search = ISC_TRUE;
ISC_LIST_APPEND(lookup_list, lookup, link);
}
int
main(int argc, char **argv) {
isc_result_t result;
tries = 2;
ISC_LIST_INIT(lookup_list);
ISC_LIST_INIT(server_list);
ISC_LIST_INIT(search_list);
fatalexit = 1;
#ifdef WITH_IDN
idnoptions = IDN_ASCCHECK;
#endif
debug("main()");
progname = argv[0];
pre_parse_args(argc, argv);
result = isc_app_start();
check_result(result, "isc_app_start");
setup_libs();
parse_args(ISC_FALSE, argc, argv);
setup_system();
result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
check_result(result, "isc_app_onrun");
isc_app_run();
cancel_all();
destroy_libs();
isc_app_finish();
return ((seen_error == 0) ? 0 : 1);
}

279
contrib/bind9/bin/dig/host.docbook
View file

@ -1,279 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: host.docbook,v 1.20 2009/01/20 23:47:56 tbox Exp $ -->
<refentry id="man.host">
<refentryinfo>
<date>Jun 30, 2000</date>
</refentryinfo>
<refmeta>
<refentrytitle>host</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname>host</refname>
<refpurpose>DNS lookup utility</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2008</year>
<year>2009</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>host</command>
<arg><option>-aCdlnrsTwv</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">number</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
<arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-4</option></arg>
<arg><option>-6</option></arg>
<arg choice="req">name</arg>
<arg choice="opt">server</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>host</command>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
When no arguments or options are given,
<command>host</command>
prints a short summary of its command line arguments and options.
</para>
<para><parameter>name</parameter> is the domain name that is to be
looked
up. It can also be a dotted-decimal IPv4 address or a colon-delimited
IPv6 address, in which case <command>host</command> will by
default
perform a reverse lookup for that address.
<parameter>server</parameter> is an optional argument which
is either
the name or IP address of the name server that <command>host</command>
should query instead of the server or servers listed in
<filename>/etc/resolv.conf</filename>.
</para>
<para>
The <option>-a</option> (all) option is equivalent to setting the
<option>-v</option> option and asking <command>host</command> to make
a query of type ANY.
</para>
<para>
When the <option>-C</option> option is used, <command>host</command>
will attempt to display the SOA records for zone
<parameter>name</parameter> from all the listed
authoritative name
servers for that zone. The list of name servers is defined by the NS
records that are found for the zone.
</para>
<para>
The <option>-c</option> option instructs to make a DNS query of class
<parameter>class</parameter>. This can be used to lookup
Hesiod or
Chaosnet class resource records. The default class is IN (Internet).
</para>
<para>
Verbose output is generated by <command>host</command> when
the
<option>-d</option> or <option>-v</option> option is used. The two
options are equivalent. They have been provided for backwards
compatibility. In previous versions, the <option>-d</option> option
switched on debugging traces and <option>-v</option> enabled verbose
output.
</para>
<para>
List mode is selected by the <option>-l</option> option. This makes
<command>host</command> perform a zone transfer for zone
<parameter>name</parameter>. Transfer the zone printing out
the NS, PTR
and address records (A/AAAA). If combined with <option>-a</option>
all records will be printed.
</para>
<para>
The <option>-i</option>
option specifies that reverse lookups of IPv6 addresses should
use the IP6.INT domain as defined in RFC1886.
The default is to use IP6.ARPA.
</para>
<para>
The <option>-N</option> option sets the number of dots that have to be
in <parameter>name</parameter> for it to be considered
absolute. The
default value is that defined using the ndots statement in
<filename>/etc/resolv.conf</filename>, or 1 if no ndots
statement is
present. Names with fewer dots are interpreted as relative names and
will be searched for in the domains listed in the <type>search</type>
or <type>domain</type> directive in
<filename>/etc/resolv.conf</filename>.
</para>
<para>
The number of UDP retries for a lookup can be changed with the
<option>-R</option> option. <parameter>number</parameter>
indicates
how many times <command>host</command> will repeat a query
that does
not get answered. The default number of retries is 1. If
<parameter>number</parameter> is negative or zero, the
number of
retries will default to 1.
</para>
<para>
Non-recursive queries can be made via the <option>-r</option> option.
Setting this option clears the <type>RD</type> &mdash; recursion
desired &mdash; bit in the query which <command>host</command> makes.
This should mean that the name server receiving the query will not
attempt to resolve <parameter>name</parameter>. The
<option>-r</option> option enables <command>host</command>
to mimic
the behavior of a name server by making non-recursive queries and
expecting to receive answers to those queries that are usually
referrals to other name servers.
</para>
<para>
By default, <command>host</command> uses UDP when making
queries. The
<option>-T</option> option makes it use a TCP connection when querying
the name server. TCP will be automatically selected for queries that
require it, such as zone transfer (AXFR) requests.
</para>
<para>
The <option>-4</option> option forces <command>host</command> to only
use IPv4 query transport. The <option>-6</option> option forces
<command>host</command> to only use IPv6 query transport.
</para>
<para>
The <option>-t</option> option is used to select the query type.
<parameter>type</parameter> can be any recognized query
type: CNAME,
NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
<command>host</command> automatically selects an appropriate
query
type. By default, it looks for A, AAAA, and MX records, but if the
<option>-C</option> option was given, queries will be made for SOA
records, and if <parameter>name</parameter> is a
dotted-decimal IPv4
address or colon-delimited IPv6 address, <command>host</command> will
query for PTR records. If a query type of IXFR is chosen the starting
serial number can be specified by appending an equal followed by the
starting serial number (e.g. -t IXFR=12345678).
</para>
<para>
The time to wait for a reply can be controlled through the
<option>-W</option> and <option>-w</option> options. The
<option>-W</option> option makes <command>host</command>
wait for
<parameter>wait</parameter> seconds. If <parameter>wait</parameter>
is less than one, the wait interval is set to one second. When the
<option>-w</option> option is used, <command>host</command>
will
effectively wait forever for a reply. The time to wait for a response
will be set to the number of seconds given by the hardware's maximum
value for an integer quantity.
</para>
<para>
The <option>-s</option> option tells <command>host</command>
<emphasis>not</emphasis> to send the query to the next nameserver
if any server responds with a SERVFAIL response, which is the
reverse of normal stub resolver behavior.
</para>
<para>
The <option>-m</option> can be used to set the memory usage debugging
flags
<parameter>record</parameter>, <parameter>usage</parameter> and
<parameter>trace</parameter>.
</para>
</refsect1>
<refsect1>
<title>IDN SUPPORT</title>
<para>
If <command>host</command> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, defines
the <envar>IDN_DISABLE</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>host</command> runs.
</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para><filename>/etc/resolv.conf</filename>
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

212
contrib/bind9/bin/dig/host.html
View file

@ -1,212 +0,0 @@
<!--
- Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.host"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>host &#8212; DNS lookup utility</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543436"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">host</strong></span>
is a simple utility for performing DNS lookups.
It is normally used to convert names to IP addresses and vice versa.
When no arguments or options are given,
<span><strong class="command">host</strong></span>
prints a short summary of its command line arguments and options.
</p>
<p><em class="parameter"><code>name</code></em> is the domain name that is to be
looked
up. It can also be a dotted-decimal IPv4 address or a colon-delimited
IPv6 address, in which case <span><strong class="command">host</strong></span> will by
default
perform a reverse lookup for that address.
<em class="parameter"><code>server</code></em> is an optional argument which
is either
the name or IP address of the name server that <span><strong class="command">host</strong></span>
should query instead of the server or servers listed in
<code class="filename">/etc/resolv.conf</code>.
</p>
<p>
The <code class="option">-a</code> (all) option is equivalent to setting the
<code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
a query of type ANY.
</p>
<p>
When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
will attempt to display the SOA records for zone
<em class="parameter"><code>name</code></em> from all the listed
authoritative name
servers for that zone. The list of name servers is defined by the NS
records that are found for the zone.
</p>
<p>
The <code class="option">-c</code> option instructs to make a DNS query of class
<em class="parameter"><code>class</code></em>. This can be used to lookup
Hesiod or
Chaosnet class resource records. The default class is IN (Internet).
</p>
<p>
Verbose output is generated by <span><strong class="command">host</strong></span> when
the
<code class="option">-d</code> or <code class="option">-v</code> option is used. The two
options are equivalent. They have been provided for backwards
compatibility. In previous versions, the <code class="option">-d</code> option
switched on debugging traces and <code class="option">-v</code> enabled verbose
output.
</p>
<p>
List mode is selected by the <code class="option">-l</code> option. This makes
<span><strong class="command">host</strong></span> perform a zone transfer for zone
<em class="parameter"><code>name</code></em>. Transfer the zone printing out
the NS, PTR
and address records (A/AAAA). If combined with <code class="option">-a</code>
all records will be printed.
</p>
<p>
The <code class="option">-i</code>
option specifies that reverse lookups of IPv6 addresses should
use the IP6.INT domain as defined in RFC1886.
The default is to use IP6.ARPA.
</p>
<p>
The <code class="option">-N</code> option sets the number of dots that have to be
in <em class="parameter"><code>name</code></em> for it to be considered
absolute. The
default value is that defined using the ndots statement in
<code class="filename">/etc/resolv.conf</code>, or 1 if no ndots
statement is
present. Names with fewer dots are interpreted as relative names and
will be searched for in the domains listed in the <span class="type">search</span>
or <span class="type">domain</span> directive in
<code class="filename">/etc/resolv.conf</code>.
</p>
<p>
The number of UDP retries for a lookup can be changed with the
<code class="option">-R</code> option. <em class="parameter"><code>number</code></em>
indicates
how many times <span><strong class="command">host</strong></span> will repeat a query
that does
not get answered. The default number of retries is 1. If
<em class="parameter"><code>number</code></em> is negative or zero, the
number of
retries will default to 1.
</p>
<p>
Non-recursive queries can be made via the <code class="option">-r</code> option.
Setting this option clears the <span class="type">RD</span> &#8212; recursion
desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
This should mean that the name server receiving the query will not
attempt to resolve <em class="parameter"><code>name</code></em>. The
<code class="option">-r</code> option enables <span><strong class="command">host</strong></span>
to mimic
the behavior of a name server by making non-recursive queries and
expecting to receive answers to those queries that are usually
referrals to other name servers.
</p>
<p>
By default, <span><strong class="command">host</strong></span> uses UDP when making
queries. The
<code class="option">-T</code> option makes it use a TCP connection when querying
the name server. TCP will be automatically selected for queries that
require it, such as zone transfer (AXFR) requests.
</p>
<p>
The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
use IPv4 query transport. The <code class="option">-6</code> option forces
<span><strong class="command">host</strong></span> to only use IPv6 query transport.
</p>
<p>
The <code class="option">-t</code> option is used to select the query type.
<em class="parameter"><code>type</code></em> can be any recognized query
type: CNAME,
NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
<span><strong class="command">host</strong></span> automatically selects an appropriate
query
type. By default, it looks for A, AAAA, and MX records, but if the
<code class="option">-C</code> option was given, queries will be made for SOA
records, and if <em class="parameter"><code>name</code></em> is a
dotted-decimal IPv4
address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
query for PTR records. If a query type of IXFR is chosen the starting
serial number can be specified by appending an equal followed by the
starting serial number (e.g. -t IXFR=12345678).
</p>
<p>
The time to wait for a reply can be controlled through the
<code class="option">-W</code> and <code class="option">-w</code> options. The
<code class="option">-W</code> option makes <span><strong class="command">host</strong></span>
wait for
<em class="parameter"><code>wait</code></em> seconds. If <em class="parameter"><code>wait</code></em>
is less than one, the wait interval is set to one second. When the
<code class="option">-w</code> option is used, <span><strong class="command">host</strong></span>
will
effectively wait forever for a reply. The time to wait for a response
will be set to the number of seconds given by the hardware's maximum
value for an integer quantity.
</p>
<p>
The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span>
<span class="emphasis"><em>not</em></span> to send the query to the next nameserver
if any server responds with a SERVFAIL response, which is the
reverse of normal stub resolver behavior.
</p>
<p>
The <code class="option">-m</code> can be used to set the memory usage debugging
flags
<em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em> and
<em class="parameter"><code>trace</code></em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543802"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
<span><strong class="command">host</strong></span> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
If you'd like to turn off the IDN support for some reason, defines
the <code class="envar">IDN_DISABLE</code> environment variable.
The IDN support is disabled if the variable is set when
<span><strong class="command">host</strong></span> runs.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543825"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543836"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
</div>
</div></body>
</html>

419
contrib/bind9/bin/dig/include/dig/dig.h
View file

@ -1,419 +0,0 @@
/*
* Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dig.h,v 1.114 2011/12/07 17:23:28 each Exp $ */
#ifndef DIG_H
#define DIG_H
/*! \file */
#include <dns/rdatalist.h>
#include <dst/dst.h>
#include <isc/boolean.h>
#include <isc/buffer.h>
#include <isc/bufferlist.h>
#include <isc/formatcheck.h>
#include <isc/lang.h>
#include <isc/list.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/sockaddr.h>
#include <isc/socket.h>
#define MXSERV 20
#define MXNAME (DNS_NAME_MAXTEXT+1)
#define MXRD 32
/*% Buffer Size */
#define BUFSIZE 512
#define COMMSIZE 0xffff
#ifndef RESOLV_CONF
/*% location of resolve.conf */
#define RESOLV_CONF "/etc/resolv.conf"
#endif
/*% output buffer */
#define OUTPUTBUF 32767
/*% Max RR Limit */
#define MAXRRLIMIT 0xffffffff
#define MAXTIMEOUT 0xffff
/*% Max number of tries */
#define MAXTRIES 0xffffffff
/*% Max number of dots */
#define MAXNDOTS 0xffff
/*% Max number of ports */
#define MAXPORT 0xffff
/*% Max serial number */
#define MAXSERIAL 0xffffffff
/*% Default TCP Timeout */
#define TCP_TIMEOUT 10
/*% Default UDP Timeout */
#define UDP_TIMEOUT 5
#define SERVER_TIMEOUT 1
#define LOOKUP_LIMIT 64
/*%
* Lookup_limit is just a limiter, keeping too many lookups from being
* created. It's job is mainly to prevent the program from running away
* in a tight loop of constant lookups. It's value is arbitrary.
*/
/*
* Defaults for the sigchase suboptions. Consolidated here because
* these control the layout of dig_lookup_t (among other things).
*/
#ifdef DIG_SIGCHASE
#ifndef DIG_SIGCHASE_BU
#define DIG_SIGCHASE_BU 1
#endif
#ifndef DIG_SIGCHASE_TD
#define DIG_SIGCHASE_TD 1
#endif
#endif
ISC_LANG_BEGINDECLS
typedef struct dig_lookup dig_lookup_t;
typedef struct dig_query dig_query_t;
typedef struct dig_server dig_server_t;
#ifdef DIG_SIGCHASE
typedef struct dig_message dig_message_t;
#endif
typedef ISC_LIST(dig_server_t) dig_serverlist_t;
typedef struct dig_searchlist dig_searchlist_t;
/*% The dig_lookup structure */
struct dig_lookup {
isc_boolean_t
pending, /*%< Pending a successful answer */
waiting_connect,
doing_xfr,
ns_search_only, /*%< dig +nssearch, host -C */
identify, /*%< Append an "on server <foo>" message */
identify_previous_line, /*% Prepend a "Nameserver <foo>:"
message, with newline and tab */
ignore,
recurse,
aaonly,
adflag,
cdflag,
trace, /*% dig +trace */
trace_root, /*% initial query for either +trace or +nssearch */
tcp_mode,
ip6_int,
comments,
stats,
section_question,
section_answer,
section_authority,
section_additional,
servfail_stops,
new_search,
need_search,
done_as_is,
besteffort,
dnssec,
nsid; /*% Name Server ID (RFC 5001) */
#ifdef DIG_SIGCHASE
isc_boolean_t sigchase;
#if DIG_SIGCHASE_TD
isc_boolean_t do_topdown,
trace_root_sigchase,
rdtype_sigchaseset,
rdclass_sigchaseset;
/* Name we are going to validate RRset */
char textnamesigchase[MXNAME];
#endif
#endif
char textname[MXNAME]; /*% Name we're going to be looking up */
char cmdline[MXNAME];
dns_rdatatype_t rdtype;
dns_rdatatype_t qrdtype;
#if DIG_SIGCHASE_TD
dns_rdatatype_t rdtype_sigchase;
dns_rdatatype_t qrdtype_sigchase;
dns_rdataclass_t rdclass_sigchase;
#endif
dns_rdataclass_t rdclass;
isc_boolean_t rdtypeset;
isc_boolean_t rdclassset;
char namespace[BUFSIZE];
char onamespace[BUFSIZE];
isc_buffer_t namebuf;
isc_buffer_t onamebuf;
isc_buffer_t renderbuf;
char *sendspace;
dns_name_t *name;
isc_timer_t *timer;
isc_interval_t interval;
dns_message_t *sendmsg;
dns_name_t *oname;
ISC_LINK(dig_lookup_t) link;
ISC_LIST(dig_query_t) q;
ISC_LIST(dig_query_t) connecting;
dig_query_t *current_query;
dig_serverlist_t my_server_list;
dig_searchlist_t *origin;
dig_query_t *xfr_q;
isc_uint32_t retries;
int nsfound;
isc_uint16_t udpsize;
isc_int16_t edns;
isc_uint32_t ixfr_serial;
isc_buffer_t rdatabuf;
char rdatastore[MXNAME];
dst_context_t *tsigctx;
isc_buffer_t *querysig;
isc_uint32_t msgcounter;
dns_fixedname_t fdomain;
};
/*% The dig_query structure */
struct dig_query {
dig_lookup_t *lookup;
isc_boolean_t waiting_connect,
pending_free,
waiting_senddone,
first_pass,
first_soa_rcvd,
second_rr_rcvd,
first_repeat_rcvd,
recv_made,
warn_id;
isc_uint32_t first_rr_serial;
isc_uint32_t second_rr_serial;
isc_uint32_t msg_count;
isc_uint32_t rr_count;
char *servname;
char *userarg;
isc_bufferlist_t sendlist,
recvlist,
lengthlist;
isc_buffer_t recvbuf,
lengthbuf,
slbuf;
char *recvspace,
lengthspace[4],
slspace[4];
isc_socket_t *sock;
ISC_LINK(dig_query_t) link;
ISC_LINK(dig_query_t) clink;
isc_sockaddr_t sockaddr;
isc_time_t time_sent;
isc_uint64_t byte_count;
isc_buffer_t sendbuf;
};
struct dig_server {
char servername[MXNAME];
char userarg[MXNAME];
ISC_LINK(dig_server_t) link;
};
struct dig_searchlist {
char origin[MXNAME];
ISC_LINK(dig_searchlist_t) link;
};
#ifdef DIG_SIGCHASE
struct dig_message {
dns_message_t *msg;
ISC_LINK(dig_message_t) link;
};
#endif
typedef ISC_LIST(dig_searchlist_t) dig_searchlistlist_t;
typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
/*
* Externals from dighost.c
*/
extern dig_lookuplist_t lookup_list;
extern dig_serverlist_t server_list;
extern dig_searchlistlist_t search_list;
extern unsigned int extrabytes;
extern isc_boolean_t check_ra, have_ipv4, have_ipv6, specified_source,
usesearch, showsearch, qr;
extern in_port_t port;
extern unsigned int timeout;
extern isc_mem_t *mctx;
extern dns_messageid_t id;
extern int sendcount;
extern int ndots;
extern int lookup_counter;
extern int exitcode;
extern isc_sockaddr_t bind_address;
extern char keynametext[MXNAME];
extern char keyfile[MXNAME];
extern char keysecret[MXNAME];
extern dns_name_t *hmacname;
extern unsigned int digestbits;
#ifdef DIG_SIGCHASE
extern char trustedkey[MXNAME];
#endif
extern dns_tsigkey_t *key;
extern isc_boolean_t validated;
extern isc_taskmgr_t *taskmgr;
extern isc_task_t *global_task;
extern isc_boolean_t free_now;
extern isc_boolean_t debugging, memdebugging;
extern char *progname;
extern int tries;
extern int fatalexit;
#ifdef WITH_IDN
extern int idnoptions;
#endif
/*
* Routines in dighost.c.
*/
isc_result_t
get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr);
int
getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp);
isc_result_t
get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
isc_boolean_t strict);
ISC_PLATFORM_NORETURN_PRE void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
void
debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
void
check_result(isc_result_t result, const char *msg);
void
setup_lookup(dig_lookup_t *lookup);
void
destroy_lookup(dig_lookup_t *lookup);
void
do_lookup(dig_lookup_t *lookup);
void
start_lookup(void);
void
onrun_callback(isc_task_t *task, isc_event_t *event);
int
dhmain(int argc, char **argv);
void
setup_libs(void);
void
setup_system(void);
isc_result_t
parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
const char *desc);
void
parse_hmac(const char *hmacstr);
dig_lookup_t *
requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
dig_lookup_t *
make_empty_lookup(void);
dig_lookup_t *
clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
dig_server_t *
make_server(const char *servname, const char *userarg);
void
flush_server_list(void);
void
set_nameserver(char *opt);
void
clone_server_list(dig_serverlist_t src,
dig_serverlist_t *dest);
void
cancel_all(void);
void
destroy_libs(void);
void
set_search_domain(char *domain);
#ifdef DIG_SIGCHASE
void
clean_trustedkey(void);
#endif
/*
* Routines to be defined in dig.c, host.c, and nslookup.c.
*/
#ifdef DIG_SIGCHASE
isc_result_t
printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
isc_buffer_t *target);
#endif
isc_result_t
printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
/*%<
* Print the final result of the lookup.
*/
void
received(int bytes, isc_sockaddr_t *from, dig_query_t *query);
/*%<
* Print a message about where and when the response
* was received from, like the final comment in the
* output of "dig".
*/
void
trying(char *frm, dig_lookup_t *lookup);
void
dighost_shutdown(void);
char *
next_token(char **stringp, const char *delim);
#ifdef DIG_SIGCHASE
/* Chasing functions */
dns_rdataset_t *
chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers);
void
chase_sig(dns_message_t *msg);
#endif
ISC_LANG_ENDDECLS
#endif

258
contrib/bind9/bin/dig/nslookup.1
View file

@ -1,258 +0,0 @@
.\" Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: nslookup
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: Jun 30, 2000
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
nslookup \- query Internet name servers interactively
.SH "SYNOPSIS"
.HP 9
\fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server]
.SH "DESCRIPTION"
.PP
\fBNslookup\fR
is a program to query Internet domain name servers.
\fBNslookup\fR
has two modes: interactive and non\-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non\-interactive mode is used to print just the name and requested information for a host or domain.
.SH "ARGUMENTS"
.PP
Interactive mode is entered in the following cases:
.TP 4
1.
when no arguments are given (the default name server will be used)
.TP 4
2.
when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server.
.sp
.RE
.PP
Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
.PP
Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
.sp
.RS 4
.nf
nslookup \-query=hinfo \-timeout=10
.fi
.RE
.sp
.SH "INTERACTIVE COMMANDS"
.PP
\fBhost\fR [server]
.RS 4
Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
.sp
To look up a host not in the current domain, append a period to the name.
.RE
.PP
\fBserver\fR \fIdomain\fR
.RS 4
.RE
.PP
\fBlserver\fR \fIdomain\fR
.RS 4
Change the default server to
\fIdomain\fR;
\fBlserver\fR
uses the initial server to look up information about
\fIdomain\fR, while
\fBserver\fR
uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
.RE
.PP
\fBroot\fR
.RS 4
not implemented
.RE
.PP
\fBfinger\fR
.RS 4
not implemented
.RE
.PP
\fBls\fR
.RS 4
not implemented
.RE
.PP
\fBview\fR
.RS 4
not implemented
.RE
.PP
\fBhelp\fR
.RS 4
not implemented
.RE
.PP
\fB?\fR
.RS 4
not implemented
.RE
.PP
\fBexit\fR
.RS 4
Exits the program.
.RE
.PP
\fBset\fR \fIkeyword\fR\fI[=value]\fR
.RS 4
This command is used to change state information that affects the lookups. Valid keywords are:
.RS 4
.PP
\fBall\fR
.RS 4
Prints the current values of the frequently used options to
\fBset\fR. Information about the current default server and host is also printed.
.RE
.PP
\fBclass=\fR\fIvalue\fR
.RS 4
Change the query class to one of:
.RS 4
.PP
\fBIN\fR
.RS 4
the Internet class
.RE
.PP
\fBCH\fR
.RS 4
the Chaos class
.RE
.PP
\fBHS\fR
.RS 4
the Hesiod class
.RE
.PP
\fBANY\fR
.RS 4
wildcard
.RE
.RE
.IP "" 4
The class specifies the protocol group of the information.
.sp
(Default = IN; abbreviation = cl)
.RE
.PP
\fB \fR\fB\fI[no]\fR\fR\fBdebug\fR
.RS 4
Turn on or off the display of the full response packet and any intermediate response packets when searching.
.sp
(Default = nodebug; abbreviation =
[no]deb)
.RE
.PP
\fB \fR\fB\fI[no]\fR\fR\fBd2\fR
.RS 4
Turn debugging mode on or off. This displays more about what nslookup is doing.
.sp
(Default = nod2)
.RE
.PP
\fBdomain=\fR\fIname\fR
.RS 4
Sets the search list to
\fIname\fR.
.RE
.PP
\fB \fR\fB\fI[no]\fR\fR\fBsearch\fR
.RS 4
If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
.sp
(Default = search)
.RE
.PP
\fBport=\fR\fIvalue\fR
.RS 4
Change the default TCP/UDP name server port to
\fIvalue\fR.
.sp
(Default = 53; abbreviation = po)
.RE
.PP
\fBquerytype=\fR\fIvalue\fR
.RS 4
.RE
.PP
\fBtype=\fR\fIvalue\fR
.RS 4
Change the type of the information query.
.sp
(Default = A; abbreviations = q, ty)
.RE
.PP
\fB \fR\fB\fI[no]\fR\fR\fBrecurse\fR
.RS 4
Tell the name server to query other servers if it does not have the information.
.sp
(Default = recurse; abbreviation = [no]rec)
.RE
.PP
\fBretry=\fR\fInumber\fR
.RS 4
Set the number of retries to number.
.RE
.PP
\fBtimeout=\fR\fInumber\fR
.RS 4
Change the initial timeout interval for waiting for a reply to number seconds.
.RE
.PP
\fB \fR\fB\fI[no]\fR\fR\fBvc\fR
.RS 4
Always use a virtual circuit when sending requests to the server.
.sp
(Default = novc)
.RE
.PP
\fB \fR\fB\fI[no]\fR\fR\fBfail\fR
.RS 4
Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.
.sp
(Default = nofail)
.RE
.RE
.IP "" 4
.RE
.SH "FILES"
.PP
\fI/etc/resolv.conf\fR
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBhost\fR(1),
\fBnamed\fR(8).
.SH "AUTHOR"
.PP
Andrew Cherenson
.SH "COPYRIGHT"
Copyright \(co 2004\-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
.br

921
contrib/bind9/bin/dig/nslookup.c
View file

@ -1,921 +0,0 @@
/*
* Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nslookup.c,v 1.130 2011/12/16 23:01:16 each Exp $ */
#include <config.h>
#include <stdlib.h>
#include <unistd.h>
#include <isc/app.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/event.h>
#include <isc/parseint.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/timer.h>
#include <isc/util.h>
#include <isc/task.h>
#include <isc/netaddr.h>
#include <dns/message.h>
#include <dns/name.h>
#include <dns/fixedname.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/byaddr.h>
#include <dig/dig.h>
#if defined(HAVE_READLINE)
#include <readline/readline.h>
#include <readline/history.h>
#endif
static isc_boolean_t short_form = ISC_TRUE,
tcpmode = ISC_FALSE,
identify = ISC_FALSE, stats = ISC_TRUE,
comments = ISC_TRUE, section_question = ISC_TRUE,
section_answer = ISC_TRUE, section_authority = ISC_TRUE,
section_additional = ISC_TRUE, recurse = ISC_TRUE,
aaonly = ISC_FALSE, nofail = ISC_TRUE;
static isc_boolean_t interactive;
static isc_boolean_t in_use = ISC_FALSE;
static char defclass[MXRD] = "IN";
static char deftype[MXRD] = "A";
static isc_event_t *global_event = NULL;
static int query_error = 1, print_error = 0;
static char domainopt[DNS_NAME_MAXTEXT];
static const char *rcodetext[] = {
"NOERROR",
"FORMERR",
"SERVFAIL",
"NXDOMAIN",
"NOTIMP",
"REFUSED",
"YXDOMAIN",
"YXRRSET",
"NXRRSET",
"NOTAUTH",
"NOTZONE",
"RESERVED11",
"RESERVED12",
"RESERVED13",
"RESERVED14",
"RESERVED15",
"BADVERS"
};
static const char *rtypetext[] = {
"rtype_0 = ", /* 0 */
"internet address = ", /* 1 */
"nameserver = ", /* 2 */
"md = ", /* 3 */
"mf = ", /* 4 */
"canonical name = ", /* 5 */
"soa = ", /* 6 */
"mb = ", /* 7 */
"mg = ", /* 8 */
"mr = ", /* 9 */
"rtype_10 = ", /* 10 */
"protocol = ", /* 11 */
"name = ", /* 12 */
"hinfo = ", /* 13 */
"minfo = ", /* 14 */
"mail exchanger = ", /* 15 */
"text = ", /* 16 */
"rp = ", /* 17 */
"afsdb = ", /* 18 */
"x25 address = ", /* 19 */
"isdn address = ", /* 20 */
"rt = ", /* 21 */
"nsap = ", /* 22 */
"nsap_ptr = ", /* 23 */
"signature = ", /* 24 */
"key = ", /* 25 */
"px = ", /* 26 */
"gpos = ", /* 27 */
"has AAAA address ", /* 28 */
"loc = ", /* 29 */
"next = ", /* 30 */
"rtype_31 = ", /* 31 */
"rtype_32 = ", /* 32 */
"service = ", /* 33 */
"rtype_34 = ", /* 34 */
"naptr = ", /* 35 */
"kx = ", /* 36 */
"cert = ", /* 37 */
"v6 address = ", /* 38 */
"dname = ", /* 39 */
"rtype_40 = ", /* 40 */
"optional = " /* 41 */
};
#define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0]))
static void flush_lookup_list(void);
static void getinput(isc_task_t *task, isc_event_t *event);
static char *
rcode_totext(dns_rcode_t rcode)
{
static char buf[sizeof("?65535")];
union {
const char *consttext;
char *deconsttext;
} totext;
if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
snprintf(buf, sizeof(buf), "?%u", rcode);
totext.deconsttext = buf;
} else
totext.consttext = rcodetext[rcode];
return totext.deconsttext;
}
void
dighost_shutdown(void) {
isc_event_t *event = global_event;
flush_lookup_list();
debug("dighost_shutdown()");
if (!in_use) {
isc_app_shutdown();
return;
}
isc_task_send(global_task, &event);
}
static void
printsoa(dns_rdata_t *rdata) {
dns_rdata_soa_t soa;
isc_result_t result;
char namebuf[DNS_NAME_FORMATSIZE];
result = dns_rdata_tostruct(rdata, &soa, NULL);
check_result(result, "dns_rdata_tostruct");
dns_name_format(&soa.origin, namebuf, sizeof(namebuf));
printf("\torigin = %s\n", namebuf);
dns_name_format(&soa.contact, namebuf, sizeof(namebuf));
printf("\tmail addr = %s\n", namebuf);
printf("\tserial = %u\n", soa.serial);
printf("\trefresh = %u\n", soa.refresh);
printf("\tretry = %u\n", soa.retry);
printf("\texpire = %u\n", soa.expire);
printf("\tminimum = %u\n", soa.minimum);
dns_rdata_freestruct(&soa);
}
static void
printa(dns_rdata_t *rdata) {
isc_result_t result;
char text[sizeof("255.255.255.255")];
isc_buffer_t b;
isc_buffer_init(&b, text, sizeof(text));
result = dns_rdata_totext(rdata, NULL, &b);
check_result(result, "dns_rdata_totext");
printf("Address: %.*s\n", (int)isc_buffer_usedlength(&b),
(char *)isc_buffer_base(&b));
}
#ifdef DIG_SIGCHASE
/* Just for compatibility : not use in host program */
isc_result_t
printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
isc_buffer_t *target)
{
UNUSED(owner_name);
UNUSED(rdataset);
UNUSED(target);
return(ISC_FALSE);
}
#endif
static void
printrdata(dns_rdata_t *rdata) {
isc_result_t result;
isc_buffer_t *b = NULL;
unsigned int size = 1024;
isc_boolean_t done = ISC_FALSE;
if (rdata->type < N_KNOWN_RRTYPES)
printf("%s", rtypetext[rdata->type]);
else
printf("rdata_%d = ", rdata->type);
while (!done) {
result = isc_buffer_allocate(mctx, &b, size);
if (result != ISC_R_SUCCESS)
check_result(result, "isc_buffer_allocate");
result = dns_rdata_totext(rdata, NULL, b);
if (result == ISC_R_SUCCESS) {
printf("%.*s\n", (int)isc_buffer_usedlength(b),
(char *)isc_buffer_base(b));
done = ISC_TRUE;
} else if (result != ISC_R_NOSPACE)
check_result(result, "dns_rdata_totext");
isc_buffer_free(&b);
size *= 2;
}
}
static isc_result_t
printsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
dns_section_t section) {
isc_result_t result, loopresult;
dns_name_t *name;
dns_rdataset_t *rdataset = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
char namebuf[DNS_NAME_FORMATSIZE];
UNUSED(query);
UNUSED(headers);
debug("printsection()");
result = dns_message_firstname(msg, section);
if (result == ISC_R_NOMORE)
return (ISC_R_SUCCESS);
else if (result != ISC_R_SUCCESS)
return (result);
for (;;) {
name = NULL;
dns_message_currentname(msg, section,
&name);
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
loopresult = dns_rdataset_first(rdataset);
while (loopresult == ISC_R_SUCCESS) {
dns_rdataset_current(rdataset, &rdata);
switch (rdata.type) {
case dns_rdatatype_a:
if (section != DNS_SECTION_ANSWER)
goto def_short_section;
dns_name_format(name, namebuf,
sizeof(namebuf));
printf("Name:\t%s\n", namebuf);
printa(&rdata);
break;
case dns_rdatatype_soa:
dns_name_format(name, namebuf,
sizeof(namebuf));
printf("%s\n", namebuf);
printsoa(&rdata);
break;
default:
def_short_section:
dns_name_format(name, namebuf,
sizeof(namebuf));
printf("%s\t", namebuf);
printrdata(&rdata);
break;
}
dns_rdata_reset(&rdata);
loopresult = dns_rdataset_next(rdataset);
}
}
result = dns_message_nextname(msg, section);
if (result == ISC_R_NOMORE)
break;
else if (result != ISC_R_SUCCESS) {
return (result);
}
}
return (ISC_R_SUCCESS);
}
static isc_result_t
detailsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
dns_section_t section) {
isc_result_t result, loopresult;
dns_name_t *name;
dns_rdataset_t *rdataset = NULL;
dns_rdata_t rdata = DNS_RDATA_INIT;
char namebuf[DNS_NAME_FORMATSIZE];
UNUSED(query);
debug("detailsection()");
if (headers) {
switch (section) {
case DNS_SECTION_QUESTION:
puts(" QUESTIONS:");
break;
case DNS_SECTION_ANSWER:
puts(" ANSWERS:");
break;
case DNS_SECTION_AUTHORITY:
puts(" AUTHORITY RECORDS:");
break;
case DNS_SECTION_ADDITIONAL:
puts(" ADDITIONAL RECORDS:");
break;
}
}
result = dns_message_firstname(msg, section);
if (result == ISC_R_NOMORE)
return (ISC_R_SUCCESS);
else if (result != ISC_R_SUCCESS)
return (result);
for (;;) {
name = NULL;
dns_message_currentname(msg, section,
&name);
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
if (section == DNS_SECTION_QUESTION) {
dns_name_format(name, namebuf,
sizeof(namebuf));
printf("\t%s, ", namebuf);
dns_rdatatype_format(rdataset->type,
namebuf,
sizeof(namebuf));
printf("type = %s, ", namebuf);
dns_rdataclass_format(rdataset->rdclass,
namebuf,
sizeof(namebuf));
printf("class = %s\n", namebuf);
}
loopresult = dns_rdataset_first(rdataset);
while (loopresult == ISC_R_SUCCESS) {
dns_rdataset_current(rdataset, &rdata);
dns_name_format(name, namebuf,
sizeof(namebuf));
printf(" -> %s\n", namebuf);
switch (rdata.type) {
case dns_rdatatype_soa:
printsoa(&rdata);
break;
default:
printf("\t");
printrdata(&rdata);
}
dns_rdata_reset(&rdata);
printf("\tttl = %u\n", rdataset->ttl);
loopresult = dns_rdataset_next(rdataset);
}
}
result = dns_message_nextname(msg, section);
if (result == ISC_R_NOMORE)
break;
else if (result != ISC_R_SUCCESS) {
return (result);
}
}
return (ISC_R_SUCCESS);
}
void
received(int bytes, isc_sockaddr_t *from, dig_query_t *query)
{
UNUSED(bytes);
UNUSED(from);
UNUSED(query);
}
void
trying(char *frm, dig_lookup_t *lookup) {
UNUSED(frm);
UNUSED(lookup);
}
isc_result_t
printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
char servtext[ISC_SOCKADDR_FORMATSIZE];
/* I've we've gotten this far, we've reached a server. */
query_error = 0;
debug("printmessage()");
isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
printf("Server:\t\t%s\n", query->userarg);
printf("Address:\t%s\n", servtext);
puts("");
if (!short_form) {
isc_boolean_t headers = ISC_TRUE;
puts("------------");
/* detailheader(query, msg);*/
detailsection(query, msg, headers, DNS_SECTION_QUESTION);
detailsection(query, msg, headers, DNS_SECTION_ANSWER);
detailsection(query, msg, headers, DNS_SECTION_AUTHORITY);
detailsection(query, msg, headers, DNS_SECTION_ADDITIONAL);
puts("------------");
}
if (msg->rcode != 0) {
char nametext[DNS_NAME_FORMATSIZE];
dns_name_format(query->lookup->name,
nametext, sizeof(nametext));
printf("** server can't find %s: %s\n",
(msg->rcode != dns_rcode_nxdomain) ? nametext :
query->lookup->textname, rcode_totext(msg->rcode));
debug("returning with rcode == 0");
/* the lookup failed */
print_error |= 1;
return (ISC_R_SUCCESS);
}
if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0)
puts("Non-authoritative answer:");
if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER]))
printsection(query, msg, headers, DNS_SECTION_ANSWER);
else
printf("*** Can't find %s: No answer\n",
query->lookup->textname);
if (((msg->flags & DNS_MESSAGEFLAG_AA) == 0) &&
(query->lookup->rdtype != dns_rdatatype_a)) {
puts("\nAuthoritative answers can be found from:");
printsection(query, msg, headers,
DNS_SECTION_AUTHORITY);
printsection(query, msg, headers,
DNS_SECTION_ADDITIONAL);
}
return (ISC_R_SUCCESS);
}
static void
show_settings(isc_boolean_t full, isc_boolean_t serv_only) {
dig_server_t *srv;
isc_sockaddr_t sockaddr;
dig_searchlist_t *listent;
isc_result_t result;
srv = ISC_LIST_HEAD(server_list);
while (srv != NULL) {
char sockstr[ISC_SOCKADDR_FORMATSIZE];
result = get_address(srv->servername, port, &sockaddr);
check_result(result, "get_address");
isc_sockaddr_format(&sockaddr, sockstr, sizeof(sockstr));
printf("Default server: %s\nAddress: %s\n",
srv->userarg, sockstr);
if (!full)
return;
srv = ISC_LIST_NEXT(srv, link);
}
if (serv_only)
return;
printf("\nSet options:\n");
printf(" %s\t\t\t%s\t\t%s\n",
tcpmode ? "vc" : "novc",
short_form ? "nodebug" : "debug",
debugging ? "d2" : "nod2");
printf(" %s\t\t%s\n",
usesearch ? "search" : "nosearch",
recurse ? "recurse" : "norecurse");
printf(" timeout = %d\t\tretry = %d\tport = %d\n",
timeout, tries, port);
printf(" querytype = %-8s\tclass = %s\n", deftype, defclass);
printf(" srchlist = ");
for (listent = ISC_LIST_HEAD(search_list);
listent != NULL;
listent = ISC_LIST_NEXT(listent, link)) {
printf("%s", listent->origin);
if (ISC_LIST_NEXT(listent, link) != NULL)
printf("/");
}
printf("\n");
}
static isc_boolean_t
testtype(char *typetext) {
isc_result_t result;
isc_textregion_t tr;
dns_rdatatype_t rdtype;
tr.base = typetext;
tr.length = strlen(typetext);
result = dns_rdatatype_fromtext(&rdtype, &tr);
if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
else {
printf("unknown query type: %s\n", typetext);
return (ISC_FALSE);
}
}
static isc_boolean_t
testclass(char *typetext) {
isc_result_t result;
isc_textregion_t tr;
dns_rdataclass_t rdclass;
tr.base = typetext;
tr.length = strlen(typetext);
result = dns_rdataclass_fromtext(&rdclass, &tr);
if (result == ISC_R_SUCCESS)
return (ISC_TRUE);
else {
printf("unknown query class: %s\n", typetext);
return (ISC_FALSE);
}
}
static void
set_port(const char *value) {
isc_uint32_t n;
isc_result_t result = parse_uint(&n, value, 65535, "port");
if (result == ISC_R_SUCCESS)
port = (isc_uint16_t) n;
}
static void
set_timeout(const char *value) {
isc_uint32_t n;
isc_result_t result = parse_uint(&n, value, UINT_MAX, "timeout");
if (result == ISC_R_SUCCESS)
timeout = n;
}
static void
set_tries(const char *value) {
isc_uint32_t n;
isc_result_t result = parse_uint(&n, value, INT_MAX, "tries");
if (result == ISC_R_SUCCESS)
tries = n;
}
static void
setoption(char *opt) {
if (strncasecmp(opt, "all", 4) == 0) {
show_settings(ISC_TRUE, ISC_FALSE);
} else if (strncasecmp(opt, "class=", 6) == 0) {
if (testclass(&opt[6]))
strlcpy(defclass, &opt[6], sizeof(defclass));
} else if (strncasecmp(opt, "cl=", 3) == 0) {
if (testclass(&opt[3]))
strlcpy(defclass, &opt[3], sizeof(defclass));
} else if (strncasecmp(opt, "type=", 5) == 0) {
if (testtype(&opt[5]))
strlcpy(deftype, &opt[5], sizeof(deftype));
} else if (strncasecmp(opt, "ty=", 3) == 0) {
if (testtype(&opt[3]))
strlcpy(deftype, &opt[3], sizeof(deftype));
} else if (strncasecmp(opt, "querytype=", 10) == 0) {
if (testtype(&opt[10]))
strlcpy(deftype, &opt[10], sizeof(deftype));
} else if (strncasecmp(opt, "query=", 6) == 0) {
if (testtype(&opt[6]))
strlcpy(deftype, &opt[6], sizeof(deftype));
} else if (strncasecmp(opt, "qu=", 3) == 0) {
if (testtype(&opt[3]))
strlcpy(deftype, &opt[3], sizeof(deftype));
} else if (strncasecmp(opt, "q=", 2) == 0) {
if (testtype(&opt[2]))
strlcpy(deftype, &opt[2], sizeof(deftype));
} else if (strncasecmp(opt, "domain=", 7) == 0) {
strlcpy(domainopt, &opt[7], sizeof(domainopt));
set_search_domain(domainopt);
usesearch = ISC_TRUE;
} else if (strncasecmp(opt, "do=", 3) == 0) {
strlcpy(domainopt, &opt[3], sizeof(domainopt));
set_search_domain(domainopt);
usesearch = ISC_TRUE;
} else if (strncasecmp(opt, "port=", 5) == 0) {
set_port(&opt[5]);
} else if (strncasecmp(opt, "po=", 3) == 0) {
set_port(&opt[3]);
} else if (strncasecmp(opt, "timeout=", 8) == 0) {
set_timeout(&opt[8]);
} else if (strncasecmp(opt, "t=", 2) == 0) {
set_timeout(&opt[2]);
} else if (strncasecmp(opt, "rec", 3) == 0) {
recurse = ISC_TRUE;
} else if (strncasecmp(opt, "norec", 5) == 0) {
recurse = ISC_FALSE;
} else if (strncasecmp(opt, "retry=", 6) == 0) {
set_tries(&opt[6]);
} else if (strncasecmp(opt, "ret=", 4) == 0) {
set_tries(&opt[4]);
} else if (strncasecmp(opt, "def", 3) == 0) {
usesearch = ISC_TRUE;
} else if (strncasecmp(opt, "nodef", 5) == 0) {
usesearch = ISC_FALSE;
} else if (strncasecmp(opt, "vc", 3) == 0) {
tcpmode = ISC_TRUE;
} else if (strncasecmp(opt, "novc", 5) == 0) {
tcpmode = ISC_FALSE;
} else if (strncasecmp(opt, "deb", 3) == 0) {
short_form = ISC_FALSE;
showsearch = ISC_TRUE;
} else if (strncasecmp(opt, "nodeb", 5) == 0) {
short_form = ISC_TRUE;
showsearch = ISC_FALSE;
} else if (strncasecmp(opt, "d2", 2) == 0) {
debugging = ISC_TRUE;
} else if (strncasecmp(opt, "nod2", 4) == 0) {
debugging = ISC_FALSE;
} else if (strncasecmp(opt, "search", 3) == 0) {
usesearch = ISC_TRUE;
} else if (strncasecmp(opt, "nosearch", 5) == 0) {
usesearch = ISC_FALSE;
} else if (strncasecmp(opt, "sil", 3) == 0) {
/* deprecation_msg = ISC_FALSE; */
} else if (strncasecmp(opt, "fail", 3) == 0) {
nofail=ISC_FALSE;
} else if (strncasecmp(opt, "nofail", 3) == 0) {
nofail=ISC_TRUE;
} else {
printf("*** Invalid option: %s\n", opt);
}
}
static void
addlookup(char *opt) {
dig_lookup_t *lookup;
isc_result_t result;
isc_textregion_t tr;
dns_rdatatype_t rdtype;
dns_rdataclass_t rdclass;
char store[MXNAME];
debug("addlookup()");
tr.base = deftype;
tr.length = strlen(deftype);
result = dns_rdatatype_fromtext(&rdtype, &tr);
if (result != ISC_R_SUCCESS) {
printf("unknown query type: %s\n", deftype);
rdclass = dns_rdatatype_a;
}
tr.base = defclass;
tr.length = strlen(defclass);
result = dns_rdataclass_fromtext(&rdclass, &tr);
if (result != ISC_R_SUCCESS) {
printf("unknown query class: %s\n", defclass);
rdclass = dns_rdataclass_in;
}
lookup = make_empty_lookup();
if (get_reverse(store, sizeof(store), opt, lookup->ip6_int, ISC_TRUE)
== ISC_R_SUCCESS) {
strlcpy(lookup->textname, store, sizeof(lookup->textname));
lookup->rdtype = dns_rdatatype_ptr;
lookup->rdtypeset = ISC_TRUE;
} else {
strlcpy(lookup->textname, opt, sizeof(lookup->textname));
lookup->rdtype = rdtype;
lookup->rdtypeset = ISC_TRUE;
}
lookup->rdclass = rdclass;
lookup->rdclassset = ISC_TRUE;
lookup->trace = ISC_FALSE;
lookup->trace_root = lookup->trace;
lookup->ns_search_only = ISC_FALSE;
lookup->identify = identify;
lookup->recurse = recurse;
lookup->aaonly = aaonly;
lookup->retries = tries;
lookup->udpsize = 0;
lookup->comments = comments;
lookup->tcp_mode = tcpmode;
lookup->stats = stats;
lookup->section_question = section_question;
lookup->section_answer = section_answer;
lookup->section_authority = section_authority;
lookup->section_additional = section_additional;
lookup->new_search = ISC_TRUE;
if (nofail)
lookup->servfail_stops = ISC_FALSE;
ISC_LIST_INIT(lookup->q);
ISC_LINK_INIT(lookup, link);
ISC_LIST_APPEND(lookup_list, lookup, link);
lookup->origin = NULL;
ISC_LIST_INIT(lookup->my_server_list);
debug("looking up %s", lookup->textname);
}
static void
do_next_command(char *input) {
char *ptr, *arg;
ptr = next_token(&input, " \t\r\n");
if (ptr == NULL)
return;
arg = next_token(&input, " \t\r\n");
if ((strcasecmp(ptr, "set") == 0) &&
(arg != NULL))
setoption(arg);
else if ((strcasecmp(ptr, "server") == 0) ||
(strcasecmp(ptr, "lserver") == 0)) {
isc_app_block();
set_nameserver(arg);
check_ra = ISC_FALSE;
isc_app_unblock();
show_settings(ISC_TRUE, ISC_TRUE);
} else if (strcasecmp(ptr, "exit") == 0) {
in_use = ISC_FALSE;
} else if (strcasecmp(ptr, "help") == 0 ||
strcasecmp(ptr, "?") == 0) {
printf("The '%s' command is not yet implemented.\n", ptr);
} else if (strcasecmp(ptr, "finger") == 0 ||
strcasecmp(ptr, "root") == 0 ||
strcasecmp(ptr, "ls") == 0 ||
strcasecmp(ptr, "view") == 0) {
printf("The '%s' command is not implemented.\n", ptr);
} else
addlookup(ptr);
}
static void
get_next_command(void) {
char *buf;
char *ptr;
fflush(stdout);
buf = isc_mem_allocate(mctx, COMMSIZE);
if (buf == NULL)
fatal("memory allocation failure");
isc_app_block();
if (interactive) {
#ifdef HAVE_READLINE
ptr = readline("> ");
if (ptr != NULL && *ptr != '\0')
add_history(ptr);
#else
fputs("> ", stderr);
fflush(stderr);
ptr = fgets(buf, COMMSIZE, stdin);
#endif
} else
ptr = fgets(buf, COMMSIZE, stdin);
isc_app_unblock();
if (ptr == NULL) {
in_use = ISC_FALSE;
} else
do_next_command(ptr);
#ifdef HAVE_READLINE
if (interactive)
free(ptr);
#endif
isc_mem_free(mctx, buf);
}
static void
parse_args(int argc, char **argv) {
isc_boolean_t have_lookup = ISC_FALSE;
usesearch = ISC_TRUE;
for (argc--, argv++; argc > 0; argc--, argv++) {
debug("main parsing %s", argv[0]);
if (argv[0][0] == '-') {
if (argv[0][1] != 0)
setoption(&argv[0][1]);
else
have_lookup = ISC_TRUE;
} else {
if (!have_lookup) {
have_lookup = ISC_TRUE;
in_use = ISC_TRUE;
addlookup(argv[0]);
} else {
set_nameserver(argv[0]);
check_ra = ISC_FALSE;
}
}
}
}
static void
flush_lookup_list(void) {
dig_lookup_t *l, *lp;
dig_query_t *q, *qp;
dig_server_t *s, *sp;
lookup_counter = 0;
l = ISC_LIST_HEAD(lookup_list);
while (l != NULL) {
q = ISC_LIST_HEAD(l->q);
while (q != NULL) {
if (q->sock != NULL) {
isc_socket_cancel(q->sock, NULL,
ISC_SOCKCANCEL_ALL);
isc_socket_detach(&q->sock);
}
if (ISC_LINK_LINKED(&q->recvbuf, link))
ISC_LIST_DEQUEUE(q->recvlist, &q->recvbuf,
link);
if (ISC_LINK_LINKED(&q->lengthbuf, link))
ISC_LIST_DEQUEUE(q->lengthlist, &q->lengthbuf,
link);
isc_buffer_invalidate(&q->recvbuf);
isc_buffer_invalidate(&q->lengthbuf);
qp = q;
q = ISC_LIST_NEXT(q, link);
ISC_LIST_DEQUEUE(l->q, qp, link);
isc_mem_free(mctx, qp);
}
s = ISC_LIST_HEAD(l->my_server_list);
while (s != NULL) {
sp = s;
s = ISC_LIST_NEXT(s, link);
ISC_LIST_DEQUEUE(l->my_server_list, sp, link);
isc_mem_free(mctx, sp);
}
if (l->sendmsg != NULL)
dns_message_destroy(&l->sendmsg);
if (l->timer != NULL)
isc_timer_detach(&l->timer);
lp = l;
l = ISC_LIST_NEXT(l, link);
ISC_LIST_DEQUEUE(lookup_list, lp, link);
isc_mem_free(mctx, lp);
}
}
static void
getinput(isc_task_t *task, isc_event_t *event) {
UNUSED(task);
if (global_event == NULL)
global_event = event;
while (in_use) {
get_next_command();
if (ISC_LIST_HEAD(lookup_list) != NULL) {
start_lookup();
return;
}
}
isc_app_shutdown();
}
int
main(int argc, char **argv) {
isc_result_t result;
interactive = ISC_TF(isatty(0));
ISC_LIST_INIT(lookup_list);
ISC_LIST_INIT(server_list);
ISC_LIST_INIT(search_list);
check_ra = ISC_TRUE;
result = isc_app_start();
check_result(result, "isc_app_start");
setup_libs();
progname = argv[0];
parse_args(argc, argv);
setup_system();
if (domainopt[0] != '\0')
set_search_domain(domainopt);
if (in_use)
result = isc_app_onrun(mctx, global_task, onrun_callback,
NULL);
else
result = isc_app_onrun(mctx, global_task, getinput, NULL);
check_result(result, "isc_app_onrun");
in_use = ISC_TF(!in_use);
(void)isc_app_run();
puts("");
debug("done, and starting to shut down");
if (global_event != NULL)
isc_event_free(&global_event);
cancel_all();
destroy_libs();
isc_app_finish();
return (query_error | print_error);
}

497
contrib/bind9/bin/dig/nslookup.docbook
View file

@ -1,497 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nslookup.docbook,v 1.18 2010/02/22 23:49:11 tbox Exp $ -->
<!--
- Copyright (c) 1985, 1989
- The Regents of the University of California. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- 3. All advertising materials mentioning features or use of this software
- must display the following acknowledgement:
- This product includes software developed by the University of
- California, Berkeley and its contributors.
- 4. Neither the name of the University nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
- THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-->
<refentry>
<refentryinfo>
<date>Jun 30, 2000</date>
</refentryinfo>
<refmeta>
<refentrytitle>nslookup</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname>nslookup</refname>
<refpurpose>query Internet name servers interactively</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2010</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>nslookup</command>
<arg><option>-option</option></arg>
<arg choice="opt">name | -</arg>
<arg choice="opt">server</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>Nslookup</command>
is a program to query Internet domain name servers. <command>Nslookup</command>
has two modes: interactive and non-interactive. Interactive mode allows
the user to query name servers for information about various hosts and
domains or to print a list of hosts in a domain. Non-interactive mode
is
used to print just the name and requested information for a host or
domain.
</para>
</refsect1>
<refsect1>
<title>ARGUMENTS</title>
<para>
Interactive mode is entered in the following cases:
<orderedlist numeration="loweralpha">
<listitem>
<para>
when no arguments are given (the default name server will be used)
</para>
</listitem>
<listitem>
<para>
when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
</para>
</listitem>
</orderedlist>
</para>
<para>
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
</para>
<para>
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to
change the default query type to host information, and the initial
timeout to 10 seconds, type:
<!-- <informalexample> produces bad nroff. -->
<programlisting>
nslookup -query=hinfo -timeout=10
</programlisting>
<!-- </informalexample> -->
</para>
</refsect1>
<refsect1>
<title>INTERACTIVE COMMANDS</title>
<variablelist>
<varlistentry>
<term><constant>host</constant> <optional>server</optional></term>
<listitem>
<para>
Look up information for host using the current default server or
using server, if specified. If host is an Internet address and
the query type is A or PTR, the name of the host is returned.
If host is a name and does not have a trailing period, the
search list is used to qualify the name.
</para>
<para>
To look up a host not in the current domain, append a period to
the name.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para/>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
the current default server. If an authoritative answer can't be
found, the names of servers that might have the answer are
returned.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>root</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>finger</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>ls</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>view</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>help</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>?</constant></term>
<listitem>
<para>
not implemented
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>exit</constant></term>
<listitem>
<para>
Exits the program.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>set</constant>
<replaceable>keyword<optional>=value</optional></replaceable></term>
<listitem>
<para>
This command is used to change state information that affects
the lookups. Valid keywords are:
<variablelist>
<varlistentry>
<term><constant>all</constant></term>
<listitem>
<para>
Prints the current values of the frequently used
options to <command>set</command>.
Information about the current default
server and host is also printed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>class=</constant><replaceable>value</replaceable></term>
<listitem>
<para>
Change the query class to one of:
<variablelist>
<varlistentry>
<term><constant>IN</constant></term>
<listitem>
<para>
the Internet class
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>CH</constant></term>
<listitem>
<para>
the Chaos class
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>HS</constant></term>
<listitem>
<para>
the Hesiod class
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>ANY</constant></term>
<listitem>
<para>
wildcard
</para>
</listitem>
</varlistentry>
</variablelist>
The class specifies the protocol group of the information.
</para>
<para>
(Default = IN; abbreviation = cl)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>
<replaceable><optional>no</optional></replaceable>debug</constant></term>
<listitem>
<para>
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</para>
<para>
(Default = nodebug; abbreviation = <optional>no</optional>deb)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>
<replaceable><optional>no</optional></replaceable>d2</constant></term>
<listitem>
<para>
Turn debugging mode on or off. This displays more about
what nslookup is doing.
</para>
<para>
(Default = nod2)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>domain=</constant><replaceable>name</replaceable></term>
<listitem>
<para>
Sets the search list to <replaceable>name</replaceable>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>
<replaceable><optional>no</optional></replaceable>search</constant></term>
<listitem>
<para>
If the lookup request contains at least one period but
doesn't end with a trailing period, append the domain
names in the domain search list to the request until an
answer is received.
</para>
<para>
(Default = search)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>port=</constant><replaceable>value</replaceable></term>
<listitem>
<para>
Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
</para>
<para>
(Default = 53; abbreviation = po)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>querytype=</constant><replaceable>value</replaceable></term>
<listitem>
<para/>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>type=</constant><replaceable>value</replaceable></term>
<listitem>
<para>
Change the type of the information query.
</para>
<para>
(Default = A; abbreviations = q, ty)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>
<replaceable><optional>no</optional></replaceable>recurse</constant></term>
<listitem>
<para>
Tell the name server to query other servers if it does not
have the
information.
</para>
<para>
(Default = recurse; abbreviation = [no]rec)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>retry=</constant><replaceable>number</replaceable></term>
<listitem>
<para>
Set the number of retries to number.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>timeout=</constant><replaceable>number</replaceable></term>
<listitem>
<para>
Change the initial timeout interval for waiting for a
reply to number seconds.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>
<replaceable><optional>no</optional></replaceable>vc</constant></term>
<listitem>
<para>
Always use a virtual circuit when sending requests to the
server.
</para>
<para>
(Default = novc)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><constant>
<replaceable><optional>no</optional></replaceable>fail</constant></term>
<listitem>
<para>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</para>
<para>
(Default = nofail)
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para><filename>/etc/resolv.conf</filename>
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
<refsect1>
<title>Author</title>
<para>
Andrew Cherenson
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

309
contrib/bind9/bin/dig/nslookup.html
View file

@ -1,309 +0,0 @@
<!--
- Copyright (C) 2004-2007, 2010 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>nslookup</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="id2476277"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>nslookup &#8212; query Internet name servers interactively</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">nslookup</code> [<code class="option">-option</code>] [name | -] [server]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543361"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">Nslookup</strong></span>
is a program to query Internet domain name servers. <span><strong class="command">Nslookup</strong></span>
has two modes: interactive and non-interactive. Interactive mode allows
the user to query name servers for information about various hosts and
domains or to print a list of hosts in a domain. Non-interactive mode
is
used to print just the name and requested information for a host or
domain.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543377"></a><h2>ARGUMENTS</h2>
<p>
Interactive mode is entered in the following cases:
</p>
<div class="orderedlist"><ol type="a">
<li><p>
when no arguments are given (the default name server will be used)
</p></li>
<li><p>
when the first argument is a hyphen (-) and the second argument is
the host name or Internet address of a name server.
</p></li>
</ol></div>
<p>
</p>
<p>
Non-interactive mode is used when the name or Internet address of the
host to be looked up is given as the first argument. The optional second
argument specifies the host name or address of a name server.
</p>
<p>
Options can also be specified on the command line if they precede the
arguments and are prefixed with a hyphen. For example, to
change the default query type to host information, and the initial
timeout to 10 seconds, type:
</p>
<pre class="programlisting">
nslookup -query=hinfo -timeout=10
</pre>
<p>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543420"></a><h2>INTERACTIVE COMMANDS</h2>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">host</code> [<span class="optional">server</span>]</span></dt>
<dd>
<p>
Look up information for host using the current default server or
using server, if specified. If host is an Internet address and
the query type is A or PTR, the name of the host is returned.
If host is a name and does not have a trailing period, the
search list is used to qualify the name.
</p>
<p>
To look up a host not in the current domain, append a period to
the name.
</p>
</dd>
<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p></p></dd>
<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
the current default server. If an authoritative answer can't be
found, the names of servers that might have the answer are
returned.
</p></dd>
<dt><span class="term"><code class="constant">root</code></span></dt>
<dd><p>
not implemented
</p></dd>
<dt><span class="term"><code class="constant">finger</code></span></dt>
<dd><p>
not implemented
</p></dd>
<dt><span class="term"><code class="constant">ls</code></span></dt>
<dd><p>
not implemented
</p></dd>
<dt><span class="term"><code class="constant">view</code></span></dt>
<dd><p>
not implemented
</p></dd>
<dt><span class="term"><code class="constant">help</code></span></dt>
<dd><p>
not implemented
</p></dd>
<dt><span class="term"><code class="constant">?</code></span></dt>
<dd><p>
not implemented
</p></dd>
<dt><span class="term"><code class="constant">exit</code></span></dt>
<dd><p>
Exits the program.
</p></dd>
<dt><span class="term"><code class="constant">set</code>
<em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
<dd>
<p>
This command is used to change state information that affects
the lookups. Valid keywords are:
</p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">all</code></span></dt>
<dd><p>
Prints the current values of the frequently used
options to <span><strong class="command">set</strong></span>.
Information about the current default
server and host is also printed.
</p></dd>
<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
Change the query class to one of:
</p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">IN</code></span></dt>
<dd><p>
the Internet class
</p></dd>
<dt><span class="term"><code class="constant">CH</code></span></dt>
<dd><p>
the Chaos class
</p></dd>
<dt><span class="term"><code class="constant">HS</code></span></dt>
<dd><p>
the Hesiod class
</p></dd>
<dt><span class="term"><code class="constant">ANY</code></span></dt>
<dd><p>
wildcard
</p></dd>
</dl></div>
<p>
The class specifies the protocol group of the information.
</p>
<p>
(Default = IN; abbreviation = cl)
</p>
</dd>
<dt><span class="term"><code class="constant">
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
<dd>
<p>
Turn on or off the display of the full response packet and
any intermediate response packets when searching.
</p>
<p>
(Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
</p>
</dd>
<dt><span class="term"><code class="constant">
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
<dd>
<p>
Turn debugging mode on or off. This displays more about
what nslookup is doing.
</p>
<p>
(Default = nod2)
</p>
</dd>
<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
<dd><p>
Sets the search list to <em class="replaceable"><code>name</code></em>.
</p></dd>
<dt><span class="term"><code class="constant">
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
<dd>
<p>
If the lookup request contains at least one period but
doesn't end with a trailing period, append the domain
names in the domain search list to the request until an
answer is received.
</p>
<p>
(Default = search)
</p>
</dd>
<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
</p>
<p>
(Default = 53; abbreviation = po)
</p>
</dd>
<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd><p></p></dd>
<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
<dd>
<p>
Change the type of the information query.
</p>
<p>
(Default = A; abbreviations = q, ty)
</p>
</dd>
<dt><span class="term"><code class="constant">
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
<dd>
<p>
Tell the name server to query other servers if it does not
have the
information.
</p>
<p>
(Default = recurse; abbreviation = [no]rec)
</p>
</dd>
<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd><p>
Set the number of retries to number.
</p></dd>
<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
<dd><p>
Change the initial timeout interval for waiting for a
reply to number seconds.
</p></dd>
<dt><span class="term"><code class="constant">
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
<dd>
<p>
Always use a virtual circuit when sending requests to the
server.
</p>
<p>
(Default = novc)
</p>
</dd>
<dt><span class="term"><code class="constant">
<em class="replaceable"><code>[<span class="optional">no</span>]</code></em>fail</code></span></dt>
<dd>
<p>
Try the next nameserver if a nameserver responds with
SERVFAIL or a referral (nofail) or terminate query
(fail) on such a response.
</p>
<p>
(Default = nofail)
</p>
</dd>
</dl></div>
<p>
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2546286"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2546298"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2546332"></a><h2>Author</h2>
<p>
Andrew Cherenson
</p>
</div>
</div></body>
</html>

120
contrib/bind9/bin/dnssec/Makefile.in
View file

@ -1,120 +0,0 @@
# Copyright (C) 2004, 2005, 2007-2009, 2012 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.42.332.1 2011/03/16 06:37:51 each Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
dnssec-verify@EXEEXT@
OBJS = dnssectool.@O@
SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
dnssec-revoke.c dnssec-settime.c dnssec-signzone.c \
dnssec-verify.c dnssectool.c
MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8 \
dnssec-verify.8
HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
dnssec-keygen.html dnssec-revoke.html \
dnssec-settime.html dnssec-signzone.html \
dnssec-verify.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
${FINALBUILDCMD}
dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-revoke.@O@ ${OBJS} ${LIBS}
dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-settime.@O@ ${OBJS} ${LIBS}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
clean distclean::
rm -f ${TARGETS}

157
contrib/bind9/bin/dnssec/dnssec-dsfromkey.8
View file

@ -1,157 +0,0 @@
.\" Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: dnssec\-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: August 26, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DNSSEC\-DSFROMKEY" "8" "August 26, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
dnssec\-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP 17
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
.HP 17
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
.SH "DESCRIPTION"
.PP
\fBdnssec\-dsfromkey\fR
outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
.SH "OPTIONS"
.PP
\-1
.RS 4
Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256).
.RE
.PP
\-2
.RS 4
Use SHA\-256 as the digest algorithm.
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Select the digest algorithm. The value of
\fBalgorithm\fR
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384). These values are case insensitive.
.RE
.PP
\-T \fITTL\fR
.RS 4
Specifies the TTL of the DS records.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Look for key files (or, in keyset mode,
\fIkeyset\-\fR
files) in
\fBdirectory\fR.
.RE
.PP
\-f \fIfile\fR
.RS 4
Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
\fBfile\fR. If the zone name is the same as
\fBfile\fR, then it may be omitted.
.sp
If
\fBfile\fR
is set to
"\-", then the zone data is read from the standard input. This makes it possible to use the output of the
\fBdig\fR
command as input, as in:
.sp
\fBdig dnskey example.com | dnssec\-dsfromkey \-f \- example.com\fR
.RE
.PP
\-A
.RS 4
Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set instead of a DS set. The specified
\fBdomain\fR
is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431.
.RE
.PP
\-s
.RS 4
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class (default is IN). Useful only in keyset or zone file mode.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level.
.RE
.SH "EXAMPLE"
.PP
To build the SHA\-256 DS RR from the
\fBKexample.com.+003+26160\fR
keyfile name, the following command would be issued:
.PP
\fBdnssec\-dsfromkey \-2 Kexample.com.+003+26160\fR
.PP
The command would print something like:
.PP
\fBexample.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
.SH "FILES"
.PP
The keyfile can be designed by the key identification
\fIKnnnn.+aaa+iiiii\fR
or the full file name
\fIKnnnn.+aaa+iiiii.key\fR
as generated by
dnssec\-keygen(8).
.PP
The keyset file name is built from the
\fBdirectory\fR, the string
\fIkeyset\-\fR
and the
\fBdnsname\fR.
.SH "CAVEAT"
.PP
A keyfile error can give a "file not found" even if the file exists.
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 3658,
RFC 4431.
RFC 4509.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2008\-2012 Internet Systems Consortium, Inc. ("ISC")
.br

559
contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
View file

@ -1,559 +0,0 @@
/*
* Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-dsfromkey.c,v 1.24 2011/10/25 01:54:18 marka Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/callbacks.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/ds.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/master.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatatype.h>
#include <dns/result.h>
#include <dst/dst.h>
#include "dnssectool.h"
#ifndef PATH_MAX
#define PATH_MAX 1024 /* AIX, WIN32, and others don't define this. */
#endif
const char *program = "dnssec-dsfromkey";
int verbose;
static dns_rdataclass_t rdclass;
static dns_fixedname_t fixed;
static dns_name_t *name = NULL;
static isc_mem_t *mctx = NULL;
static isc_uint32_t ttl;
static isc_result_t
initname(char *setname) {
isc_result_t result;
isc_buffer_t buf;
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
isc_buffer_init(&buf, setname, strlen(setname));
isc_buffer_add(&buf, strlen(setname));
result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
return (result);
}
static void
db_load_from_stream(dns_db_t *db, FILE *fp) {
isc_result_t result;
dns_rdatacallbacks_t callbacks;
dns_rdatacallbacks_init(&callbacks);
result = dns_db_beginload(db, &callbacks.add, &callbacks.add_private);
if (result != ISC_R_SUCCESS)
fatal("dns_db_beginload failed: %s", isc_result_totext(result));
result = dns_master_loadstream(fp, name, name, rdclass, 0,
&callbacks, mctx);
if (result != ISC_R_SUCCESS)
fatal("can't load from input: %s", isc_result_totext(result));
result = dns_db_endload(db, &callbacks.add_private);
if (result != ISC_R_SUCCESS)
fatal("dns_db_endload failed: %s", isc_result_totext(result));
}
static isc_result_t
loadset(const char *filename, dns_rdataset_t *rdataset) {
isc_result_t result;
dns_db_t *db = NULL;
dns_dbnode_t *node = NULL;
char setname[DNS_NAME_FORMATSIZE];
dns_name_format(name, setname, sizeof(setname));
result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
rdclass, 0, NULL, &db);
if (result != ISC_R_SUCCESS)
fatal("can't create database");
if (strcmp(filename, "-") == 0) {
db_load_from_stream(db, stdin);
filename = "input";
} else {
result = dns_db_load(db, filename);
if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
fatal("can't load %s: %s", filename,
isc_result_totext(result));
}
result = dns_db_findnode(db, name, ISC_FALSE, &node);
if (result != ISC_R_SUCCESS)
fatal("can't find %s node in %s", setname, filename);
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
0, 0, rdataset, NULL);
if (result == ISC_R_NOTFOUND)
fatal("no DNSKEY RR for %s in %s", setname, filename);
else if (result != ISC_R_SUCCESS)
fatal("dns_db_findrdataset");
if (node != NULL)
dns_db_detachnode(db, &node);
if (db != NULL)
dns_db_detach(&db);
return (result);
}
static isc_result_t
loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
isc_result_t result;
char filename[PATH_MAX + 1];
isc_buffer_t buf;
dns_rdataset_init(rdataset);
isc_buffer_init(&buf, filename, sizeof(filename));
if (dirname != NULL) {
/* allow room for a trailing slash */
if (strlen(dirname) >= isc_buffer_availablelength(&buf))
return (ISC_R_NOSPACE);
isc_buffer_putstr(&buf, dirname);
if (dirname[strlen(dirname) - 1] != '/')
isc_buffer_putstr(&buf, "/");
}
if (isc_buffer_availablelength(&buf) < 7)
return (ISC_R_NOSPACE);
isc_buffer_putstr(&buf, "keyset-");
result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
check_result(result, "dns_name_tofilenametext()");
if (isc_buffer_availablelength(&buf) == 0)
return (ISC_R_NOSPACE);
isc_buffer_putuint8(&buf, 0);
return (loadset(filename, rdataset));
}
static void
loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
dns_rdata_t *rdata)
{
isc_result_t result;
dst_key_t *key = NULL;
isc_buffer_t keyb;
isc_region_t r;
dns_rdata_init(rdata);
isc_buffer_init(&keyb, key_buf, key_buf_size);
result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("invalid keyfile name %s: %s",
filename, isc_result_totext(result));
if (verbose > 2) {
char keystr[DST_KEY_FORMATSIZE];
dst_key_format(key, keystr, sizeof(keystr));
fprintf(stderr, "%s: %s\n", program, keystr);
}
result = dst_key_todns(key, &keyb);
if (result != ISC_R_SUCCESS)
fatal("can't decode key");
isc_buffer_usedregion(&keyb, &r);
dns_rdata_fromregion(rdata, dst_key_class(key),
dns_rdatatype_dnskey, &r);
rdclass = dst_key_class(key);
dns_fixedname_init(&fixed);
name = dns_fixedname_name(&fixed);
result = dns_name_copy(dst_key_name(key), name, NULL);
if (result != ISC_R_SUCCESS)
fatal("can't copy name");
dst_key_free(&key);
}
static void
logkey(dns_rdata_t *rdata)
{
isc_result_t result;
dst_key_t *key = NULL;
isc_buffer_t buf;
char keystr[DST_KEY_FORMATSIZE];
isc_buffer_init(&buf, rdata->data, rdata->length);
isc_buffer_add(&buf, rdata->length);
result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
if (result != ISC_R_SUCCESS)
return;
dst_key_format(key, keystr, sizeof(keystr));
fprintf(stderr, "%s: %s\n", program, keystr);
dst_key_free(&key);
}
static void
emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
dns_rdata_t *rdata)
{
isc_result_t result;
unsigned char buf[DNS_DS_BUFFERSIZE];
char text_buf[DST_KEY_MAXTEXTSIZE];
char name_buf[DNS_NAME_MAXWIRE];
char class_buf[10];
isc_buffer_t textb, nameb, classb;
isc_region_t r;
dns_rdata_t ds;
dns_rdata_dnskey_t dnskey;
isc_buffer_init(&textb, text_buf, sizeof(text_buf));
isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
isc_buffer_init(&classb, class_buf, sizeof(class_buf));
dns_rdata_init(&ds);
result = dns_rdata_tostruct(rdata, &dnskey, NULL);
if (result != ISC_R_SUCCESS)
fatal("can't convert DNSKEY");
if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
return;
result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
if (result != ISC_R_SUCCESS)
fatal("can't build record");
result = dns_name_totext(name, ISC_FALSE, &nameb);
if (result != ISC_R_SUCCESS)
fatal("can't print name");
/* Add lookaside origin, if set */
if (lookaside != NULL) {
if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
fatal("DLV origin '%s' is too long", lookaside);
isc_buffer_putstr(&nameb, lookaside);
if (lookaside[strlen(lookaside) - 1] != '.') {
if (isc_buffer_availablelength(&nameb) < 1)
fatal("DLV origin '%s' is too long", lookaside);
isc_buffer_putstr(&nameb, ".");
}
}
result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "",
&textb);
if (result != ISC_R_SUCCESS)
fatal("can't print rdata");
result = dns_rdataclass_totext(rdclass, &classb);
if (result != ISC_R_SUCCESS)
fatal("can't print class");
isc_buffer_usedregion(&nameb, &r);
printf("%.*s ", (int)r.length, r.base);
if (ttl != 0U)
printf("%u ", ttl);
isc_buffer_usedregion(&classb, &r);
printf("%.*s", (int)r.length, r.base);
if (lookaside == NULL)
printf(" DS ");
else
printf(" DLV ");
isc_buffer_usedregion(&textb, &r);
printf("%.*s\n", (int)r.length, r.base);
}
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s options [-K dir] keyfile\n\n", program);
fprintf(stderr, " %s options [-K dir] [-c class] -s dnsname\n\n",
program);
fprintf(stderr, " %s options -f zonefile (as zone name)\n\n", program);
fprintf(stderr, " %s options -f zonefile zonename\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Options:\n");
fprintf(stderr, " -v <verbose level>\n");
fprintf(stderr, " -K <directory>: directory in which to find "
"key file or keyset file\n");
fprintf(stderr, " -a algorithm: digest algorithm "
"(SHA-1, SHA-256, GOST or SHA-384)\n");
fprintf(stderr, " -1: use SHA-1\n");
fprintf(stderr, " -2: use SHA-256\n");
fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n");
fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n");
fprintf(stderr, " -T TTL\n");
fprintf(stderr, " -f file: read keyset from zone file\n");
fprintf(stderr, " -A: when used with -f, "
"include all keys in DS set, not just KSKs\n");
fprintf(stderr, "Output: DS or DLV RRs\n");
exit (-1);
}
int
main(int argc, char **argv) {
char *algname = NULL, *classname = NULL;
char *filename = NULL, *dir = NULL, *namestr;
char *lookaside = NULL;
char *endp;
int ch;
unsigned int dtype = DNS_DSDIGEST_SHA1;
isc_boolean_t both = ISC_TRUE;
isc_boolean_t usekeyset = ISC_FALSE;
isc_boolean_t showall = ISC_FALSE;
isc_result_t result;
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
dns_rdataset_t rdataset;
dns_rdata_t rdata;
dns_rdata_init(&rdata);
if (argc == 1)
usage();
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
fatal("out of memory");
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"12Aa:c:d:Ff:K:l:sT:v:h")) != -1) {
switch (ch) {
case '1':
dtype = DNS_DSDIGEST_SHA1;
both = ISC_FALSE;
break;
case '2':
dtype = DNS_DSDIGEST_SHA256;
both = ISC_FALSE;
break;
case 'A':
showall = ISC_TRUE;
break;
case 'a':
algname = isc_commandline_argument;
both = ISC_FALSE;
break;
case 'c':
classname = isc_commandline_argument;
break;
case 'd':
fprintf(stderr, "%s: the -d option is deprecated; "
"use -K\n", program);
/* fall through */
case 'K':
dir = isc_commandline_argument;
if (strlen(dir) == 0U)
fatal("directory must be non-empty string");
break;
case 'f':
filename = isc_commandline_argument;
break;
case 'l':
lookaside = isc_commandline_argument;
if (strlen(lookaside) == 0U)
fatal("lookaside must be a non-empty string");
break;
case 's':
usekeyset = ISC_TRUE;
break;
case 'T':
ttl = atol(isc_commandline_argument);
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case 'F':
/* Reserved for FIPS mode */
/* FALLTHROUGH */
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* FALLTHROUGH */
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
if (algname != NULL) {
if (strcasecmp(algname, "SHA1") == 0 ||
strcasecmp(algname, "SHA-1") == 0)
dtype = DNS_DSDIGEST_SHA1;
else if (strcasecmp(algname, "SHA256") == 0 ||
strcasecmp(algname, "SHA-256") == 0)
dtype = DNS_DSDIGEST_SHA256;
#ifdef HAVE_OPENSSL_GOST
else if (strcasecmp(algname, "GOST") == 0)
dtype = DNS_DSDIGEST_GOST;
#endif
else if (strcasecmp(algname, "SHA384") == 0 ||
strcasecmp(algname, "SHA-384") == 0)
dtype = DNS_DSDIGEST_SHA384;
else
fatal("unknown algorithm %s", algname);
}
rdclass = strtoclass(classname);
if (usekeyset && filename != NULL)
fatal("cannot use both -s and -f");
/* When not using -f, -A is implicit */
if (filename == NULL)
showall = ISC_TRUE;
if (argc < isc_commandline_index + 1 && filename == NULL)
fatal("the key file name was not specified");
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("could not initialize hash");
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
setup_logging(verbose, mctx, &log);
dns_rdataset_init(&rdataset);
if (usekeyset || filename != NULL) {
if (argc < isc_commandline_index + 1 && filename != NULL) {
/* using zone name as the zone file name */
namestr = filename;
} else
namestr = argv[isc_commandline_index];
result = initname(namestr);
if (result != ISC_R_SUCCESS)
fatal("could not initialize name %s", namestr);
if (usekeyset)
result = loadkeyset(dir, &rdataset);
else
result = loadset(filename, &rdataset);
if (result != ISC_R_SUCCESS)
fatal("could not load DNSKEY set: %s\n",
isc_result_totext(result));
for (result = dns_rdataset_first(&rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset)) {
dns_rdata_init(&rdata);
dns_rdataset_current(&rdataset, &rdata);
if (verbose > 2)
logkey(&rdata);
if (both) {
emit(DNS_DSDIGEST_SHA1, showall, lookaside,
&rdata);
emit(DNS_DSDIGEST_SHA256, showall, lookaside,
&rdata);
} else
emit(dtype, showall, lookaside, &rdata);
}
} else {
unsigned char key_buf[DST_KEY_MAXSIZE];
loadkey(argv[isc_commandline_index], key_buf,
DST_KEY_MAXSIZE, &rdata);
if (both) {
emit(DNS_DSDIGEST_SHA1, showall, lookaside, &rdata);
emit(DNS_DSDIGEST_SHA256, showall, lookaside, &rdata);
} else
emit(dtype, showall, lookaside, &rdata);
}
if (dns_rdataset_isassociated(&rdataset))
dns_rdataset_disassociate(&rdataset);
cleanup_logging(&log);
dst_lib_destroy();
isc_hash_destroy();
cleanup_entropy(&ectx);
dns_name_destroy();
if (verbose > 10)
isc_mem_stats(mctx, stdout);
isc_mem_destroy(&mctx);
fflush(stdout);
if (ferror(stdout)) {
fprintf(stderr, "write error\n");
return (1);
} else
return (0);
}

279
contrib/bind9/bin/dnssec/dnssec-dsfromkey.docbook
View file

@ -1,279 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-dsfromkey.docbook,v 1.17 2011/10/25 01:54:18 marka Exp $ -->
<refentry id="man.dnssec-dsfromkey">
<refentryinfo>
<date>August 26, 2009</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-dsfromkey</application></refname>
<refpurpose>DNSSEC DS RR generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-dsfromkey</command>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>dnssec-dsfromkey</command>
<arg choice="req">-s</arg>
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-s</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg><option>-A</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">dnsname</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>dnssec-dsfromkey</command>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-1</term>
<listitem>
<para>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-2</term>
<listitem>
<para>
Use SHA-256 as the digest algorithm.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">TTL</replaceable></term>
<listitem>
<para>
Specifies the TTL of the DS records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for key files (or, in keyset mode,
<filename>keyset-</filename> files) in
<option>directory</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the zone name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <command>dig</command>
command as input, as in:
</para>
<para>
<userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A</term>
<listitem>
<para>
Include ZSK's when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set instead of a DS set. The specified
<option>domain</option> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>
To build the SHA-256 DS RR from the
<userinput>Kexample.com.+003+26160</userinput>
keyfile name, the following command would be issued:
</para>
<para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
</para>
<para>
The command would print something like:
</para>
<para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
</para>
</refsect1>
<refsect1>
<title>FILES</title>
<para>
The keyfile can be designed by the key identification
<filename>Knnnn.+aaa+iiiii</filename> or the full file name
<filename>Knnnn.+aaa+iiiii.key</filename> as generated by
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
</para>
<para>
The keyset file name is built from the <option>directory</option>,
the string <filename>keyset-</filename> and the
<option>dnsname</option>.
</para>
</refsect1>
<refsect1>
<title>CAVEAT</title>
<para>
A keyfile error can give a "file not found" even if the file exists.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle>,
<citetitle>RFC 4431</citetitle>.
<citetitle>RFC 4509</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

169
contrib/bind9/bin/dnssec/dnssec-dsfromkey.html
View file

@ -1,169 +0,0 @@
<!--
- Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-dsfromkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543489"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543500"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</p></dd>
<dt><span class="term">-2</span></dt>
<dd><p>
Use SHA-256 as the digest algorithm.
</p></dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
Specifies the TTL of the DS records.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span><strong class="command">dig</strong></span>
command as input, as in:
</p>
<p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd><p>
Include ZSK's when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431.
</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543726"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
keyfile name, the following command would be issued:
</p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
</p>
<p>
The command would print something like:
</p>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543756"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
</p>
<p>
The keyset file name is built from the <code class="option">directory</code>,
the string <code class="filename">keyset-</code> and the
<code class="option">dnsname</code>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543792"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543801"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em>,
<em class="citetitle">RFC 4431</em>.
<em class="citetitle">RFC 4509</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543841"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

228
contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8
View file

@ -1,228 +0,0 @@
.\" Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: dnssec\-keyfromlabel
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: February 8, 2008
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DNSSEC\-KEYFROMLABEL" "8" "February 8, 2008" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
dnssec\-keyfromlabel \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP 20
\fBdnssec\-keyfromlabel\fR {\-l\ \fIlabel\fR} [\fB\-3\fR] [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-y\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keyfromlabel\fR
gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.
.PP
The
\fBname\fR
of the key is specified on the command line. This must match the name of the zone for which the key is being generated.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm. The value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. These values are case insensitive.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
option is specified, in which case NSEC3RSASHA1 will be used instead. (If
\fB\-3\fR
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
.sp
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.
.sp
Note 2: DH automatically sets the \-k flag.
.RE
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default.
.RE
.PP
\-E \fIengine\fR
.RS 4
Specifies the name of the crypto hardware (OpenSSL engine). When compiled with PKCS#11 support it defaults to "pkcs11".
.RE
.PP
\-l \fIlabel\fR
.RS 4
Specifies the label of the key pair in the crypto hardware. The label may be preceded by an optional OpenSSL engine name, separated by a colon, as in "pkcs11:keylabel".
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
.RE
.PP
\-C
.RS 4
Compatibility mode: generates an old\-style key, without any metadata. By default,
\fBdnssec\-keyfromlabel\fR
will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
option suppresses them.
.RE
.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
.RE
.PP
\-f \fIflag\fR
.RS 4
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
.RE
.PP
\-G
.RS 4
Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBdnssec\-keyfromlabel\fR.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to be written.
.RE
.PP
\-k
.RS 4
Generate KEY records rather than DNSKEY records.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
0
or
none
removes it.
.RE
.PP
\-p \fIprotocol\fR
.RS 4
Sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
.RE
.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key.
\fBtype\fR
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level.
.RE
.PP
\-y
.RS 4
Allows DNSSEC key files to be generated even if the key ID would collide with that of an existing key, in the event of either key being revoked. (This is only safe to use if you are sure you won't be using RFC 5011 trust anchor maintenance with either of the keys involved.)
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
.RE
.PP
\-R \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
.RE
.PP
\-I \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
.RE
.SH "GENERATED KEY FILES"
.PP
When
\fBdnssec\-keyfromlabel\fR
completes successfully, it prints a string of the form
\fIKnnnn.+aaa+iiiii\fR
to the standard output. This is an identification string for the key files it has generated.
.TP 4
\(bu
\fInnnn\fR
is the key name.
.TP 4
\(bu
\fIaaa\fR
is the numeric representation of the algorithm.
.TP 4
\(bu
\fIiiiii\fR
is the key identifier (or footprint).
.PP
\fBdnssec\-keyfromlabel\fR
creates two files, with names based on the printed string.
\fIKnnnn.+aaa+iiiii.key\fR
contains the public key, and
\fIKnnnn.+aaa+iiiii.private\fR
contains the private key.
.PP
The
\fI.key\fR
file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
.PP
The
\fI.private\fR
file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 4034.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2008\-2012 Internet Systems Consortium, Inc. ("ISC")
.br

587
contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c
View file

@ -1,587 +0,0 @@
/*
* Copyright (C) 2007-2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keyfromlabel.c,v 1.38 2011/11/30 00:48:51 marka Exp $ */
/*! \file */
#include <config.h>
#include <ctype.h>
#include <stdlib.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/mem.h>
#include <isc/region.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/rdataclass.h>
#include <dns/result.h>
#include <dns/secalg.h>
#include <dst/dst.h>
#include "dnssectool.h"
#define MAX_RSA 4096 /* should be long enough... */
const char *program = "dnssec-keyfromlabel";
int verbose;
#define DEFAULT_ALGORITHM "RSASHA1"
#define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1 |"
" RSASHA256 | RSASHA512 | ECCGOST |"
" ECDSAP256SHA256 | ECDSAP384SHA384";
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s -l label [options] name\n\n",
program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Required options:\n");
fprintf(stderr, " -l label: label of the key pair\n");
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -a algorithm: %s\n", algs);
fprintf(stderr, " (default: RSASHA1, or "
"NSEC3RSASHA1 if using -3)\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
#ifdef USE_PKCS11
fprintf(stderr, " -E enginename (default: pkcs11)\n");
#else
fprintf(stderr, " -E enginename\n");
#endif
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place "
"key files\n");
fprintf(stderr, " -k: generate a TYPE=KEY key\n");
fprintf(stderr, " -L ttl: default key TTL\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
fprintf(stderr, " -t type: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)\n");
fprintf(stderr, " -y: permit keys that might collide\n");
fprintf(stderr, " -v verbose level\n");
fprintf(stderr, "Date options:\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting"
" all dates\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
exit (-1);
}
int
main(int argc, char **argv) {
char *algname = NULL, *freeit = NULL;
char *nametype = NULL, *type = NULL;
const char *directory = NULL;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
char *classname = NULL;
char *endp;
dst_key_t *key = NULL;
dns_fixedname_t fname;
dns_name_t *name;
isc_uint16_t flags = 0, kskflag = 0, revflag = 0;
dns_secalg_t alg;
isc_boolean_t oldstyle = ISC_FALSE;
isc_mem_t *mctx = NULL;
int ch;
int protocol = -1, signatory = 0;
isc_result_t ret;
isc_textregion_t r;
char filename[255];
isc_buffer_t buf;
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
char *label = NULL;
dns_ttl_t ttl = 0;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE, setttl = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t genonly = ISC_FALSE;
isc_boolean_t use_nsec3 = ISC_FALSE;
isc_boolean_t avoid_collisions = ISC_TRUE;
isc_boolean_t exact;
unsigned char c;
if (argc == 1)
usage();
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
"3a:Cc:E:f:K:kl:L:n:p:t:v:yFhGP:A:R:I:D:")) != -1)
{
switch (ch) {
case '3':
use_nsec3 = ISC_TRUE;
break;
case 'a':
algname = isc_commandline_argument;
break;
case 'C':
oldstyle = ISC_TRUE;
break;
case 'c':
classname = isc_commandline_argument;
break;
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
c = (unsigned char)(isc_commandline_argument[0]);
if (toupper(c) == 'K')
kskflag = DNS_KEYFLAG_KSK;
else if (toupper(c) == 'R')
revflag = DNS_KEYFLAG_REVOKE;
else
fatal("unknown flag '%s'",
isc_commandline_argument);
break;
case 'K':
directory = isc_commandline_argument;
ret = try_dir(directory);
if (ret != ISC_R_SUCCESS)
fatal("cannot open directory %s: %s",
directory, isc_result_totext(ret));
break;
case 'k':
options |= DST_TYPE_KEY;
break;
case 'L':
if (strcmp(isc_commandline_argument, "none") == 0)
ttl = 0;
else
ttl = strtottl(isc_commandline_argument);
setttl = ISC_TRUE;
break;
case 'l':
label = isc_mem_strdup(mctx, isc_commandline_argument);
break;
case 'n':
nametype = isc_commandline_argument;
break;
case 'p':
protocol = strtol(isc_commandline_argument, &endp, 10);
if (*endp != '\0' || protocol < 0 || protocol > 255)
fatal("-p must be followed by a number "
"[0..255]");
break;
case 't':
type = isc_commandline_argument;
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case 'y':
avoid_collisions = ISC_FALSE;
break;
case 'G':
genonly = ISC_TRUE;
break;
case 'P':
if (setpub || unsetpub)
fatal("-P specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setpub = ISC_TRUE;
publish = strtotime(isc_commandline_argument,
now, now);
} else {
unsetpub = ISC_TRUE;
}
break;
case 'A':
if (setact || unsetact)
fatal("-A specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setact = ISC_TRUE;
activate = strtotime(isc_commandline_argument,
now, now);
} else {
unsetact = ISC_TRUE;
}
break;
case 'R':
if (setrev || unsetrev)
fatal("-R specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setrev = ISC_TRUE;
revoke = strtotime(isc_commandline_argument,
now, now);
} else {
unsetrev = ISC_TRUE;
}
break;
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setinact = ISC_TRUE;
inactive = strtotime(isc_commandline_argument,
now, now);
} else {
unsetinact = ISC_TRUE;
}
break;
case 'D':
if (setdel || unsetdel)
fatal("-D specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setdel = ISC_TRUE;
delete = strtotime(isc_commandline_argument,
now, now);
} else {
unsetdel = ISC_TRUE;
}
break;
case 'F':
/* Reserved for FIPS mode */
/* FALLTHROUGH */
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* FALLTHROUGH */
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
ret = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (ret != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(ret));
setup_logging(verbose, mctx, &log);
if (label == NULL)
fatal("the key label was not specified");
if (argc < isc_commandline_index + 1)
fatal("the key name was not specified");
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
if (strchr(label, ':') == NULL &&
engine != NULL && strlen(engine) != 0U) {
char *l;
int len;
len = strlen(label) + strlen(engine) + 2;
l = isc_mem_allocate(mctx, len);
if (l == NULL)
fatal("cannot allocate memory");
snprintf(l, len, "%s:%s", engine, label);
isc_mem_free(mctx, label);
label = l;
}
if (algname == NULL) {
if (use_nsec3)
algname = strdup(DEFAULT_NSEC3_ALGORITHM);
else
algname = strdup(DEFAULT_ALGORITHM);
if (algname == NULL)
fatal("strdup failed");
freeit = algname;
if (verbose > 0)
fprintf(stderr, "no algorithm specified; "
"defaulting to %s\n", algname);
}
if (strcasecmp(algname, "RSA") == 0) {
fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
"If you still wish to use RSA (RSAMD5) please "
"specify \"-a RSAMD5\"\n");
if (freeit != NULL)
free(freeit);
return (1);
} else {
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS)
fatal("unknown algorithm %s", algname);
if (alg == DST_ALG_DH)
options |= DST_TYPE_KEY;
}
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg != DST_ALG_RSASHA512 &&
alg != DST_ALG_ECCGOST &&
alg != DST_ALG_ECDSA256 && alg != DST_ALG_ECDSA384) {
fatal("%s is incompatible with NSEC3; "
"do not use the -3 option", algname);
}
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0)
flags |= DNS_KEYTYPE_NOAUTH;
else if (strcasecmp(type, "NOCONF") == 0)
flags |= DNS_KEYTYPE_NOCONF;
else if (strcasecmp(type, "NOAUTHCONF") == 0) {
flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
}
else if (strcasecmp(type, "AUTHCONF") == 0)
/* nothing */;
else
fatal("invalid type %s", type);
}
if (nametype == NULL) {
if ((options & DST_TYPE_KEY) != 0) /* KEY */
fatal("no nametype specified");
flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
} else if (strcasecmp(nametype, "zone") == 0)
flags |= DNS_KEYOWNER_ZONE;
else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
if (strcasecmp(nametype, "host") == 0 ||
strcasecmp(nametype, "entity") == 0)
flags |= DNS_KEYOWNER_ENTITY;
else if (strcasecmp(nametype, "user") == 0)
flags |= DNS_KEYOWNER_USER;
else
fatal("invalid KEY nametype %s", nametype);
} else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
fatal("invalid DNSKEY nametype %s", nametype);
rdclass = strtoclass(classname);
if (directory == NULL)
directory = ".";
if ((options & DST_TYPE_KEY) != 0) /* KEY */
flags |= signatory;
else if ((flags & DNS_KEYOWNER_ZONE) != 0) { /* DNSKEY */
flags |= kskflag;
flags |= revflag;
}
if (protocol == -1)
protocol = DNS_KEYPROTO_DNSSEC;
else if ((options & DST_TYPE_KEY) == 0 &&
protocol != DNS_KEYPROTO_DNSSEC)
fatal("invalid DNSKEY protocol: %d", protocol);
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
fatal("specified null key with signing authority");
}
if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
alg == DNS_KEYALG_DH)
fatal("a key with algorithm '%s' cannot be a zone key",
algname);
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
isc_buffer_init(&buf, argv[isc_commandline_index],
strlen(argv[isc_commandline_index]));
isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
ret = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
if (ret != ISC_R_SUCCESS)
fatal("invalid key name %s: %s", argv[isc_commandline_index],
isc_result_totext(ret));
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol,
rdclass, engine, label, NULL, mctx, &key);
isc_entropy_stopcallbacksources(ectx);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];
char algstr[DNS_SECALG_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
dns_secalg_format(alg, algstr, sizeof(algstr));
fatal("failed to get key %s/%s: %s\n",
namestr, algstr, isc_result_totext(ret));
/* NOTREACHED */
exit(-1);
}
/*
* Set key timing metadata (unless using -C)
*
* Publish and activation dates are set to "now" by default, but
* can be overridden. Creation date is always set to "now".
*/
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
if (genonly && (setpub || setact))
fatal("cannot use -G together with -P or -A options");
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH, publish);
else if (setact)
dst_key_settime(key, DST_TIME_PUBLISH, activate);
else if (!genonly && !unsetpub)
dst_key_settime(key, DST_TIME_PUBLISH, now);
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE, activate);
else if (!genonly && !unsetact)
dst_key_settime(key, DST_TIME_ACTIVATE, now);
if (setrev) {
if (kskflag == 0)
fprintf(stderr, "%s: warning: Key is "
"not flagged as a KSK, but -R "
"was used. Revoking a ZSK is "
"legal, but undefined.\n",
program);
dst_key_settime(key, DST_TIME_REVOKE, revoke);
}
if (setinact)
dst_key_settime(key, DST_TIME_INACTIVE, inactive);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, delete);
} else {
if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
unsetrev || unsetinact || unsetdel || genonly)
fatal("cannot use -C together with "
"-P, -A, -R, -I, -D, or -G options");
/*
* Compatibility mode: Private-key-format
* should be set to 1.2.
*/
dst_key_setprivateformat(key, 1, 2);
}
/* Set default key TTL */
if (setttl)
dst_key_setttl(key, ttl);
/*
* Do not overwrite an existing key. Warn LOUDLY if there
* is a risk of ID collision due to this key or another key
* being revoked.
*/
if (key_collision(key, name, directory, mctx, &exact)) {
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, directory, &buf);
if (ret != ISC_R_SUCCESS)
fatal("dst_key_buildfilename returned: %s\n",
isc_result_totext(ret));
if (exact)
fatal("%s: %s already exists\n", program, filename);
if (avoid_collisions)
fatal("%s: %s could collide with another key upon "
"revokation\n", program, filename);
fprintf(stderr, "%s: WARNING: Key %s could collide with "
"another key upon revokation. If you plan "
"to revoke keys, destroy this key and "
"generate a different one.\n",
program, filename);
}
ret = dst_key_tofile(key, options, directory);
if (ret != ISC_R_SUCCESS) {
char keystr[DST_KEY_FORMATSIZE];
dst_key_format(key, keystr, sizeof(keystr));
fatal("failed to write key %s: %s\n", keystr,
isc_result_totext(ret));
}
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, NULL, &buf);
if (ret != ISC_R_SUCCESS)
fatal("dst_key_buildfilename returned: %s\n",
isc_result_totext(ret));
printf("%s\n", filename);
dst_key_free(&key);
cleanup_logging(&log);
cleanup_entropy(&ectx);
dst_lib_destroy();
dns_name_destroy();
if (verbose > 10)
isc_mem_stats(mctx, stdout);
isc_mem_free(mctx, label);
isc_mem_destroy(&mctx);
if (freeit != NULL)
free(freeit);
return (0);
}

446
contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook
View file

@ -1,446 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.21 2011/03/17 01:40:34 each Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-keyfromlabel</application></refname>
<refpurpose>DNSSEC key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-keyfromlabel</command>
<arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
<arg><option>-3</option></arg>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-y</option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>dnssec-keyfromlabel</command>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
</para>
<para>
The <option>name</option> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</para>
<para>
Note 2: DH automatically sets the -k flag.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the name of the crypto hardware (OpenSSL engine).
When compiled with PKCS#11 support it defaults to "pkcs11".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
Specifies the label of the key pair in the crypto hardware.
The label may be preceded by an optional OpenSSL engine name,
separated by a colon, as in "pkcs11:keylabel".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Compatibility mode: generates an old-style key, without
any metadata. By default, <command>dnssec-keyfromlabel</command>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<option>-C</option> option suppresses them.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keyfromlabel</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Generate KEY records rather than DNSKEY records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-y</term>
<listitem>
<para>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>TIMING OPTIONS</title>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
</para>
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>GENERATED KEY FILES</title>
<para>
When <command>dnssec-keyfromlabel</command> completes
successfully,
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
to the standard output. This is an identification string for
the key files it has generated.
</para>
<itemizedlist>
<listitem>
<para><filename>nnnn</filename> is the key name.
</para>
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
of the algorithm.
</para>
</listitem>
<listitem>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
</listitem>
</itemizedlist>
<para><command>dnssec-keyfromlabel</command>
creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
private key.
</para>
<para>
The <filename>.key</filename> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</para>
<para>
The <filename>.private</filename> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4034</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

275
contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html
View file

@ -1,275 +0,0 @@
<!--
- Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keyfromlabel</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543507"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
</p>
<p>
The <code class="option">name</code> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543525"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</p>
<p>
Note 2: DH automatically sets the -k flag.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Specifies the name of the crypto hardware (OpenSSL engine).
When compiled with PKCS#11 support it defaults to "pkcs11".
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
Specifies the label of the key pair in the crypto hardware.
The label may be preceded by an optional OpenSSL engine name,
separated by a colon, as in "pkcs11:keylabel".
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keyfromlabel</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543980"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543054"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</ul></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543127"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4034</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543160"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

308
contrib/bind9/bin/dnssec/dnssec-keygen.8
View file

@ -1,308 +0,0 @@
.\" Copyright (C) 2004, 2005, 2007-2012 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: dnssec\-keygen
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: June 30, 2000
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DNSSEC\-KEYGEN" "8" "June 30, 2000" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
dnssec\-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP 14
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.
.PP
The
\fBname\fR
of the key is specified on the command line. For DNSSEC keys, this must match the name of the zone for which the key is being generated.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm. For DNSSEC keys, the value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
option is specified, in which case NSEC3RSASHA1 will be used instead. (If
\fB\-3\fR
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
.sp
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
.sp
Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. Elliptic curve algorithms don't need this parameter.
.sp
The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
\fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
\fB\-a\fR, then there is no default key size, and the
\fB\-b\fR
must be used.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation.
.RE
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable.
.RE
.PP
\-C
.RS 4
Compatibility mode: generates an old\-style key, without any metadata. By default,
\fBdnssec\-keygen\fR
will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
option suppresses them.
.RE
.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
.RE
.PP
\-E \fIengine\fR
.RS 4
Uses a crypto hardware (OpenSSL engine) for random number and, when supported, key generation. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
.RE
.PP
\-f \fIflag\fR
.RS 4
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
.RE
.PP
\-G
.RS 4
Generate a key, but do not publish it or sign with it. This option is incompatible with \-P and \-A.
.RE
.PP
\-g \fIgenerator\fR
.RS 4
If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBdnssec\-keygen\fR.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to be written.
.RE
.PP
\-k
.RS 4
Deprecated in favor of \-T KEY.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
0
or
none
removes it.
.RE
.PP
\-p \fIprotocol\fR
.RS 4
Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
.RE
.PP
\-q
.RS 4
Quiet mode: Suppresses unnecessary output, including progress indication. Without this option, when
\fBdnssec\-keygen\fR
is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to
\fIstderr\fR
indicating the progress of the key generation. A '.' indicates that a random number has been found which passed an initial sieve test; '+' means a number has passed a single round of the Miller\-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key.
.RE
.PP
\-r \fIrandomdev\fR
.RS 4
Specifies the source of randomness. If the operating system does not provide a
\fI/dev/random\fR
or equivalent device, the default source of randomness is keyboard input.
\fIrandomdev\fR
specifies the name of a character device or file containing random data to be used instead of the default. The special value
\fIkeyboard\fR
indicates that keyboard input should be used.
.RE
.PP
\-S \fIkey\fR
.RS 4
Create a new key which is an explicit successor to an existing key. The name, algorithm, size, and type of the key will be set to match the existing key. The activation date of the new key will be set to the inactivation date of the existing one. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
.RE
.PP
\-s \fIstrength\fR
.RS 4
Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
.RE
.PP
\-T \fIrrtype\fR
.RS 4
Specifies the resource record type to use for the key.
\fBrrtype\fR
must be either DNSKEY or KEY. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0).
Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY.
.RE
.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key.
\fBtype\fR
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level.
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it. If not set, and if the \-G option has not been used, the default is "now".
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it. If not set, and if the \-G option has not been used, the default is "now".
.RE
.PP
\-R \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
.RE
.PP
\-I \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
.sp
If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
.sp
As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
.RE
.SH "GENERATED KEYS"
.PP
When
\fBdnssec\-keygen\fR
completes successfully, it prints a string of the form
\fIKnnnn.+aaa+iiiii\fR
to the standard output. This is an identification string for the key it has generated.
.TP 4
\(bu
\fInnnn\fR
is the key name.
.TP 4
\(bu
\fIaaa\fR
is the numeric representation of the algorithm.
.TP 4
\(bu
\fIiiiii\fR
is the key identifier (or footprint).
.PP
\fBdnssec\-keygen\fR
creates two files, with names based on the printed string.
\fIKnnnn.+aaa+iiiii.key\fR
contains the public key, and
\fIKnnnn.+aaa+iiiii.private\fR
contains the private key.
.PP
The
\fI.key\fR
file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
.PP
The
\fI.private\fR
file contains algorithm\-specific fields. For obvious security reasons, this file does not have general read permission.
.PP
Both
\fI.key\fR
and
\fI.private\fR
files are generated for symmetric encryption algorithms such as HMAC\-MD5, even though the public and private key are equivalent.
.SH "EXAMPLE"
.PP
To generate a 768\-bit DSA key for the domain
\fBexample.com\fR, the following command would be issued:
.PP
\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example.com\fR
.PP
The command would print a string of the form:
.PP
\fBKexample.com.+003+26160\fR
.PP
In this example,
\fBdnssec\-keygen\fR
creates the files
\fIKexample.com.+003+26160.key\fR
and
\fIKexample.com.+003+26160.private\fR.
.SH "SEE ALSO"
.PP
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 2539,
RFC 2845,
RFC 4034.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2004, 2005, 2007\-2012 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br

1054
contrib/bind9/bin/dnssec/dnssec-keygen.c
View file

File diff suppressed because it is too large Load diff

623
contrib/bind9/bin/dnssec/dnssec-keygen.docbook
View file

@ -1,623 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004, 2005, 2007-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.38 2011/03/17 23:47:29 tbox Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-keygen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-keygen</application></refname>
<refpurpose>DNSSEC key generation tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2007</year>
<year>2008</year>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-keygen</command>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg ><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg><option>-3</option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-C</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-q</option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-z</option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>dnssec-keygen</command>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
(Transaction Key) as defined in RFC 2930.
</para>
<para>
The <option>name</option> of the key is specified on the command
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</para>
<para>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</para>
<para>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</para>
<para>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSK's) and 2048 bits for key signing keys (KSK's,
generated with <option>-f KSK</option>). However, if an
algorithm is explicitly specified with the <option>-a</option>,
then there is no default key size, and the <option>-b</option>
must be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-3</term>
<listitem>
<para>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Compatibility mode: generates an old-style key, without
any metadata. By default, <command>dnssec-keygen</command>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<option>-C</option> option suppresses them.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Uses a crypto hardware (OpenSSL engine) for random number
and, when supported, key generation. When compiled with PKCS#11
support it defaults to pkcs11; the empty name resets it to
no engine.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">generator</replaceable></term>
<listitem>
<para>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keygen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to be written.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Deprecated in favor of -T KEY.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q</term>
<listitem>
<para>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<command>dnssec-keygen</command> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <filename>stderr</filename> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">strength</replaceable></term>
<listitem>
<para>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">rrtype</replaceable></term>
<listitem>
<para>
Specifies the resource record type to use for the key.
<option>rrtype</option> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
<para>
</para>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>TIMING OPTIONS</title>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
</para>
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</para>
<para>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>GENERATED KEYS</title>
<para>
When <command>dnssec-keygen</command> completes
successfully,
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
to the standard output. This is an identification string for
the key it has generated.
</para>
<itemizedlist>
<listitem>
<para><filename>nnnn</filename> is the key name.
</para>
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
of the
algorithm.
</para>
</listitem>
<listitem>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
</listitem>
</itemizedlist>
<para><command>dnssec-keygen</command>
creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
private
key.
</para>
<para>
The <filename>.key</filename> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</para>
<para>
The <filename>.private</filename> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</para>
<para>
Both <filename>.key</filename> and <filename>.private</filename>
files are generated for symmetric encryption algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</para>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>
To generate a 768-bit DSA key for the domain
<userinput>example.com</userinput>, the following command would be
issued:
</para>
<para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
</para>
<para>
The command would print a string of the form:
</para>
<para><userinput>Kexample.com.+003+26160</userinput>
</para>
<para>
In this example, <command>dnssec-keygen</command> creates
the files <filename>Kexample.com.+003+26160.key</filename>
and
<filename>Kexample.com.+003+26160.private</filename>.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2539</citetitle>,
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 4034</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

411
contrib/bind9/bin/dnssec/dnssec-keygen.html
View file

@ -1,411 +0,0 @@
<!--
- Copyright (C) 2004, 2005, 2007-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keygen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543590"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
(Transaction Key) as defined in RFC 2930.
</p>
<p>
The <code class="option">name</code> of the key is specified on the command
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543608"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</p>
<p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p>
<p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSK's) and 2048 bits for key signing keys (KSK's,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Uses a crypto hardware (OpenSSL engine) for random number
and, when supported, key generation. When compiled with PKCS#11
support it defaults to pkcs11; the empty name resets it to
no engine.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span><strong class="command">dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
<p>
</p>
<p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544187"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544377"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key it has generated.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
of the
algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</ul></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private
key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated for symmetric encryption algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544459"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
</p>
<p>
The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
</p>
<p>
In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
the files <code class="filename">Kexample.com.+003+26160.key</code>
and
<code class="filename">Kexample.com.+003+26160.private</code>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544571"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
<em class="citetitle">RFC 2845</em>,
<em class="citetitle">RFC 4034</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2544602"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

88
contrib/bind9/bin/dnssec/dnssec-revoke.8
View file

@ -1,88 +0,0 @@
.\" Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: dnssec\-revoke
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: June 1, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DNSSEC\-REVOKE" "8" "June 1, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
dnssec\-revoke \- Set the REVOKED bit on a DNSSEC key
.SH "SYNOPSIS"
.HP 14
\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] [\fB\-R\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-revoke\fR
reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now\-revoked key.
.SH "OPTIONS"
.PP
\-h
.RS 4
Emit usage message and exit.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to reside.
.RE
.PP
\-r
.RS 4
After writing the new keyset files remove the original keyset files.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level.
.RE
.PP
\-E \fIengine\fR
.RS 4
Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
.RE
.PP
\-f
.RS 4
Force overwrite: Causes
\fBdnssec\-revoke\fR
to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key.
.RE
.PP
\-R
.RS 4
Print the key tag of the key with the REVOKE bit set but do not revoke the key.
.RE
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
BIND 9 Administrator Reference Manual,
RFC 5011.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
.br

276
contrib/bind9/bin/dnssec/dnssec-revoke.c
View file

@ -1,276 +0,0 @@
/*
* Copyright (C) 2009-2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-revoke.c,v 1.24 2011/10/20 23:46:51 tbox Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <unistd.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dns/result.h>
#include <dst/dst.h>
#include "dnssectool.h"
const char *program = "dnssec-revoke";
int verbose;
static isc_mem_t *mctx = NULL;
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
#ifdef USE_PKCS11
fprintf(stderr, " -E engine: specify OpenSSL engine "
"(default \"pkcs11\")\n");
#else
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
#endif
fprintf(stderr, " -f: force overwrite\n");
fprintf(stderr, " -K directory: use directory for key files\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, " -r: remove old keyfiles after "
"creating revoked version\n");
fprintf(stderr, " -v level: set level of verbosity\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<new id>.key, "
"K<name>+<alg>+<new id>.private\n");
exit (-1);
}
int
main(int argc, char **argv) {
isc_result_t result;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
char *filename = NULL, *dir = NULL;
char newname[1024], oldname[1024];
char keystr[DST_KEY_FORMATSIZE];
char *endp;
int ch;
isc_entropy_t *ectx = NULL;
dst_key_t *key = NULL;
isc_uint32_t flags;
isc_buffer_t buf;
isc_boolean_t force = ISC_FALSE;
isc_boolean_t remove = ISC_FALSE;
isc_boolean_t id = ISC_FALSE;
if (argc == 1)
usage();
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
fatal("Out of memory");
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:")) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
force = ISC_TRUE;
break;
case 'K':
/*
* We don't have to copy it here, but do it to
* simplify cleanup later
*/
dir = isc_mem_strdup(mctx, isc_commandline_argument);
if (dir == NULL) {
fatal("Failed to allocate memory for "
"directory");
}
break;
case 'r':
remove = ISC_TRUE;
break;
case 'R':
id = ISC_TRUE;
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* Falls into */
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
if (argc < isc_commandline_index + 1 ||
argv[isc_commandline_index] == NULL)
fatal("The key file name was not specified");
if (argc > isc_commandline_index + 1)
fatal("Extraneous arguments");
if (dir != NULL) {
filename = argv[isc_commandline_index];
} else {
result = isc_file_splitpath(mctx, argv[isc_commandline_index],
&dir, &filename);
if (result != ISC_R_SUCCESS)
fatal("cannot process filename %s: %s",
argv[isc_commandline_index],
isc_result_totext(result));
if (strcmp(dir, ".") == 0) {
isc_mem_free(mctx, dir);
dir = NULL;
}
}
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
result = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst: %s",
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
result = dst_key_fromnamedfile(filename, dir,
DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("Invalid keyfile name %s: %s",
filename, isc_result_totext(result));
if (id) {
fprintf(stdout, "%u\n", dst_key_rid(key));
goto cleanup;
}
dst_key_format(key, keystr, sizeof(keystr));
if (verbose > 2)
fprintf(stderr, "%s: %s\n", program, keystr);
if (force)
set_keyversion(key);
else
check_keyversion(key, keystr);
flags = dst_key_flags(key);
if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
isc_stdtime_t now;
if ((flags & DNS_KEYFLAG_KSK) == 0)
fprintf(stderr, "%s: warning: Key is not flagged "
"as a KSK. Revoking a ZSK is "
"legal, but undefined.\n",
program);
isc_stdtime_get(&now);
dst_key_settime(key, DST_TIME_REVOKE, now);
dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
isc_buffer_init(&buf, newname, sizeof(newname));
dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
if (access(newname, F_OK) == 0 && !force) {
fatal("Key file %s already exists; "
"use -f to force overwrite", newname);
}
result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
dir);
if (result != ISC_R_SUCCESS) {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Failed to write key %s: %s", keystr,
isc_result_totext(result));
}
isc_buffer_clear(&buf);
dst_key_buildfilename(key, 0, dir, &buf);
printf("%s\n", newname);
/*
* Remove old key file, if told to (and if
* it isn't the same as the new file)
*/
if (remove && dst_key_alg(key) != DST_ALG_RSAMD5) {
isc_buffer_init(&buf, oldname, sizeof(oldname));
dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
if (strcmp(oldname, newname) == 0)
goto cleanup;
if (access(oldname, F_OK) == 0)
unlink(oldname);
isc_buffer_clear(&buf);
dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
if (access(oldname, F_OK) == 0)
unlink(oldname);
}
} else {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Key %s is already revoked", keystr);
}
cleanup:
dst_key_free(&key);
dst_lib_destroy();
isc_hash_destroy();
cleanup_entropy(&ectx);
if (verbose > 10)
isc_mem_stats(mctx, stdout);
if (dir != NULL)
isc_mem_free(mctx, dir);
isc_mem_destroy(&mctx);
return (0);
}

161
contrib/bind9/bin/dnssec/dnssec-revoke.docbook
View file

@ -1,161 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-revoke.docbook,v 1.9 2011/10/20 23:46:51 tbox Exp $ -->
<refentry id="man.dnssec-revoke">
<refentryinfo>
<date>June 1, 2009</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-revoke</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-revoke</application></refname>
<refpurpose>Set the REVOKED bit on a DNSSEC key</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<year>2011</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-revoke</command>
<arg><option>-hr</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg><option>-R</option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>dnssec-revoke</command>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
now-revoked key.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Emit usage message and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to reside.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem>
<para>
After writing the new keyset files remove the original keyset
files.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Use the given OpenSSL engine. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f</term>
<listitem>
<para>
Force overwrite: Causes <command>dnssec-revoke</command> to
write the new key pair even if a file already exists matching
the algorithm and key ID of the revoked key.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R</term>
<listitem>
<para>
Print the key tag of the key with the REVOKE bit set but do
not revoke the key.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5011</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

92
contrib/bind9/bin/dnssec/dnssec-revoke.html
View file

@ -1,92 +0,0 @@
<!--
- Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-revoke</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-revoke</span> &#8212; Set the REVOKED bit on a DNSSEC key</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] [<code class="option">-R</code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543382"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-revoke</strong></span>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
now-revoked key.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543394"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-r</span></dt>
<dd><p>
After writing the new keyset files remove the original keyset
files.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Use the given OpenSSL engine. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</p></dd>
<dt><span class="term">-f</span></dt>
<dd><p>
Force overwrite: Causes <span><strong class="command">dnssec-revoke</strong></span> to
write the new key pair even if a file already exists matching
the algorithm and key ID of the revoked key.
</p></dd>
<dt><span class="term">-R</span></dt>
<dd><p>
Print the key tag of the key with the REVOKE bit set but do
not revoke the key.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543512"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543537"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

175
contrib/bind9/bin/dnssec/dnssec-settime.8
View file

@ -1,175 +0,0 @@
.\" Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: dnssec\-settime
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: July 15, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DNSSEC\-SETTIME" "8" "July 15, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
dnssec\-settime \- Set the key timing metadata for a DNSSEC key
.SH "SYNOPSIS"
.HP 15
\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-settime\fR
reads a DNSSEC private key file and sets the key timing metadata as specified by the
\fB\-P\fR,
\fB\-A\fR,
\fB\-R\fR,
\fB\-I\fR, and
\fB\-D\fR
options. The metadata can then be used by
\fBdnssec\-signzone\fR
or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc.
.PP
If none of these options is set on the command line, then
\fBdnssec\-settime\fR
simply prints the key timing metadata already stored in the key.
.PP
When key metadata fields are changed, both files of a key pair (\fIKnnnn.+aaa+iiiii.key\fR
and
\fIKnnnn.+aaa+iiiii.private\fR) are regenerated. Metadata fields are stored in the private file. A human\-readable description of the metadata is also placed in comments in the key file. The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600).
.SH "OPTIONS"
.PP
\-f
.RS 4
Force an update of an old\-format key with no metadata fields. Without this option,
\fBdnssec\-settime\fR
will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the original key data retained. The key's creation date will be set to the present time. If no other values are specified, then the key's publication and activation dates will also be set to the present time.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to reside.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
0
or
none
removes it.
.RE
.PP
\-h
.RS 4
Emit usage message and exit.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level.
.RE
.PP
\-E \fIengine\fR
.RS 4
Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none'.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it.
.RE
.PP
\-R \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
.RE
.PP
\-I \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
.RE
.PP
\-S \fIpredecessor key\fR
.RS 4
Select a key for which the key being modified will be an explicit successor. The name, algorithm, size, and type of the predecessor key must exactly match those of the key being modified. The activation date of the successor key will be set to the inactivation date of the predecessor. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days.
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key. If set, then the publication and activation dates must be separated by at least this much time. If the activation date is specified but the publication date isn't, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn't, then activation will be set to this much time after publication.
.sp
If the key is being set to be an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
.sp
As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
.RE
.SH "PRINTING OPTIONS"
.PP
\fBdnssec\-settime\fR
can also be used to print the timing metadata associated with a key.
.PP
\-u
.RS 4
Print times in UNIX epoch format.
.RE
.PP
\-p \fIC/P/A/R/I/D/all\fR
.RS 4
Print a specific metadata value or set of metadata values. The
\fB\-p\fR
option may be followed by one or more of the following letters to indicate which value or values to print:
\fBC\fR
for the creation date,
\fBP\fR
for the publication date,
\fBA\fR
for the activation date,
\fBR\fR
for the revocation date,
\fBI\fR
for the inactivation date, or
\fBD\fR
for the deletion date. To print all of the metadata, use
\fB\-p all\fR.
.RE
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 5011.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2009\-2011 Internet Systems Consortium, Inc. ("ISC")
.br

624
contrib/bind9/bin/dnssec/dnssec-settime.c
View file

@ -1,624 +0,0 @@
/*
* Copyright (C) 2009-2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-settime.c,v 1.32 2011/06/02 20:24:45 each Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <time.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/keyvalues.h>
#include <dns/result.h>
#include <dns/log.h>
#include <dst/dst.h>
#include "dnssectool.h"
const char *program = "dnssec-settime";
int verbose;
static isc_mem_t *mctx = NULL;
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "General options:\n");
#ifdef USE_PKCS11
fprintf(stderr, " -E engine: specify OpenSSL engine "
"(default \"pkcs11\")\n");
#else
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
#endif
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
fprintf(stderr, " -L ttl: set default key TTL\n");
fprintf(stderr, " -v level: set level of verbosity\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, "Timing options:\n");
fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
"publication date\n");
fprintf(stderr, " -A date/[+-]offset/none: set/unset key "
"activation date\n");
fprintf(stderr, " -R date/[+-]offset/none: set/unset key "
"revocation date\n");
fprintf(stderr, " -I date/[+-]offset/none: set/unset key "
"inactivation date\n");
fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
"deletion date\n");
fprintf(stderr, "Printing options:\n");
fprintf(stderr, " -p C/P/A/R/I/D/all: print a particular time "
"value or values\n");
fprintf(stderr, " -u: print times in unix epoch "
"format\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<new id>.key, "
"K<name>+<alg>+<new id>.private\n");
exit (-1);
}
static void
printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
FILE *stream)
{
isc_result_t result;
const char *output = NULL;
isc_stdtime_t when;
if (tag != NULL)
fprintf(stream, "%s: ", tag);
result = dst_key_gettime(key, type, &when);
if (result == ISC_R_NOTFOUND) {
fprintf(stream, "UNSET\n");
} else if (epoch) {
fprintf(stream, "%d\n", (int) when);
} else {
time_t time = when;
output = ctime(&time);
fprintf(stream, "%s", output);
}
}
int
main(int argc, char **argv) {
isc_result_t result;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
char *filename = NULL, *directory = NULL;
char newname[1024];
char keystr[DST_KEY_FORMATSIZE];
char *endp, *p;
int ch;
isc_entropy_t *ectx = NULL;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
dst_key_t *key = NULL;
isc_buffer_t buf;
dns_name_t *name = NULL;
dns_secalg_t alg = 0;
unsigned int size = 0;
isc_uint16_t flags = 0;
int prepub = -1;
dns_ttl_t ttl = 0;
isc_stdtime_t now;
isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
isc_stdtime_t prevact = 0, previnact = 0, prevdel = 0;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE, setttl = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE;
isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE;
isc_boolean_t printinact = ISC_FALSE, printdel = ISC_FALSE;
isc_boolean_t force = ISC_FALSE;
isc_boolean_t epoch = ISC_FALSE;
isc_boolean_t changed = ISC_FALSE;
isc_log_t *log = NULL;
if (argc == 1)
usage();
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
fatal("Out of memory");
setup_logging(verbose, mctx, &log);
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
isc_stdtime_get(&now);
#define CMDLINE_FLAGS "A:D:E:fhI:i:K:L:P:p:R:S:uv:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
force = ISC_TRUE;
break;
case 'p':
p = isc_commandline_argument;
if (!strcasecmp(p, "all")) {
printcreate = ISC_TRUE;
printpub = ISC_TRUE;
printact = ISC_TRUE;
printrev = ISC_TRUE;
printinact = ISC_TRUE;
printdel = ISC_TRUE;
break;
}
do {
switch (*p++) {
case 'C':
printcreate = ISC_TRUE;
break;
case 'P':
printpub = ISC_TRUE;
break;
case 'A':
printact = ISC_TRUE;
break;
case 'R':
printrev = ISC_TRUE;
break;
case 'I':
printinact = ISC_TRUE;
break;
case 'D':
printdel = ISC_TRUE;
break;
case ' ':
break;
default:
usage();
break;
}
} while (*p != '\0');
break;
case 'u':
epoch = ISC_TRUE;
break;
case 'K':
/*
* We don't have to copy it here, but do it to
* simplify cleanup later
*/
directory = isc_mem_strdup(mctx,
isc_commandline_argument);
if (directory == NULL) {
fatal("Failed to allocate memory for "
"directory");
}
break;
case 'L':
if (strcmp(isc_commandline_argument, "none") == 0)
ttl = 0;
else
ttl = strtottl(isc_commandline_argument);
setttl = ISC_TRUE;
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case 'P':
if (setpub || unsetpub)
fatal("-P specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetpub = ISC_TRUE;
} else {
setpub = ISC_TRUE;
pub = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'A':
if (setact || unsetact)
fatal("-A specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetact = ISC_TRUE;
} else {
setact = ISC_TRUE;
act = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'R':
if (setrev || unsetrev)
fatal("-R specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetrev = ISC_TRUE;
} else {
setrev = ISC_TRUE;
rev = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetinact = ISC_TRUE;
} else {
setinact = ISC_TRUE;
inact = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'D':
if (setdel || unsetdel)
fatal("-D specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetdel = ISC_TRUE;
} else {
setdel = ISC_TRUE;
del = strtotime(isc_commandline_argument,
now, now);
}
break;
case 'S':
predecessor = isc_commandline_argument;
break;
case 'i':
prepub = strtottl(isc_commandline_argument);
break;
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
/* Falls into */
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
if (argc < isc_commandline_index + 1 ||
argv[isc_commandline_index] == NULL)
fatal("The key file name was not specified");
if (argc > isc_commandline_index + 1)
fatal("Extraneous arguments");
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
result = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst: %s",
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
if (predecessor != NULL) {
char keystr[DST_KEY_FORMATSIZE];
int major, minor;
if (prepub == -1)
prepub = (30 * 86400);
if (setpub || unsetpub)
fatal("-S and -P cannot be used together");
if (setact || unsetact)
fatal("-S and -A cannot be used together");
result = dst_key_fromnamedfile(predecessor, directory,
DST_TYPE_PUBLIC |
DST_TYPE_PRIVATE,
mctx, &prevkey);
if (result != ISC_R_SUCCESS)
fatal("Invalid keyfile %s: %s",
filename, isc_result_totext(result));
if (!dst_key_isprivate(prevkey))
fatal("%s is not a private key", filename);
name = dst_key_name(prevkey);
alg = dst_key_alg(prevkey);
size = dst_key_size(prevkey);
flags = dst_key_flags(prevkey);
dst_key_format(prevkey, keystr, sizeof(keystr));
dst_key_getprivateformat(prevkey, &major, &minor);
if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
fatal("Predecessor has incompatible format "
"version %d.%d\n\t", major, minor);
result = dst_key_gettime(prevkey, DST_TIME_ACTIVATE, &prevact);
if (result != ISC_R_SUCCESS)
fatal("Predecessor has no activation date. "
"You must set one before\n\t"
"generating a successor.");
result = dst_key_gettime(prevkey, DST_TIME_INACTIVE,
&previnact);
if (result != ISC_R_SUCCESS)
fatal("Predecessor has no inactivation date. "
"You must set one before\n\t"
"generating a successor.");
pub = prevact - prepub;
if (pub < now && prepub != 0)
fatal("Predecessor will become inactive before the\n\t"
"prepublication period ends. Either change "
"its inactivation date,\n\t"
"or use the -i option to set a shorter "
"prepublication interval.");
result = dst_key_gettime(prevkey, DST_TIME_DELETE, &prevdel);
if (result != ISC_R_SUCCESS)
fprintf(stderr, "%s: warning: Predecessor has no "
"removal date;\n\t"
"it will remain in the zone "
"indefinitely after rollover.\n",
program);
else if (prevdel < previnact)
fprintf(stderr, "%s: warning: Predecessor is "
"scheduled to be deleted\n\t"
"before it is scheduled to be "
"inactive.\n", program);
changed = setpub = setact = ISC_TRUE;
dst_key_free(&prevkey);
} else {
if (prepub < 0)
prepub = 0;
if (prepub > 0) {
if (setpub && setact && (act - prepub) < pub)
fatal("Activation and publication dates "
"are closer together than the\n\t"
"prepublication interval.");
if (setpub && !setact) {
setact = ISC_TRUE;
act = pub + prepub;
} else if (setact && !setpub) {
setpub = ISC_TRUE;
pub = act - prepub;
}
if ((act - prepub) < now)
fatal("Time until activation is shorter "
"than the\n\tprepublication interval.");
}
}
if (directory != NULL) {
filename = argv[isc_commandline_index];
} else {
result = isc_file_splitpath(mctx, argv[isc_commandline_index],
&directory, &filename);
if (result != ISC_R_SUCCESS)
fatal("cannot process filename %s: %s",
argv[isc_commandline_index],
isc_result_totext(result));
}
result = dst_key_fromnamedfile(filename, directory,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
mctx, &key);
if (result != ISC_R_SUCCESS)
fatal("Invalid keyfile %s: %s",
filename, isc_result_totext(result));
if (!dst_key_isprivate(key))
fatal("%s is not a private key", filename);
dst_key_format(key, keystr, sizeof(keystr));
if (predecessor != NULL) {
if (!dns_name_equal(name, dst_key_name(key)))
fatal("Key name mismatch");
if (alg != dst_key_alg(key))
fatal("Key algorithm mismatch");
if (size != dst_key_size(key))
fatal("Key size mismatch");
if (flags != dst_key_flags(key))
fatal("Key flags mismatch");
}
prevdel = previnact = 0;
if ((setdel && setinact && del < inact) ||
(dst_key_gettime(key, DST_TIME_INACTIVE,
&previnact) == ISC_R_SUCCESS &&
setdel && !setinact && del < previnact) ||
(dst_key_gettime(key, DST_TIME_DELETE,
&prevdel) == ISC_R_SUCCESS &&
setinact && !setdel && prevdel < inact) ||
(!setdel && !setinact && prevdel < previnact))
fprintf(stderr, "%s: warning: Key is scheduled to "
"be deleted before it is\n\t"
"scheduled to be inactive.\n",
program);
if (force)
set_keyversion(key);
else
check_keyversion(key, keystr);
if (verbose > 2)
fprintf(stderr, "%s: %s\n", program, keystr);
/*
* Set time values.
*/
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH, pub);
else if (unsetpub)
dst_key_unsettime(key, DST_TIME_PUBLISH);
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE, act);
else if (unsetact)
dst_key_unsettime(key, DST_TIME_ACTIVATE);
if (setrev) {
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
fprintf(stderr, "%s: warning: Key %s is already "
"revoked; changing the revocation date "
"will not affect this.\n",
program, keystr);
if ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0)
fprintf(stderr, "%s: warning: Key %s is not flagged as "
"a KSK, but -R was used. Revoking a "
"ZSK is legal, but undefined.\n",
program, keystr);
dst_key_settime(key, DST_TIME_REVOKE, rev);
} else if (unsetrev) {
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
fprintf(stderr, "%s: warning: Key %s is already "
"revoked; removing the revocation date "
"will not affect this.\n",
program, keystr);
dst_key_unsettime(key, DST_TIME_REVOKE);
}
if (setinact)
dst_key_settime(key, DST_TIME_INACTIVE, inact);
else if (unsetinact)
dst_key_unsettime(key, DST_TIME_INACTIVE);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, del);
else if (unsetdel)
dst_key_unsettime(key, DST_TIME_DELETE);
if (setttl)
dst_key_setttl(key, ttl);
/*
* No metadata changes were made but we're forcing an upgrade
* to the new format anyway: use "-P now -A now" as the default
*/
if (force && !changed) {
dst_key_settime(key, DST_TIME_PUBLISH, now);
dst_key_settime(key, DST_TIME_ACTIVATE, now);
changed = ISC_TRUE;
}
if (!changed && setttl)
changed = ISC_TRUE;
/*
* Print out time values, if -p was used.
*/
if (printcreate)
printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
if (printpub)
printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
if (printact)
printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
if (printrev)
printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
if (printinact)
printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
if (printdel)
printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
if (changed) {
isc_buffer_init(&buf, newname, sizeof(newname));
result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,
&buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build public key filename: %s",
isc_result_totext(result));
}
result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
directory);
if (result != ISC_R_SUCCESS) {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Failed to write key %s: %s", keystr,
isc_result_totext(result));
}
printf("%s\n", newname);
isc_buffer_clear(&buf);
result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory,
&buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build private key filename: %s",
isc_result_totext(result));
}
printf("%s\n", newname);
}
dst_key_free(&key);
dst_lib_destroy();
isc_hash_destroy();
cleanup_entropy(&ectx);
if (verbose > 10)
isc_mem_stats(mctx, stdout);
cleanup_logging(&log);
isc_mem_free(mctx, directory);
isc_mem_destroy(&mctx);
return (0);
}

338
contrib/bind9/bin/dnssec/dnssec-settime.docbook
View file

@ -1,338 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-settime.docbook,v 1.15 2011/11/03 20:21:37 each Exp $ -->
<refentry id="man.dnssec-settime">
<refentryinfo>
<date>July 15, 2009</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-settime</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-settime</application></refname>
<refpurpose>Set the key timing metadata for a DNSSEC key</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2009</year>
<year>2010</year>
<year>2011</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-settime</command>
<arg><option>-f</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>dnssec-settime</command>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <option>-P</option>, <option>-A</option>,
<option>-R</option>, <option>-I</option>, and <option>-D</option>
options. The metadata can then be used by
<command>dnssec-signzone</command> or other signing software to
determine when a key is to be published, whether it should be
used for signing a zone, etc.
</para>
<para>
If none of these options is set on the command line,
then <command>dnssec-settime</command> simply prints the key timing
metadata already stored in the key.
</para>
<para>
When key metadata fields are changed, both files of a key
pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
<filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-f</term>
<listitem>
<para>
Force an update of an old-format key with no metadata fields.
Without this option, <command>dnssec-settime</command> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Sets the directory in which the key files are to reside.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Emit usage message and exit.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Use the given OpenSSL engine. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>TIMING OPTIONS</title>
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none'.
</para>
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S <replaceable class="parameter">predecessor key</replaceable></term>
<listitem>
<para>
Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being
modified. The activation date of the successor key will be set
to the inactivation date of the predecessor. The publication
date will be set to the activation date minus the prepublication
interval, which defaults to 30 days.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</para>
<para>
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>PRINTING OPTIONS</title>
<para>
<command>dnssec-settime</command> can also be used to print the
timing metadata associated with a key.
</para>
<variablelist>
<varlistentry>
<term>-u</term>
<listitem>
<para>
Print times in UNIX epoch format.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">C/P/A/R/I/D/all</replaceable></term>
<listitem>
<para>
Print a specific metadata value or set of metadata values.
The <option>-p</option> option may be followed by one or more
of the following letters to indicate which value or values to print:
<option>C</option> for the creation date,
<option>P</option> for the publication date,
<option>A</option> for the activation date,
<option>R</option> for the revocation date,
<option>I</option> for the inactivation date, or
<option>D</option> for the deletion date.
To print all of the metadata, use <option>-p all</option>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5011</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

220
contrib/bind9/bin/dnssec/dnssec-settime.html
View file

@ -1,220 +0,0 @@
<!--
- Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-settime</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-settime</span> &#8212; Set the key timing metadata for a DNSSEC key</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543432"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
<code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
options. The metadata can then be used by
<span><strong class="command">dnssec-signzone</strong></span> or other signing software to
determine when a key is to be published, whether it should be
used for signing a zone, etc.
</p>
<p>
If none of these options is set on the command line,
then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
metadata already stored in the key.
</p>
<p>
When key metadata fields are changed, both files of a key
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543480"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f</span></dt>
<dd><p>
Force an update of an old-format key with no metadata fields.
Without this option, <span><strong class="command">dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Use the given OpenSSL engine. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543664"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none'.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it.
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>
Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being
modified. The activation date of the successor key will be set
to the inactivation date of the predecessor. The publication
date will be set to the activation date minus the prepublication
interval, which defaults to 30 days.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543802"></a><h2>PRINTING OPTIONS</h2>
<p>
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-u</span></dt>
<dd><p>
Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
<dd><p>
Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters to indicate which value or values to print:
<code class="option">C</code> for the creation date,
<code class="option">P</code> for the publication date,
<code class="option">A</code> for the activation date,
<code class="option">R</code> for the revocation date,
<code class="option">I</code> for the inactivation date, or
<code class="option">D</code> for the deletion date.
To print all of the metadata, use <code class="option">-p all</code>.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543880"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2542138"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

434
contrib/bind9/bin/dnssec/dnssec-signzone.8
View file

@ -1,434 +0,0 @@
.\" Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: dnssec\-signzone
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: June 05, 2009
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DNSSEC\-SIGNZONE" "8" "June 05, 2009" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
dnssec\-signzone \- DNSSEC zone signing tool
.SH "SYNOPSIS"
.HP 16
\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-L\ \fR\fB\fIserial\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-P\fR] [\fB\-p\fR] [\fB\-R\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-T\ \fR\fB\fIttl\fR\fR] [\fB\-t\fR] [\fB\-u\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-X\ \fR\fB\fIextended\ end\-time\fR\fR] [\fB\-x\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
.SH "DESCRIPTION"
.PP
\fBdnssec\-signzone\fR
signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
\fIkeyset\fR
file for each child zone.
.SH "OPTIONS"
.PP
\-a
.RS 4
Verify all generated signatures.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class of the zone.
.RE
.PP
\-C
.RS 4
Compatibility mode: Generate a
\fIkeyset\-\fR\fI\fIzonename\fR\fR
file in addition to
\fIdsset\-\fR\fI\fIzonename\fR\fR
when signing a zone, for use by older versions of
\fBdnssec\-signzone\fR.
.RE
.PP
\-d \fIdirectory\fR
.RS 4
Look for
\fIdsset\-\fR
or
\fIkeyset\-\fR
files in
\fBdirectory\fR.
.RE
.PP
\-D
.RS 4
Output only those record types automatically managed by
\fBdnssec\-signzone\fR, i.e. RRSIG, NSEC, NSEC3 and NSEC3PARAM records. If smart signing (\fB\-S\fR) is used, DNSKEY records are also included. The resulting file can be included in the original zone file with
\fB$INCLUDE\fR. This option cannot be combined with
\fB\-O raw\fR
or serial number updating.
.RE
.PP
\-E \fIengine\fR
.RS 4
Uses a crypto hardware (OpenSSL engine) for the crypto operations it supports, for instance signing with private keys from a secure key store. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
.RE
.PP
\-g
.RS 4
Generate DS records for child zones from
\fIdsset\-\fR
or
\fIkeyset\-\fR
file. Existing DS records will be removed.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Key repository: Specify a directory to search for DNSSEC keys. If not specified, defaults to the current directory.
.RE
.PP
\-k \fIkey\fR
.RS 4
Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
.RE
.PP
\-s \fIstart\-time\fR
.RS 4
Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
\fBstart\-time\fR
is specified, the current time minus 1 hour (to allow for clock skew) is used.
.RE
.PP
\-e \fIend\-time\fR
.RS 4
Specify the date and time when the generated RRSIG records expire. As with
\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
\fBend\-time\fR
is specified, 30 days from the start time is used as a default.
\fBend\-time\fR
must be later than
\fBstart\-time\fR.
.RE
.PP
\-X \fIextended end\-time\fR
.RS 4
Specify the date and time when the generated RRSIG records for the DNSKEY RRset will expire. This is to be used in cases when the DNSKEY signatures need to persist longer than signatures on other records; e.g., when the private component of the KSK is kept offline and the KSK signature is to be refreshed manually.
.sp
As with
\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
\fBextended end\-time\fR
is specified, the value of
\fBend\-time\fR
is used as the default. (\fBend\-time\fR, in turn, defaults to 30 days from the start time.)
\fBextended end\-time\fR
must be later than
\fBstart\-time\fR.
.RE
.PP
\-f \fIoutput\-file\fR
.RS 4
The name of the output file containing the signed zone. The default is to append
\fI.signed\fR
to the input filename. If
\fBoutput\-file\fR
is set to
"\-", then the signed zone is written to the standard output, with a default output format of "full".
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBdnssec\-signzone\fR.
.RE
.PP
\-i \fIinterval\fR
.RS 4
When a previously\-signed zone is passed as input, records may be resigned. The
\fBinterval\fR
option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
.sp
The default cycle interval is one quarter of the difference between the signature end and start times. So if neither
\fBend\-time\fR
or
\fBstart\-time\fR
are specified,
\fBdnssec\-signzone\fR
generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
.RE
.PP
\-I \fIinput\-format\fR
.RS 4
The format of the input zone file. Possible formats are
\fB"text"\fR
(default) and
\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be signed directly. The use of this option does not make much sense for non\-dynamic zones.
.RE
.PP
\-j \fIjitter\fR
.RS 4
When signing a zone with a fixed signature lifetime, all RRSIG records issued at the time of signing expires simultaneously. If the zone is incrementally signed, i.e. a previously\-signed zone is passed as input to the signer, all expired signatures have to be regenerated at about the same time. The
\fBjitter\fR
option specifies a jitter window that will be used to randomize the signature expire time, thus spreading incremental signature regeneration over time.
.sp
Signature lifetime jitter also to some extent benefits validators and servers by spreading out cache expiration, i.e. if large numbers of RRSIGs don't expire at the same time from all caches there will be less congestion than if all validators need to refetch at mostly the same time.
.RE
.PP
\-L \fIserial\fR
.RS 4
When writing a signed zone to 'raw' format, set the "source serial" value in the header to the specified serial number. (This is expected to be used primarily for testing purposes.)
.RE
.PP
\-n \fIncpus\fR
.RS 4
Specifies the number of threads to use. By default, one thread is started for each detected CPU.
.RE
.PP
\-N \fIsoa\-serial\-format\fR
.RS 4
The SOA serial number format of the signed zone. Possible formats are
\fB"keep"\fR
(default),
\fB"increment"\fR
and
\fB"unixtime"\fR.
.RS 4
.PP
\fB"keep"\fR
.RS 4
Do not modify the SOA serial number.
.RE
.PP
\fB"increment"\fR
.RS 4
Increment the SOA serial number using RFC 1982 arithmetics.
.RE
.PP
\fB"unixtime"\fR
.RS 4
Set the SOA serial number to the number of seconds since epoch.
.RE
.RE
.RE
.PP
\-o \fIorigin\fR
.RS 4
The zone origin. If not specified, the name of the zone file is assumed to be the origin.
.RE
.PP
\-O \fIoutput\-format\fR
.RS 4
The format of the output file containing the signed zone. Possible formats are
\fB"text"\fR
(default)
\fB"full"\fR, which is text output in a format suitable for processing by external scripts, and
\fB"raw"\fR
or
\fB"raw=N"\fR, which store the zone in a binary format for rapid loading by
\fBnamed\fR.
\fB"raw=N"\fR
specifies the format version of the raw zone file: if N is 0, the raw file can be read by any version of
\fBnamed\fR; if N is 1, the file can be read by release 9.9.0 or higher. The default is 1.
.RE
.PP
\-p
.RS 4
Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
.RE
.PP
\-P
.RS 4
Disable post sign verification tests.
.sp
The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key, that all revoked KSK keys are self signed, and that all records in the zone are signed by the algorithm. This option skips these tests.
.RE
.PP
\-R
.RS 4
Remove signatures from keys that no longer exist.
.sp
Normally, when a previously\-signed zone is passed as input to the signer, and a DNSKEY record has been removed and replaced with a new one, signatures from the old key that are still within their validity period are retained. This allows the zone to continue to validate with cached copies of the old DNSKEY RRset. The
\fB\-R\fR
forces
\fBdnssec\-signzone\fR
to remove all orphaned signatures.
.RE
.PP
\-r \fIrandomdev\fR
.RS 4
Specifies the source of randomness. If the operating system does not provide a
\fI/dev/random\fR
or equivalent device, the default source of randomness is keyboard input.
\fIrandomdev\fR
specifies the name of a character device or file containing random data to be used instead of the default. The special value
\fIkeyboard\fR
indicates that keyboard input should be used.
.RE
.PP
\-S
.RS 4
Smart signing: Instructs
\fBdnssec\-signzone\fR
to search the key repository for keys that match the zone being signed, and to include them in the zone if appropriate.
.sp
When a key is found, its timing metadata is examined to determine how it should be used, according to the following rules. Each successive rule takes priority over the prior ones:
.RS 4
.PP
.RS 4
If no timing metadata has been set for the key, the key is published in the zone and used to sign the zone.
.RE
.PP
.RS 4
If the key's publication date is set and is in the past, the key is published in the zone.
.RE
.PP
.RS 4
If the key's activation date is set and in the past, the key is published (regardless of publication date) and used to sign the zone.
.RE
.PP
.RS 4
If the key's revocation date is set and in the past, and the key is published, then the key is revoked, and the revoked key is used to sign the zone.
.RE
.PP
.RS 4
If either of the key's unpublication or deletion dates are set and in the past, the key is NOT published or used to sign the zone, regardless of any other metadata.
.RE
.RE
.RE
.PP
\-T \fIttl\fR
.RS 4
Specifies a TTL to be used for new DNSKEY records imported into the zone from the key repository. If not specified, the default is the TTL value from the zone's SOA record. This option is ignored when signing without
\fB\-S\fR, since DNSKEY records are not imported from the key repository in that case. It is also ignored if there are any pre\-existing DNSKEY records at the zone apex, in which case new records' TTL values will be set to match them, or if any of the imported DNSKEY records had a default TTL value. In the event of a a conflict between TTL values in imported keys, the shortest one is used.
.RE
.PP
\-t
.RS 4
Print statistics at completion.
.RE
.PP
\-u
.RS 4
Update NSEC/NSEC3 chain when re\-signing a previously signed zone. With this option, a zone signed with NSEC can be switched to NSEC3, or a zone signed with NSEC3 can be switch to NSEC or to NSEC3 with different parameters. Without this option,
\fBdnssec\-signzone\fR
will retain the existing chain when re\-signing.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level.
.RE
.PP
\-x
.RS 4
Only sign the DNSKEY RRset with key\-signing keys, and omit signatures from zone\-signing keys. (This is similar to the
\fBdnssec\-dnskey\-kskonly yes;\fR
zone option in
\fBnamed\fR.)
.RE
.PP
\-z
.RS 4
Ignore KSK flag on key when determining what to sign. This causes KSK\-flagged keys to sign all records, not just the DNSKEY RRset. (This is similar to the
\fBupdate\-check\-ksk no;\fR
zone option in
\fBnamed\fR.)
.RE
.PP
\-3 \fIsalt\fR
.RS 4
Generate an NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
.RE
.PP
\-H \fIiterations\fR
.RS 4
When generating an NSEC3 chain, use this many interations. The default is 10.
.RE
.PP
\-A
.RS 4
When generating an NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
.sp
Using this option twice (i.e.,
\fB\-AA\fR) turns the OPTOUT flag off for all records. This is useful when using the
\fB\-u\fR
option to modify an NSEC3 chain which previously had OPTOUT set.
.RE
.PP
zonefile
.RS 4
The file containing the zone to be signed.
.RE
.PP
key
.RS 4
Specify which keys should be used to sign the zone. If no keys are specified, then the zone will be examined for DNSKEY records at the zone apex. If these are found and there are matching private keys, in the current directory, then these will be used for signing.
.RE
.SH "EXAMPLE"
.PP
The following command signs the
\fBexample.com\fR
zone with the DSA key generated by
\fBdnssec\-keygen\fR
(Kexample.com.+003+17247). Because the
\fB\-S\fR
option is not being used, the zone's keys must be in the master file (\fIdb.example.com\fR). This invocation looks for
\fIdsset\fR
files, in the current directory, so that DS records can be imported from them (\fB\-g\fR).
.sp
.RS 4
.nf
% dnssec\-signzone \-g \-o example.com db.example.com \\
Kexample.com.+003+17247
db.example.com.signed
%
.fi
.RE
.PP
In the above example,
\fBdnssec\-signzone\fR
creates the file
\fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a
\fInamed.conf\fR
file.
.PP
This example re\-signs a previously signed zone with default parameters. The private keys are assumed to be in the current directory.
.sp
.RS 4
.nf
% cp db.example.com.signed db.example.com
% dnssec\-signzone \-o example.com db.example.com
db.example.com.signed
%
.fi
.RE
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
BIND 9 Administrator Reference Manual,
RFC 4033.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2004\-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br

3746
contrib/bind9/bin/dnssec/dnssec-signzone.c
View file

File diff suppressed because it is too large Load diff

782
contrib/bind9/bin/dnssec/dnssec-signzone.docbook
View file

@ -1,782 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-signzone</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-signzone</application></refname>
<refpurpose>DNSSEC zone signing tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2008</year>
<year>2009</year>
<year>2011</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-signzone</command>
<arg><option>-a</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-D</option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
<arg><option>-g</option></arg>
<arg><option>-h</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">serial</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
<arg><option>-j <replaceable class="parameter">jitter</replaceable></option></arg>
<arg><option>-N <replaceable class="parameter">soa-serial-format</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg>
<arg><option>-P</option></arg>
<arg><option>-p</option></arg>
<arg><option>-R</option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-S</option></arg>
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg><option>-T <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-t</option></arg>
<arg><option>-u</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-X <replaceable class="parameter">extended end-time</replaceable></option></arg>
<arg><option>-x</option></arg>
<arg><option>-z</option></arg>
<arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
<arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
<arg><option>-A</option></arg>
<arg choice="req">zonefile</arg>
<arg rep="repeat">key</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>dnssec-signzone</command>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<filename>keyset</filename> file for each child zone.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a</term>
<listitem>
<para>
Verify all generated signatures.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class of the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Compatibility mode: Generate a
<filename>keyset-<replaceable>zonename</replaceable></filename>
file in addition to
<filename>dsset-<replaceable>zonename</replaceable></filename>
when signing a zone, for use by older versions of
<command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for <filename>dsset-</filename> or
<filename>keyset-</filename> files in <option>directory</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>
Output only those record types automatically managed by
<command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
(<option>-S</option>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <command>$INCLUDE</command>. This option
cannot be combined with <option>-O raw</option> or serial
number updating.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Uses a crypto hardware (OpenSSL engine) for the crypto operations
it supports, for instance signing with private keys from
a secure key store. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem>
<para>
Generate DS records for child zones from
<filename>dsset-</filename> or <filename>keyset-</filename>
file. Existing DS records will be removed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Key repository: Specify a directory to search for DNSSEC keys.
If not specified, defaults to the current directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">key</replaceable></term>
<listitem>
<para>
Treat specified key as a key signing key ignoring any
key flags. This option may be specified multiple times.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <option>start-time</option> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e <replaceable class="parameter">end-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated RRSIG records
expire. As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
<option>end-time</option> must be later than
<option>start-time</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-X <replaceable class="parameter">extended end-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated RRSIG records
for the DNSKEY RRset will expire. This is to be used in cases
when the DNSKEY signatures need to persist longer than
signatures on other records; e.g., when the private component
of the KSK is kept offline and the KSK signature is to be
refreshed manually.
</para>
<para>
As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <option>extended end-time</option> is
specified, the value of <option>end-time</option> is used as
the default. (<option>end-time</option>, in turn, defaults to
30 days from the start time.) <option>extended end-time</option>
must be later than <option>start-time</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">output-file</replaceable></term>
<listitem>
<para>
The name of the output file containing the signed zone. The
default is to append <filename>.signed</filename> to
the input filename. If <option>output-file</option> is
set to <literal>"-"</literal>, then the signed zone is
written to the standard output, with a default output
format of "full".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
When a previously-signed zone is passed as input, records
may be resigned. The <option>interval</option> option
specifies the cycle interval as an offset from the current
time (in seconds). If a RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
</para>
<para>
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<option>end-time</option> or <option>start-time</option>
are specified, <command>dnssec-signzone</command>
generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
replaced.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">input-format</replaceable></term>
<listitem>
<para>
The format of the input zone file.
Possible formats are <command>"text"</command> (default)
and <command>"raw"</command>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
The use of this option does not make much sense for
non-dynamic zones.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-j <replaceable class="parameter">jitter</replaceable></term>
<listitem>
<para>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously-signed zone is passed as input to the signer,
all expired signatures have to be regenerated at about the
same time. The <option>jitter</option> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
</para>
<para>
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">serial</replaceable></term>
<listitem>
<para>
When writing a signed zone to 'raw' format, set the "source serial"
value in the header to the specified serial number. (This is
expected to be used primarily for testing purposes.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">ncpus</replaceable></term>
<listitem>
<para>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-N <replaceable class="parameter">soa-serial-format</replaceable></term>
<listitem>
<para>
The SOA serial number format of the signed zone.
Possible formats are <command>"keep"</command> (default),
<command>"increment"</command> and
<command>"unixtime"</command>.
</para>
<variablelist>
<varlistentry>
<term><command>"keep"</command></term>
<listitem>
<para>Do not modify the SOA serial number.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>"increment"</command></term>
<listitem>
<para>Increment the SOA serial number using RFC 1982
arithmetics.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>"unixtime"</command></term>
<listitem>
<para>Set the SOA serial number to the number of seconds
since epoch.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>-o <replaceable class="parameter">origin</replaceable></term>
<listitem>
<para>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-O <replaceable class="parameter">output-format</replaceable></term>
<listitem>
<para>
The format of the output file containing the signed zone.
Possible formats are <command>"text"</command> (default)
<command>"full"</command>, which is text output in a
format suitable for processing by external scripts,
and <command>"raw"</command> or <command>"raw=N"</command>,
which store the zone in a binary format for rapid loading
by <command>named</command>. <command>"raw=N"</command>
specifies the format version of the raw zone file: if N
is 0, the raw file can be read by any version of
<command>named</command>; if N is 1, the file can be
read by release 9.9.0 or higher. The default is 1.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-P</term>
<listitem>
<para>
Disable post sign verification tests.
</para>
<para>
The post sign verification test ensures that for each algorithm
in use there is at least one non revoked self signed KSK key,
that all revoked KSK keys are self signed, and that all records
in the zone are signed by the algorithm.
This option skips these tests.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R</term>
<listitem>
<para>
Remove signatures from keys that no longer exist.
</para>
<para>
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <option>-R</option> forces
<command>dnssec-signzone</command> to remove all orphaned
signatures.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S</term>
<listitem>
<para>
Smart signing: Instructs <command>dnssec-signzone</command> to
search the key repository for keys that match the zone being
signed, and to include them in the zone if appropriate.
</para>
<para>
When a key is found, its timing metadata is examined to
determine how it should be used, according to the following
rules. Each successive rule takes priority over the prior
ones:
</para>
<variablelist>
<varlistentry>
<listitem>
<para>
If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If the key's publication date is set and is in the past, the
key is published in the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
used to sign the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If the key's revocation date is set and in the past, and the
key is published, then the key is revoked, and the revoked key
is used to sign the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>
If either of the key's unpublication or deletion dates are set
and in the past, the key is NOT published or used to sign the
zone, regardless of any other metadata.
</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Specifies a TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not
specified, the default is the TTL value from the zone's SOA
record. This option is ignored when signing without
<option>-S</option>, since DNSKEY records are not imported
from the key repository in that case. It is also ignored if
there are any pre-existing DNSKEY records at the zone apex,
in which case new records' TTL values will be set to match
them, or if any of the imported DNSKEY records had a default
TTL value. In the event of a a conflict between TTL values in
imported keys, the shortest one is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t</term>
<listitem>
<para>
Print statistics at completion.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u</term>
<listitem>
<para>
Update NSEC/NSEC3 chain when re-signing a previously signed
zone. With this option, a zone signed with NSEC can be
switched to NSEC3, or a zone signed with NSEC3 can
be switch to NSEC or to NSEC3 with different parameters.
Without this option, <command>dnssec-signzone</command> will
retain the existing chain when re-signing.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>
<para>
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys. (This is similar to the
<command>dnssec-dnskey-kskonly yes;</command> zone option in
<command>named</command>.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Ignore KSK flag on key when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
DNSKEY RRset. (This is similar to the
<command>update-check-ksk no;</command> zone option in
<command>named</command>.)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-3 <replaceable class="parameter">salt</replaceable></term>
<listitem>
<para>
Generate an NSEC3 chain with the given hex encoded salt.
A dash (<replaceable class="parameter">salt</replaceable>) can
be used to indicate that no salt is to be used when generating the NSEC3 chain.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-H <replaceable class="parameter">iterations</replaceable></term>
<listitem>
<para>
When generating an NSEC3 chain, use this many interations. The
default is 10.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A</term>
<listitem>
<para>
When generating an NSEC3 chain set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
</para>
<para>
Using this option twice (i.e., <option>-AA</option>)
turns the OPTOUT flag off for all records. This is useful
when using the <option>-u</option> option to modify an NSEC3
chain which previously had OPTOUT set.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>zonefile</term>
<listitem>
<para>
The file containing the zone to be signed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>key</term>
<listitem>
<para>
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys, in the current directory,
then these will be used for signing.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated by <command>dnssec-keygen</command>
(Kexample.com.+003+17247). Because the <command>-S</command> option
is not being used, the zone's keys must be in the master file
(<filename>db.example.com</filename>). This invocation looks
for <filename>dsset</filename> files, in the current directory,
so that DS records can be imported from them (<command>-g</command>).
</para>
<programlisting>% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</programlisting>
<para>
In the above example, <command>dnssec-signzone</command> creates
the file <filename>db.example.com.signed</filename>. This
file should be referenced in a zone statement in a
<filename>named.conf</filename> file.
</para>
<para>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</para>
<programlisting>% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</programlisting>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4033</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

491
contrib/bind9/bin/dnssec/dnssec-signzone.html
View file

@ -1,491 +0,0 @@
<!--
- Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-signzone</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-signzone"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-L <em class="replaceable"><code>serial</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-P</code>] [<code class="option">-p</code>] [<code class="option">-R</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S</code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-T <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-t</code>] [<code class="option">-u</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-X <em class="replaceable"><code>extended end-time</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543626"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-signzone</strong></span>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
zone. The security status of delegations from the signed zone
(that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<code class="filename">keyset</code> file for each child zone.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543641"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a</span></dt>
<dd><p>
Verify all generated signatures.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specifies the DNS class of the zone.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: Generate a
<code class="filename">keyset-<em class="replaceable"><code>zonename</code></em></code>
file in addition to
<code class="filename">dsset-<em class="replaceable"><code>zonename</code></em></code>
when signing a zone, for use by older versions of
<span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Look for <code class="filename">dsset-</code> or
<code class="filename">keyset-</code> files in <code class="option">directory</code>.
</p></dd>
<dt><span class="term">-D</span></dt>
<dd><p>
Output only those record types automatically managed by
<span><strong class="command">dnssec-signzone</strong></span>, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
(<code class="option">-S</code>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <span><strong class="command">$INCLUDE</strong></span>. This option
cannot be combined with <code class="option">-O raw</code> or serial
number updating.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Uses a crypto hardware (OpenSSL engine) for the crypto operations
it supports, for instance signing with private keys from
a secure key store. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</p></dd>
<dt><span class="term">-g</span></dt>
<dd><p>
Generate DS records for child zones from
<code class="filename">dsset-</code> or <code class="filename">keyset-</code>
file. Existing DS records will be removed.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Key repository: Specify a directory to search for DNSSEC keys.
If not specified, defaults to the current directory.
</p></dd>
<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Treat specified key as a key signing key ignoring any
key flags. This option may be specified multiple times.
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
Generate a DLV set in addition to the key (DNSKEY) and DS sets.
The domain is appended to the name of the records.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
<dd><p>
Specify the date and time when the generated RRSIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <code class="option">start-time</code> is specified, the current
time minus 1 hour (to allow for clock skew) is used.
</p></dd>
<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
<dd><p>
Specify the date and time when the generated RRSIG records
expire. As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">end-time</code> is
specified, 30 days from the start time is used as a default.
<code class="option">end-time</code> must be later than
<code class="option">start-time</code>.
</p></dd>
<dt><span class="term">-X <em class="replaceable"><code>extended end-time</code></em></span></dt>
<dd>
<p>
Specify the date and time when the generated RRSIG records
for the DNSKEY RRset will expire. This is to be used in cases
when the DNSKEY signatures need to persist longer than
signatures on other records; e.g., when the private component
of the KSK is kept offline and the KSK signature is to be
refreshed manually.
</p>
<p>
As with <code class="option">start-time</code>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <code class="option">extended end-time</code> is
specified, the value of <code class="option">end-time</code> is used as
the default. (<code class="option">end-time</code>, in turn, defaults to
30 days from the start time.) <code class="option">extended end-time</code>
must be later than <code class="option">start-time</code>.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
<dd><p>
The name of the output file containing the signed zone. The
default is to append <code class="filename">.signed</code> to
the input filename. If <code class="option">output-file</code> is
set to <code class="literal">"-"</code>, then the signed zone is
written to the standard output, with a default output
format of "full".
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
When a previously-signed zone is passed as input, records
may be resigned. The <code class="option">interval</code> option
specifies the cycle interval as an offset from the current
time (in seconds). If a RRSIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
</p>
<p>
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<code class="option">end-time</code> or <code class="option">start-time</code>
are specified, <span><strong class="command">dnssec-signzone</strong></span>
generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing RRSIG records
are due to expire in less than 7.5 days, they would be
replaced.
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
The format of the input zone file.
Possible formats are <span><strong class="command">"text"</strong></span> (default)
and <span><strong class="command">"raw"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be signed directly.
The use of this option does not make much sense for
non-dynamic zones.
</p></dd>
<dt><span class="term">-j <em class="replaceable"><code>jitter</code></em></span></dt>
<dd>
<p>
When signing a zone with a fixed signature lifetime, all
RRSIG records issued at the time of signing expires
simultaneously. If the zone is incrementally signed, i.e.
a previously-signed zone is passed as input to the signer,
all expired signatures have to be regenerated at about the
same time. The <code class="option">jitter</code> option specifies a
jitter window that will be used to randomize the signature
expire time, thus spreading incremental signature
regeneration over time.
</p>
<p>
Signature lifetime jitter also to some extent benefits
validators and servers by spreading out cache expiration,
i.e. if large numbers of RRSIGs don't expire at the same time
from all caches there will be less congestion than if all
validators need to refetch at mostly the same time.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>serial</code></em></span></dt>
<dd><p>
When writing a signed zone to 'raw' format, set the "source serial"
value in the header to the specified serial number. (This is
expected to be used primarily for testing purposes.)
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
<dd><p>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</p></dd>
<dt><span class="term">-N <em class="replaceable"><code>soa-serial-format</code></em></span></dt>
<dd>
<p>
The SOA serial number format of the signed zone.
Possible formats are <span><strong class="command">"keep"</strong></span> (default),
<span><strong class="command">"increment"</strong></span> and
<span><strong class="command">"unixtime"</strong></span>.
</p>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">"keep"</strong></span></span></dt>
<dd><p>Do not modify the SOA serial number.</p></dd>
<dt><span class="term"><span><strong class="command">"increment"</strong></span></span></dt>
<dd><p>Increment the SOA serial number using RFC 1982
arithmetics.</p></dd>
<dt><span class="term"><span><strong class="command">"unixtime"</strong></span></span></dt>
<dd><p>Set the SOA serial number to the number of seconds
since epoch.</p></dd>
</dl></div>
</dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</p></dd>
<dt><span class="term">-O <em class="replaceable"><code>output-format</code></em></span></dt>
<dd><p>
The format of the output file containing the signed zone.
Possible formats are <span><strong class="command">"text"</strong></span> (default)
<span><strong class="command">"full"</strong></span>, which is text output in a
format suitable for processing by external scripts,
and <span><strong class="command">"raw"</strong></span> or <span><strong class="command">"raw=N"</strong></span>,
which store the zone in a binary format for rapid loading
by <span><strong class="command">named</strong></span>. <span><strong class="command">"raw=N"</strong></span>
specifies the format version of the raw zone file: if N
is 0, the raw file can be read by any version of
<span><strong class="command">named</strong></span>; if N is 1, the file can be
read by release 9.9.0 or higher. The default is 1.
</p></dd>
<dt><span class="term">-p</span></dt>
<dd><p>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</p></dd>
<dt><span class="term">-P</span></dt>
<dd>
<p>
Disable post sign verification tests.
</p>
<p>
The post sign verification test ensures that for each algorithm
in use there is at least one non revoked self signed KSK key,
that all revoked KSK keys are self signed, and that all records
in the zone are signed by the algorithm.
This option skips these tests.
</p>
</dd>
<dt><span class="term">-R</span></dt>
<dd>
<p>
Remove signatures from keys that no longer exist.
</p>
<p>
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <code class="option">-R</code> forces
<span><strong class="command">dnssec-signzone</strong></span> to remove all orphaned
signatures.
</p>
</dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-S</span></dt>
<dd>
<p>
Smart signing: Instructs <span><strong class="command">dnssec-signzone</strong></span> to
search the key repository for keys that match the zone being
signed, and to include them in the zone if appropriate.
</p>
<p>
When a key is found, its timing metadata is examined to
determine how it should be used, according to the following
rules. Each successive rule takes priority over the prior
ones:
</p>
<div class="variablelist"><dl>
<dt></dt>
<dd><p>
If no timing metadata has been set for the key, the key is
published in the zone and used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
If the key's publication date is set and is in the past, the
key is published in the zone.
</p></dd>
<dt></dt>
<dd><p>
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
If the key's revocation date is set and in the past, and the
key is published, then the key is revoked, and the revoked key
is used to sign the zone.
</p></dd>
<dt></dt>
<dd><p>
If either of the key's unpublication or deletion dates are set
and in the past, the key is NOT published or used to sign the
zone, regardless of any other metadata.
</p></dd>
</dl></div>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Specifies a TTL to be used for new DNSKEY records imported
into the zone from the key repository. If not
specified, the default is the TTL value from the zone's SOA
record. This option is ignored when signing without
<code class="option">-S</code>, since DNSKEY records are not imported
from the key repository in that case. It is also ignored if
there are any pre-existing DNSKEY records at the zone apex,
in which case new records' TTL values will be set to match
them, or if any of the imported DNSKEY records had a default
TTL value. In the event of a a conflict between TTL values in
imported keys, the shortest one is used.
</p></dd>
<dt><span class="term">-t</span></dt>
<dd><p>
Print statistics at completion.
</p></dd>
<dt><span class="term">-u</span></dt>
<dd><p>
Update NSEC/NSEC3 chain when re-signing a previously signed
zone. With this option, a zone signed with NSEC can be
switched to NSEC3, or a zone signed with NSEC3 can
be switch to NSEC or to NSEC3 with different parameters.
Without this option, <span><strong class="command">dnssec-signzone</strong></span> will
retain the existing chain when re-signing.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
Only sign the DNSKEY RRset with key-signing keys, and omit
signatures from zone-signing keys. (This is similar to the
<span><strong class="command">dnssec-dnskey-kskonly yes;</strong></span> zone option in
<span><strong class="command">named</strong></span>.)
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
Ignore KSK flag on key when determining what to sign. This
causes KSK-flagged keys to sign all records, not just the
DNSKEY RRset. (This is similar to the
<span><strong class="command">update-check-ksk no;</strong></span> zone option in
<span><strong class="command">named</strong></span>.)
</p></dd>
<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
<dd><p>
Generate an NSEC3 chain with the given hex encoded salt.
A dash (<em class="replaceable"><code>salt</code></em>) can
be used to indicate that no salt is to be used when generating the NSEC3 chain.
</p></dd>
<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
<dd><p>
When generating an NSEC3 chain, use this many interations. The
default is 10.
</p></dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
When generating an NSEC3 chain set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
</p>
<p>
Using this option twice (i.e., <code class="option">-AA</code>)
turns the OPTOUT flag off for all records. This is useful
when using the <code class="option">-u</code> option to modify an NSEC3
chain which previously had OPTOUT set.
</p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the zone to be signed.
</p></dd>
<dt><span class="term">key</span></dt>
<dd><p>
Specify which keys should be used to sign the zone. If
no keys are specified, then the zone will be examined
for DNSKEY records at the zone apex. If these are found and
there are matching private keys, in the current directory,
then these will be used for signing.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2545127"></a><h2>EXAMPLE</h2>
<p>
The following command signs the <strong class="userinput"><code>example.com</code></strong>
zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
(Kexample.com.+003+17247). Because the <span><strong class="command">-S</strong></span> option
is not being used, the zone's keys must be in the master file
(<code class="filename">db.example.com</code>). This invocation looks
for <code class="filename">dsset</code> files, in the current directory,
so that DS records can be imported from them (<span><strong class="command">-g</strong></span>).
</p>
<pre class="programlisting">% dnssec-signzone -g -o example.com db.example.com \
Kexample.com.+003+17247
db.example.com.signed
%</pre>
<p>
In the above example, <span><strong class="command">dnssec-signzone</strong></span> creates
the file <code class="filename">db.example.com.signed</code>. This
file should be referenced in a zone statement in a
<code class="filename">named.conf</code> file.
</p>
<p>
This example re-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
</p>
<pre class="programlisting">% cp db.example.com.signed db.example.com
% dnssec-signzone -o example.com db.example.com
db.example.com.signed
%</pre>
</div>
<div class="refsect1" lang="en">
<a name="id2545182"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2545207"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

97
contrib/bind9/bin/dnssec/dnssec-verify.8
View file

@ -1,97 +0,0 @@
.\" Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id$
.\"
.hy 0
.ad l
.\" Title: dnssec\-verify
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: April 12, 2012
.\" Manual: BIND9
.\" Source: BIND9
.\"
.TH "DNSSEC\-VERIFY" "8" "April 12, 2012" "BIND9" "BIND9"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.SH "NAME"
dnssec\-verify \- DNSSEC zone verification tool
.SH "SYNOPSIS"
.HP 14
\fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-verify\fR
verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.
.SH "OPTIONS"
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class of the zone.
.RE
.PP
\-I \fIinput\-format\fR
.RS 4
The format of the input zone file. Possible formats are
\fB"text"\fR
(default) and
\fB"raw"\fR. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be verified independently. The use of this option does not make much sense for non\-dynamic zones.
.RE
.PP
\-o \fIorigin\fR
.RS 4
The zone origin. If not specified, the name of the zone file is assumed to be the origin.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level.
.RE
.PP
\-x
.RS 4
Only verify that the DNSKEY RRset is signed with key\-signing keys. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone\-signing keys. This corresponds to the
\fB\-x\fR
option in
\fBdnssec\-signzone\fR.
.RE
.PP
\-z
.RS 4
Ignore the KSK flag on the keys when determining whether the zone if correctly signed. Without this flag it is assumed that there will be a non\-revoked, self\-signed DNSKEY with the KSK flag set for each algorithm and that RRsets other than DNSKEY RRset will be signed with a different DNSKEY without the KSK flag set.
.sp
With this flag set, we only require that for each algorithm, there will be at least one non\-revoked, self\-signed DNSKEY, regardless of the KSK flag state, and that other RRsets will be signed by a non\-revoked key for the same algorithm that includes the self\-signed key; the same key may be used for both purposes. This corresponds to the
\fB\-z\fR
option in
\fBdnssec\-signzone\fR.
.RE
.PP
zonefile
.RS 4
The file containing the zone to be signed.
.RE
.SH "SEE ALSO"
.PP
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 4033.
.SH "AUTHOR"
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
Copyright \(co 2012 Internet Systems Consortium, Inc. ("ISC")
.br

328
contrib/bind9/bin/dnssec/dnssec-verify.c
View file

@ -1,328 +0,0 @@
/*
* Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-verify.c,v 1.1.2.1 2011/03/16 06:37:51 each Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <time.h>
#include <isc/app.h>
#include <isc/base32.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/event.h>
#include <isc/file.h>
#include <isc/hash.h>
#include <isc/hex.h>
#include <isc/mem.h>
#include <isc/mutex.h>
#include <isc/os.h>
#include <isc/print.h>
#include <isc/random.h>
#include <isc/rwlock.h>
#include <isc/serial.h>
#include <isc/stdio.h>
#include <isc/stdlib.h>
#include <isc/string.h>
#include <isc/time.h>
#include <isc/util.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/diff.h>
#include <dns/dnssec.h>
#include <dns/ds.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/master.h>
#include <dns/masterdump.h>
#include <dns/nsec.h>
#include <dns/nsec3.h>
#include <dns/rdata.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdataclass.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/result.h>
#include <dns/soa.h>
#include <dns/time.h>
#include <dst/dst.h>
#include "dnssectool.h"
const char *program = "dnssec-verify";
int verbose;
static isc_stdtime_t now;
static isc_mem_t *mctx = NULL;
static isc_entropy_t *ectx = NULL;
static dns_masterformat_t inputformat = dns_masterformat_text;
static dns_db_t *gdb; /* The database */
static dns_dbversion_t *gversion; /* The database version */
static dns_rdataclass_t gclass; /* The class */
static dns_name_t *gorigin; /* The database origin */
static isc_boolean_t ignore_kskflag = ISC_FALSE;
static isc_boolean_t keyset_kskonly = ISC_FALSE;
/*%
* Load the zone file from disk
*/
static void
loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
isc_buffer_t b;
int len;
dns_fixedname_t fname;
dns_name_t *name;
isc_result_t result;
len = strlen(origin);
isc_buffer_init(&b, origin, len);
isc_buffer_add(&b, len);
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS)
fatal("failed converting name '%s' to dns format: %s",
origin, isc_result_totext(result));
result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
rdclass, 0, NULL, db);
check_result(result, "dns_db_create()");
result = dns_db_load2(*db, file, inputformat);
if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
fatal("failed loading zone from '%s': %s",
file, isc_result_totext(result));
}
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
static void
usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, "\t%s [options] zonefile [keys]\n", program);
fprintf(stderr, "\n");
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "Options: (default value in parenthesis) \n");
fprintf(stderr, "\t-v debuglevel (0)\n");
fprintf(stderr, "\t-o origin:\n");
fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
fprintf(stderr, "\t-I format:\n");
fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
#ifdef USE_PKCS11
fprintf(stderr, "\t\tname of an OpenSSL engine to use "
"(default is \"pkcs11\")\n");
#else
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
#endif
fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, "
"not ZSKs\n");
fprintf(stderr, "\t-z:\tAll records signed with KSKs\n");
exit(0);
}
int
main(int argc, char *argv[]) {
char *origin = NULL, *file = NULL;
char *inputformatstr = NULL;
isc_result_t result;
isc_log_t *log = NULL;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
char *classname = NULL;
dns_rdataclass_t rdclass;
char ch, *endp;
#define CMDLINE_FLAGS \
"m:o:I:c:E:v:xz"
/*
* Process memory debugging argument first.
*/
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'm':
if (strcasecmp(isc_commandline_argument, "record") == 0)
isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
if (strcasecmp(isc_commandline_argument, "trace") == 0)
isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
if (strcasecmp(isc_commandline_argument, "usage") == 0)
isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
if (strcasecmp(isc_commandline_argument, "size") == 0)
isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
if (strcasecmp(isc_commandline_argument, "mctx") == 0)
isc_mem_debugging |= ISC_MEM_DEBUGCTX;
break;
default:
break;
}
}
isc_commandline_reset = ISC_TRUE;
check_result(isc_app_start(), "isc_app_start");
result = isc_mem_create(0, 0, &mctx);
if (result != ISC_R_SUCCESS)
fatal("out of memory");
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'c':
classname = isc_commandline_argument;
break;
case 'E':
engine = isc_commandline_argument;
break;
case 'h':
usage();
break;
case 'I':
inputformatstr = isc_commandline_argument;
break;
case 'm':
break;
case 'o':
origin = isc_commandline_argument;
break;
case 'v':
endp = NULL;
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("verbose level must be numeric");
break;
case 'x':
keyset_kskonly = ISC_TRUE;
break;
case 'z':
ignore_kskflag = ISC_TRUE;
break;
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
usage();
break;
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("could not create hash context");
result = dst_lib_init2(mctx, ectx, engine, ISC_ENTROPY_BLOCKING);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst: %s",
isc_result_totext(result));
isc_stdtime_get(&now);
rdclass = strtoclass(classname);
setup_logging(verbose, mctx, &log);
argc -= isc_commandline_index;
argv += isc_commandline_index;
if (argc < 1)
usage();
file = argv[0];
argc -= 1;
argv += 1;
POST(argc);
POST(argv);
if (origin == NULL)
origin = file;
if (inputformatstr != NULL) {
if (strcasecmp(inputformatstr, "text") == 0)
inputformat = dns_masterformat_text;
else if (strcasecmp(inputformatstr, "raw") == 0)
inputformat = dns_masterformat_raw;
else
fatal("unknown file format: %s\n", inputformatstr);
}
gdb = NULL;
fprintf(stderr, "Loading zone '%s' from file '%s'\n", origin, file);
loadzone(file, origin, rdclass, &gdb);
gorigin = dns_db_origin(gdb);
gclass = dns_db_class(gdb);
gversion = NULL;
result = dns_db_newversion(gdb, &gversion);
check_result(result, "dns_db_newversion()");
verifyzone(gdb, gversion, gorigin, mctx,
ignore_kskflag, keyset_kskonly);
dns_db_closeversion(gdb, &gversion, ISC_FALSE);
dns_db_detach(&gdb);
cleanup_logging(&log);
dst_lib_destroy();
isc_hash_destroy();
cleanup_entropy(&ectx);
dns_name_destroy();
if (verbose > 10)
isc_mem_stats(mctx, stdout);
isc_mem_destroy(&mctx);
(void) isc_app_finish();
return (0);
}

185
contrib/bind9/bin/dnssec/dnssec-verify.docbook
View file

@ -1,185 +0,0 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-verify.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ -->
<refentry id="man.dnssec-verify">
<refentryinfo>
<date>April 12, 2012</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-verify</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-verify</application></refname>
<refpurpose>DNSSEC zone verification tool</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>2012</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-verify</command>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-x</option></arg>
<arg><option>-z</option></arg>
<arg choice="req">zonefile</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>dnssec-verify</command>
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
chains are complete.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class of the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">input-format</replaceable></term>
<listitem>
<para>
The format of the input zone file.
Possible formats are <command>"text"</command> (default)
and <command>"raw"</command>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be verified independently.
The use of this option does not make much sense for
non-dynamic zones.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-o <replaceable class="parameter">origin</replaceable></term>
<listitem>
<para>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x</term>
<listitem>
<para>
Only verify that the DNSKEY RRset is signed with key-signing
keys. Without this flag, it is assumed that the DNSKEY RRset
will be signed by all active keys. When this flag is set,
it will not be an error if the DNSKEY RRset is not signed
by zone-signing keys. This corresponds to the <option>-x</option>
option in <command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Ignore the KSK flag on the keys when determining whether
the zone if correctly signed. Without this flag it is
assumed that there will be a non-revoked, self-signed
DNSKEY with the KSK flag set for each algorithm and
that RRsets other than DNSKEY RRset will be signed with
a different DNSKEY without the KSK flag set.
</para>
<para>
With this flag set, we only require that for each algorithm,
there will be at least one non-revoked, self-signed DNSKEY,
regardless of the KSK flag state, and that other RRsets
will be signed by a non-revoked key for the same algorithm
that includes the self-signed key; the same key may be used
for both purposes. This corresponds to the <option>-z</option>
option in <command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>zonefile</term>
<listitem>
<para>
The file containing the zone to be signed.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4033</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->

117
contrib/bind9/bin/dnssec/dnssec-verify.html
View file

@ -1,117 +0,0 @@
<!--
- Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-verify</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543390"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-verify</strong></span>
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
chains are complete.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543402"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specifies the DNS class of the zone.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
The format of the input zone file.
Possible formats are <span><strong class="command">"text"</strong></span> (default)
and <span><strong class="command">"raw"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be verified independently.
The use of this option does not make much sense for
non-dynamic zones.
</p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
Only verify that the DNSKEY RRset is signed with key-signing
keys. Without this flag, it is assumed that the DNSKEY RRset
will be signed by all active keys. When this flag is set,
it will not be an error if the DNSKEY RRset is not signed
by zone-signing keys. This corresponds to the <code class="option">-x</code>
option in <span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Ignore the KSK flag on the keys when determining whether
the zone if correctly signed. Without this flag it is
assumed that there will be a non-revoked, self-signed
DNSKEY with the KSK flag set for each algorithm and
that RRsets other than DNSKEY RRset will be signed with
a different DNSKEY without the KSK flag set.
</p>
<p>
With this flag set, we only require that for each algorithm,
there will be at least one non-revoked, self-signed DNSKEY,
regardless of the KSK flag state, and that other RRsets
will be signed by a non-revoked key for the same algorithm
that includes the self-signed key; the same key may be used
for both purposes. This corresponds to the <code class="option">-z</code>
option in <span><strong class="command">dnssec-signzone</strong></span>.
</p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the zone to be signed.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543543"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543637"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>

1801
contrib/bind9/bin/dnssec/dnssectool.c
View file

File diff suppressed because it is too large Load diff

97
contrib/bind9/bin/dnssec/dnssectool.h
View file

@ -1,97 +0,0 @@
/*
* Copyright (C) 2004, 2007-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssectool.h,v 1.33 2011/10/20 23:46:51 tbox Exp $ */
#ifndef DNSSECTOOL_H
#define DNSSECTOOL_H 1
#include <isc/log.h>
#include <isc/stdtime.h>
#include <dns/rdatastruct.h>
#include <dst/dst.h>
#define check_dns_dbiterator_current(result) \
check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
"dns_dbiterator_current()")
typedef void (fatalcallback_t)(void);
ISC_PLATFORM_NORETURN_PRE void
fatal(const char *format, ...)
ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
void
setfatalcallback(fatalcallback_t *callback);
void
check_result(isc_result_t result, const char *message);
void
vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
void
type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
#define TYPE_FORMATSIZE 20
void
sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + sizeof("65535"))
void
setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp);
void
cleanup_logging(isc_log_t **logp);
void
setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx);
void
cleanup_entropy(isc_entropy_t **ectx);
dns_ttl_t strtottl(const char *str);
isc_stdtime_t
strtotime(const char *str, isc_int64_t now, isc_int64_t base);
dns_rdataclass_t
strtoclass(const char *str);
isc_result_t
try_dir(const char *dirname);
void
check_keyversion(dst_key_t *key, char *keystr);
void
set_keyversion(dst_key_t *key);
isc_boolean_t
key_collision(dst_key_t *key, dns_name_t *name, const char *dir,
isc_mem_t *mctx, isc_boolean_t *exact);
isc_boolean_t
is_delegation(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp);
void
verifyzone(dns_db_t *db, dns_dbversion_t *ver,
dns_name_t *origin, isc_mem_t *mctx,
isc_boolean_t ignore_kskflag, isc_boolean_t keyset_kskonly);
#endif /* DNSSEC_DNSSECTOOL_H */

185
contrib/bind9/bin/named/Makefile.in
View file

@ -1,185 +0,0 @@
# Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 1998-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.116 2011/03/10 23:47:49 tbox Exp $
srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
@BIND9_VERSION@
@BIND9_PRODUCT@
@BIND9_DESCRIPTION@
@BIND9_SRCID@
@BIND9_CONFIGARGS@
@BIND9_MAKE_INCLUDES@
#
# Add database drivers here.
#
DBDRIVER_OBJS =
DBDRIVER_SRCS =
DBDRIVER_INCLUDES =
DBDRIVER_LIBS =
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@
DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@
DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @USE_OPENSSL@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
SUBDIRS = unix
TARGETS = named@EXEEXT@ lwresd@EXEEXT@
OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
controlconf.@O@ interfacemgr.@O@ \
listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \
query.@O@ server.@O@ sortlist.@O@ statschannel.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
SYMOBJS = symtbl.@O@
SRCS = builtin.c client.c config.c control.c \
controlconf.c interfacemgr.c \
listenlist.c log.c logconf.c main.c notify.c \
query.c server.c sortlist.c statschannel.c symtbl.c symtbl-empty.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
MANPAGES = named.8 lwresd.8 named.conf.5
HTMLPAGES = named.html lwresd.html named.conf.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
main.@O@: main.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-DPRODUCT=\"${PRODUCT}\" \
-DDESCRIPTION=\"${DESCRIPTION}\" \
-DSRCID=\"${SRCID}\" \
-DCONFIGARGS="\"${CONFIGARGS}\"" \
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
bind.keys.h: ${top_srcdir}/bind.keys ${srcdir}/bindkeys.pl
${PERL} ${srcdir}/bindkeys.pl < ${top_srcdir}/bind.keys > $@
config.@O@: config.c bind.keys.h
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
-DSRCID=\"${SRCID}\" \
-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
-DNS_SYSCONFDIR=\"${sysconfdir}\" \
-c ${srcdir}/config.c
named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
lwresd@EXEEXT@: named@EXEEXT@
rm -f lwresd@EXEEXT@
@LN@ named@EXEEXT@ lwresd@EXEEXT@
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
clean distclean maintainer-clean::
rm -f ${TARGETS} ${OBJS}
maintainer-clean::
rm -f bind.keys.h
bind9.xsl.h: bind9.xsl ${srcdir}/convertxsl.pl
${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
bind9.ver3.xsl.h: bind9.ver3.xsl ${srcdir}/convertxsl.pl
${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.ver3.xsl > bind9.ver3.xsl.h
depend: bind9.xsl.h bind9.ver3.xsl.h
statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
(cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
@DLZ_DRIVER_RULES@
named-symtbl.@O@: named-symtbl.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c

99
contrib/bind9/bin/named/bind.keys.h
View file

@ -1,99 +0,0 @@
/*
* Generated by bindkeys.pl 1.7 2011/01/04 23:47:13 tbox Exp
* From bind.keys 1.7 2011/01/03 23:45:07 each Exp
*/
#define TRUSTED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. As of the current release, the only\n\
# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
# for any other zones MUST be configured elsewhere; if they are configured\n\
# here, they will not be recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
# named.conf options. To use the built-in DLV key, set\n\
# \"dnssec-lookaside auto;\". Without these options being set,\n\
# the keys in this file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of January 2011. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
\n\
trusted-keys {\n\
# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
# NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
# in named.conf.\n\
dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
TDN0YUuWrBNh\";\n\
\n\
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information.\n\
# NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
. 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
};\n\
"
#define MANAGED_KEYS "\
# The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
# which are included as part of BIND 9. As of the current release, the only\n\
# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\"). Trust anchors\n\
# for any other zones MUST be configured elsewhere; if they are configured\n\
# here, they will not be recognized or used by named.\n\
#\n\
# The built-in trust anchors are provided for convenience of configuration.\n\
# They are not activated within named.conf unless specifically switched on.\n\
# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
# named.conf options. To use the built-in DLV key, set\n\
# \"dnssec-lookaside auto;\". Without these options being set,\n\
# the keys in this file are ignored.\n\
#\n\
# This file is NOT expected to be user-configured.\n\
#\n\
# These keys are current as of January 2011. If any key fails to\n\
# initialize correctly, it may have expired. In that event you should\n\
# replace this file with a current version. The latest version of\n\
# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
\n\
managed-keys {\n\
# ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
# NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\
# in named.conf.\n\
dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
TDN0YUuWrBNh\";\n\
\n\
# ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\
# for current trust anchor information.\n\
# NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\
# in named.conf.\n\
. initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
QxA+Uk1ihz0=\";\n\
};\n\
"

738
contrib/bind9/bin/named/bind9.ver3.xsl
View file

@ -1,738 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
- Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<!-- %Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp % -->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
<xsl:output method="html" indent="yes" version="4.0"/>
<xsl:template match="statistics[@version=&quot;3.0&quot;]">
<html>
<head>
<xsl:if test="system-property('xsl:vendor')!='Transformiix'">
<!-- Non Mozilla specific markup -->
<script type="text/javascript" src="https://www.google.com/jsapi"/>
<script type="text/javascript">
google.load("visualization", "1", {packages:["corechart"]});
google.setOnLoadCallback(loadGraphs);
var graphs=[];
function drawChart(chart_title,target,data) {
var data = google.visualization.arrayToDataTable(data);
var options = {
title: chart_title
};
var chart = new google.visualization.BarChart(document.getElementById(target));
chart.draw(data, options);
}
function loadGraphs(){
//alert("here we are!");
var g;
// Server Incoming query Types
while(g = graphs.shift()){
// alert("going for: " + g.target);
if(g.data.length > 1){
drawChart(g.title,g.target,g.data);
}
}
}
// Server Incoming Queries Types
graphs.push({
'title' : "Server Incoming Query Types",
'target': 'chart_incoming_qtypes',
'data': [['Type','Counter'],<xsl:for-each select="server/counters[@type=&quot;qtype&quot;]/counter">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
});
// Server Incoming Requests
graphs.push({
'title' : "Server Incoming Requests",
'target': 'chart_incoming_requests',
'data': [['Requests','Counter'],<xsl:for-each select="server/counters[@type=&quot;opcode&quot;]/counter">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]});
</script>
</xsl:if>
<style type="text/css">
body {
font-family: sans-serif;
background-color: #ffffff;
color: #000000;
font-size: 10pt;
}
.odd{
background-color: #f0f0f0;
}
.even{
background-color: #ffffff;
}
p.footer{
font-style:italic;
color: grey;
}
table {
border-collapse: collapse;
border: 1px solid grey;
}
table.counters{
border: 1px solid grey;
width: 500px;
}
table.counters th {
text-align: center;
border: 1px solid grey;
width: 120px;
}
table.counters td{
text-align:center;
}
table.counters tr:hover{
background-color: #99ddff;
}
.totals {
background-color: rgb(1,169,206);
color: #ffffff;
}
td, th {
padding-right: 5px;
padding-left: 5px;
border: 1px solid grey;
}
.header h1 {
color: rgb(1,169,206);
padding: 0px;
}
.content {
background-color: #ffffff;
color: #000000;
padding: 4px;
}
.item {
padding: 4px;
text-align: right;
}
.value {
padding: 4px;
font-weight: bold;
}
h2 {
color: grey;
font-size: 14pt;
width:500px;
text-align:center;
}
h3 {
color: #444444;
font-size: 12pt;
width:500px;
text-align:center;
}
h4 {
color: rgb(1,169,206);
font-size: 10pt;
width:500px;
text-align:center;
}
.pie {
width:500px;
height: 500px;
}
</style>
<title>ISC BIND 9 Statistics</title>
</head>
<body>
<div class="header">
<h1>ISC Bind 9 Configuration and Statistics</h1>
</div>
<hr/>
<h2>Server Times</h2>
<table class="counters">
<tr>
<th>Boot time:</th>
<td>
<xsl:value-of select="server/boot-time"/>
</td>
</tr>
<tr>
<th>Sample time:</th>
<td>
<xsl:value-of select="server/current-time"/>
</td>
</tr>
</table>
<br/>
<h2>Incoming Requests</h2>
<xsl:if test="system-property('xsl:vendor')!='Transformiix'">
<!-- Non Mozilla specific markup -->
<div class="pie" id="chart_incoming_requests">[no incoming requests]</div>
</xsl:if>
<table class="counters">
<xsl:for-each select="server/counters[@type=&quot;opcode&quot;]/counter">
<xsl:sort select="." data-type="number" order="descending"/>
<tr>
<th>
<xsl:value-of select="@name"/>
</th>
<td>
<xsl:value-of select="."/>
</td>
</tr>
</xsl:for-each>
<tr>
<th class="totals">Total:</th>
<td class="totals">
<xsl:value-of select="sum(server/counters[@type=&quot;opcode&quot;]/counter)"/>
</td>
</tr>
</table>
<br/>
<h3>Incoming Queries by Type</h3>
<xsl:if test="system-property('xsl:vendor')!='Transformiix'">
<!-- Non Mozilla specific markup -->
<div class="pie" id="chart_incoming_qtypes">[no incoming queries]</div>
</xsl:if>
<table class="counters">
<xsl:for-each select="server/counters[@type=&quot;qtype&quot;]/counter">
<xsl:sort select="." data-type="number" order="descending"/>
<xsl:variable name="css-class">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class}">
<th>
<xsl:value-of select="@name"/>
</th>
<td>
<xsl:value-of select="."/>
</td>
</tr>
</xsl:for-each>
<tr>
<th class="totals">Total:</th>
<td class="totals">
<xsl:value-of select="sum(server/counters[@type=&quot;qtype&quot;]/counter)"/>
</td>
</tr>
</table>
<br/>
<h2>Outgoing Queries per view</h2>
<xsl:for-each select="views/view[count(counters[@type=&quot;resqtype&quot;]/counter) &gt; 0]">
<h3>View <xsl:value-of select="@name"/></h3>
<xsl:if test="system-property('xsl:vendor')!='Transformiix'">
<!-- Non Mozilla specific markup -->
<script type="text/javascript">
graphs.push({
'title': "Outgoing queries for view: <xsl:value-of select="@name"/>",
'target': 'chart_outgoing_queries_view_<xsl:value-of select="@name"/>',
'data': [['Type','Counter'],<xsl:for-each select="counters[@type=&quot;resqtype&quot;]/counter">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
});
</script>
<xsl:variable name="target">
<xsl:value-of select="@name"/>
</xsl:variable>
<div class="pie" id="chart_outgoing_queries_view_{$target}"/>
</xsl:if>
<table class="counters">
<xsl:for-each select="counters[@type=&quot;resqtype&quot;]/counter">
<xsl:sort select="." data-type="number" order="descending"/>
<xsl:variable name="css-class1">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class1}">
<th>
<xsl:value-of select="@name"/>
</th>
<td>
<xsl:value-of select="."/>
</td>
</tr>
</xsl:for-each>
</table>
<br/>
</xsl:for-each>
<h2>Server Statistics</h2>
<xsl:if test="system-property('xsl:vendor')!='Transformiix'">
<!-- Non Mozilla specific markup -->
<script type="text/javascript">
graphs.push({
'title' : "Server Counters",
'target': 'chart_server_nsstat_restype',
'data': [['Type','Counter'],<xsl:for-each select="server/counters[@type=&quot;nsstat&quot;]/counter[.&gt;0]">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
});
</script>
<div class="pie" id="chart_server_nsstat_restype"/>
</xsl:if>
<table class="counters">
<xsl:for-each select="server/counters[@type=&quot;nsstat&quot;]/counter[.&gt;0]">
<xsl:sort select="." data-type="number" order="descending"/>
<xsl:variable name="css-class2">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class2}">
<th>
<xsl:value-of select="@name"/>
</th>
<td>
<xsl:value-of select="."/>
</td>
</tr>
</xsl:for-each>
</table>
<br/>
<h2>Zone Maintenance Statistics</h2>
<xsl:if test="system-property('xsl:vendor')!='Transformiix'">
<script type="text/javascript">
graphs.push({
'title' : "Zone Maintenance Stats",
'target': 'chart_server_zone_maint',
'data': [['Type','Counter'],<xsl:for-each select="server/counters[@type=&quot;zonestat&quot;]/counter">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
});
</script>
<!-- Non Mozilla specific markup -->
<div class="pie" id="chart_server_zone_maint"/>
</xsl:if>
<table class="counters">
<xsl:for-each select="server/counters[@type=&quot;zonestat&quot;]/counter">
<xsl:sort select="." data-type="number" order="descending"/>
<xsl:variable name="css-class3">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class3}">
<th>
<xsl:value-of select="@name"/>
</th>
<td>
<xsl:value-of select="."/>
</td>
</tr>
</xsl:for-each>
</table>
<h2>Resolver Statistics (Common)</h2>
<table class="counters">
<xsl:for-each select="server/counters[@type=&quot;restat&quot;]/counter">
<xsl:sort select="." data-type="number" order="descending"/>
<xsl:variable name="css-class4">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class4}">
<th>
<xsl:value-of select="@name"/>
</th>
<td>
<xsl:value-of select="."/>
</td>
</tr>
</xsl:for-each>
</table>
<xsl:for-each select="views/view">
<h3>Resolver Statistics for View <xsl:value-of select="@name"/></h3>
<table class="counters">
<xsl:for-each select="counters[@type=&quot;resstats&quot;]/counter[.&gt;0]">
<xsl:sort select="." data-type="number" order="descending"/>
<xsl:variable name="css-class5">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class5}">
<th>
<xsl:value-of select="@name"/>
</th>
<td>
<xsl:value-of select="."/>
</td>
</tr>
</xsl:for-each>
</table>
</xsl:for-each>
<h3>Cache DB RRsets for View <xsl:value-of select="@name"/></h3>
<xsl:for-each select="views/view">
<table class="counters">
<xsl:for-each select="cache/rrset">
<xsl:variable name="css-class6">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class6}">
<th>
<xsl:value-of select="name"/>
</th>
<td>
<xsl:value-of select="counter"/>
</td>
</tr>
</xsl:for-each>
</table>
<br/>
</xsl:for-each>
<h2>Socket I/O Statistics</h2>
<table class="counters">
<xsl:for-each select="server/counters[@type=&quot;sockstat&quot;]/counter[.&gt;0]">
<xsl:variable name="css-class7">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class7}">
<th>
<xsl:value-of select="@name"/>
</th>
<td>
<xsl:value-of select="."/>
</td>
</tr>
</xsl:for-each>
</table>
<br/>
<br/>
<h2>Response Codes per view/zone</h2>
<xsl:for-each select="views/view[zones/zone/counters[@type=&quot;rcode&quot;]/counter &gt;0]">
<h3>View <xsl:value-of select="@name"/></h3>
<xsl:variable name="thisview">
<xsl:value-of select="@name"/>
</xsl:variable>
<xsl:for-each select="zones/zone">
<xsl:if test="counters[@type=&quot;rcode&quot;]/counter[. &gt; 0]">
<h4>Zone <xsl:value-of select="@name"/></h4>
<xsl:if test="system-property('xsl:vendor')!='Transformiix'">
<!-- Non Mozilla specific markup -->
<script type="text/javascript">
graphs.push({
'title': "Response Codes for zone <xsl:value-of select="@name"/>",
'target': 'chart_rescode_<xsl:value-of select="../../@name"/>_<xsl:value-of select="@name"/>',
'data': [['Type','Counter'],<xsl:for-each select="counters[@type=&quot;rcode&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
});
</script>
<xsl:variable name="target">
<xsl:value-of select="@name"/>
</xsl:variable>
<div class="pie" id="chart_rescode_{$thisview}_{$target}"/>
</xsl:if>
<table class="counters">
<xsl:for-each select="counters[@type=&quot;rcode&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]">
<xsl:sort select="."/>
<xsl:variable name="css-class10">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class10}">
<th>
<xsl:value-of select="@name"/>
</th>
<td>
<xsl:value-of select="."/>
</td>
</tr>
</xsl:for-each>
</table>
</xsl:if>
</xsl:for-each>
</xsl:for-each>
<h2>Received QTYPES per view/zone</h2>
<xsl:for-each select="views/view[zones/zone/counters[@type=&quot;qtype&quot;]/counter &gt;0]">
<h3>View <xsl:value-of select="@name"/></h3>
<xsl:variable name="thisview2">
<xsl:value-of select="@name"/>
</xsl:variable>
<xsl:for-each select="zones/zone">
<xsl:if test="counters[@type=&quot;qtype&quot;]/counter[count(.) &gt; 0]">
<h4>Zone <xsl:value-of select="@name"/></h4>
<xsl:if test="system-property('xsl:vendor')!='Transformiix'">
<!-- Non Mozilla specific markup -->
<script type="text/javascript">
graphs.push({
'title': "Query Types for zone <xsl:value-of select="@name"/>",
'target': 'chart_qtype_<xsl:value-of select="../../@name"/>_<xsl:value-of select="@name"/>',
'data': [['Type','Counter'],<xsl:for-each select="counters[@type=&quot;qtype&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
});
</script>
<xsl:variable name="target">
<xsl:value-of select="@name"/>
</xsl:variable>
<div class="pie" id="chart_qtype_{$thisview2}_{$target}"/>
</xsl:if>
<table class="counters">
<xsl:for-each select="counters[@type=&quot;qtype&quot;]/counter">
<xsl:sort select="."/>
<xsl:variable name="css-class11">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class11}">
<th>
<xsl:value-of select="@name"/>
</th>
<td>
<xsl:value-of select="."/>
</td>
</tr>
</xsl:for-each>
</table>
</xsl:if>
</xsl:for-each>
</xsl:for-each>
<h2>Network Status</h2>
<table class="counters">
<tr>
<th>ID</th>
<th>Name</th>
<th>Type</th>
<th>References</th>
<th>LocalAddress</th>
<th>PeerAddress</th>
<th>State</th>
</tr>
<xsl:for-each select="socketmgr/sockets/socket">
<xsl:sort select="id"/>
<xsl:variable name="css-class12">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class12}">
<td>
<xsl:value-of select="id"/>
</td>
<td>
<xsl:value-of select="name"/>
</td>
<td>
<xsl:value-of select="type"/>
</td>
<td>
<xsl:value-of select="references"/>
</td>
<td>
<xsl:value-of select="local-address"/>
</td>
<td>
<xsl:value-of select="peer-address"/>
</td>
<td>
<xsl:for-each select="states">
<xsl:value-of select="."/>
</xsl:for-each>
</td>
</tr>
</xsl:for-each>
</table>
<br/>
<h2>Task Manager Configuration</h2>
<table class="counters">
<tr>
<th class="even">Thread-Model</th>
<td>
<xsl:value-of select="taskmgr/thread-model/type"/>
</td>
</tr>
<tr class="odd">
<th>Worker Threads</th>
<td>
<xsl:value-of select="taskmgr/thread-model/worker-threads"/>
</td>
</tr>
<tr class="even">
<th>Default Quantum</th>
<td>
<xsl:value-of select="taskmgr/thread-model/default-quantum"/>
</td>
</tr>
<tr class="odd">
<th>Tasks Running</th>
<td>
<xsl:value-of select="taskmgr/thread-model/tasks-running"/>
</td>
</tr>
</table>
<br/>
<h2>Tasks</h2>
<table class="counters">
<tr>
<th>ID</th>
<th>Name</th>
<th>References</th>
<th>State</th>
<th>Quantum</th>
</tr>
<xsl:for-each select="taskmgr/tasks/task">
<xsl:sort select="name"/>
<xsl:variable name="css-class14">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class14}">
<td>
<xsl:value-of select="id"/>
</td>
<td>
<xsl:value-of select="name"/>
</td>
<td>
<xsl:value-of select="references"/>
</td>
<td>
<xsl:value-of select="state"/>
</td>
<td>
<xsl:value-of select="quantum"/>
</td>
</tr>
</xsl:for-each>
</table>
<br/>
<h2>Memory Usage Summary</h2>
<table class="counters">
<xsl:for-each select="memory/summary/*">
<xsl:variable name="css-class13">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class13}">
<th>
<xsl:value-of select="name()"/>
</th>
<td>
<xsl:value-of select="."/>
</td>
</tr>
</xsl:for-each>
</table>
<br/>
<h2>Memory Contexts</h2>
<table class="counters">
<tr>
<th>ID</th>
<th>Name</th>
<th>References</th>
<th>TotalUse</th>
<th>InUse</th>
<th>MaxUse</th>
<th>BlockSize</th>
<th>Pools</th>
<th>HiWater</th>
<th>LoWater</th>
</tr>
<xsl:for-each select="memory/contexts/context">
<xsl:sort select="total" data-type="number" order="descending"/>
<xsl:variable name="css-class14">
<xsl:choose>
<xsl:when test="position() mod 2 = 0">even</xsl:when>
<xsl:otherwise>odd</xsl:otherwise>
</xsl:choose>
</xsl:variable>
<tr class="{$css-class14}">
<td>
<xsl:value-of select="id"/>
</td>
<td>
<xsl:value-of select="name"/>
</td>
<td>
<xsl:value-of select="references"/>
</td>
<td>
<xsl:value-of select="total"/>
</td>
<td>
<xsl:value-of select="inuse"/>
</td>
<td>
<xsl:value-of select="maxinuse"/>
</td>
<td>
<xsl:value-of select="blocksize"/>
</td>
<td>
<xsl:value-of select="pools"/>
</td>
<td>
<xsl:value-of select="hiwater"/>
</td>
<td>
<xsl:value-of select="lowater"/>
</td>
</tr>
</xsl:for-each>
</table>
<hr/>
<p class="footer">Internet Systems Consortium Inc.<br/><a href="http://www.isc.org">http://www.isc.org</a></p>
</body>
</html>
</xsl:template>
</xsl:stylesheet>

740
contrib/bind9/bin/named/bind9.ver3.xsl.h
View file

@ -1,740 +0,0 @@
/*
* Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp
* From <!-- %Id: bind9.xsl 1.21 2009/01/27 23:47:54 tbox Exp %
*/
static char xslmsg[] =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
"<!--\n"
" - Copyright (C) 2006-2009 Internet Systems Consortium, Inc. (\"ISC\")\n"
" -\n"
" - Permission to use, copy, modify, and/or distribute this software for any\n"
" - purpose with or without fee is hereby granted, provided that the above\n"
" - copyright notice and this permission notice appear in all copies.\n"
" -\n"
" - THE SOFTWARE IS PROVIDED \"AS IS\" AND ISC DISCLAIMS ALL WARRANTIES WITH\n"
" - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY\n"
" - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,\n"
" - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM\n"
" - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE\n"
" - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR\n"
" - PERFORMANCE OF THIS SOFTWARE.\n"
"-->\n"
"<!-- \045Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp \045 -->\n"
"<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
" <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
" <xsl:template match=\"statistics[@version=&quot;3.0&quot;]\">\n"
" <html>\n"
" <head>\n"
" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
" <!-- Non Mozilla specific markup -->\n"
" <script type=\"text/javascript\" src=\"https://www.google.com/jsapi\"/>\n"
" <script type=\"text/javascript\">\n"
" \n"
" google.load(\"visualization\", \"1\", {packages:[\"corechart\"]});\n"
" google.setOnLoadCallback(loadGraphs);\n"
"\n"
" var graphs=[];\n"
" \n"
" function drawChart(chart_title,target,data) {\n"
" var data = google.visualization.arrayToDataTable(data);\n"
"\n"
" var options = {\n"
" title: chart_title\n"
" };\n"
" \n"
" var chart = new google.visualization.BarChart(document.getElementById(target));\n"
" chart.draw(data, options);\n"
" }\n"
" \n"
" function loadGraphs(){\n"
" //alert(\"here we are!\");\n"
" var g;\n"
" \n"
" // Server Incoming query Types\n"
" while(g = graphs.shift()){\n"
" // alert(\"going for: \" + g.target);\n"
" if(g.data.length > 1){\n"
" drawChart(g.title,g.target,g.data);\n"
" }\n"
" }\n"
" }\n"
" \n"
" // Server Incoming Queries Types \n"
" graphs.push({\n"
" 'title' : \"Server Incoming Query Types\",\n"
" 'target': 'chart_incoming_qtypes',\n"
" 'data': [['Type','Counter'],<xsl:for-each select=\"server/counters[@type=&quot;qtype&quot;]/counter\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
" });\n"
"\n"
"\n"
" // Server Incoming Requests \n"
" graphs.push({\n"
" 'title' : \"Server Incoming Requests\",\n"
" 'target': 'chart_incoming_requests',\n"
" 'data': [['Requests','Counter'],<xsl:for-each select=\"server/counters[@type=&quot;opcode&quot;]/counter\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]});\n"
" \n"
" \n"
" \n"
" \n"
" </script>\n"
" </xsl:if>\n"
" <style type=\"text/css\">\n"
" body {\n"
" font-family: sans-serif;\n"
" background-color: #ffffff;\n"
" color: #000000;\n"
" font-size: 10pt;\n"
" }\n"
" \n"
" .odd{\n"
" background-color: #f0f0f0;\n"
" }\n"
" \n"
" .even{\n"
" background-color: #ffffff;\n"
" }\n"
" \n"
" p.footer{\n"
" font-style:italic;\n"
" color: grey;\n"
" }\n"
"\n"
" table {\n"
" border-collapse: collapse;\n"
" border: 1px solid grey;\n"
" }\n"
"\n"
" table.counters{\n"
" border: 1px solid grey;\n"
" width: 500px;\n"
" }\n"
" \n"
" table.counters th {\n"
" text-align: center;\n"
" border: 1px solid grey;\n"
" width: 120px;\n"
" }\n"
" table.counters td{\n"
" text-align:center;\n"
" \n"
" }\n"
" \n"
" table.counters tr:hover{\n"
" background-color: #99ddff;\n"
" }\n"
" \n"
" .totals {\n"
" background-color: rgb(1,169,206);\n"
" color: #ffffff;\n"
" }\n"
"\n"
" td, th {\n"
" padding-right: 5px;\n"
" padding-left: 5px;\n"
" border: 1px solid grey;\n"
" }\n"
"\n"
" .header h1 {\n"
" color: rgb(1,169,206);\n"
" padding: 0px;\n"
" }\n"
"\n"
" .content {\n"
" background-color: #ffffff;\n"
" color: #000000;\n"
" padding: 4px;\n"
" }\n"
"\n"
" .item {\n"
" padding: 4px;\n"
" text-align: right;\n"
" }\n"
"\n"
" .value {\n"
" padding: 4px;\n"
" font-weight: bold;\n"
" }\n"
"\n"
"\n"
" h2 {\n"
" color: grey;\n"
" font-size: 14pt;\n"
" width:500px;\n"
" text-align:center;\n"
" }\n"
" \n"
" h3 {\n"
" color: #444444;\n"
" font-size: 12pt;\n"
" width:500px;\n"
" text-align:center;\n"
" \n"
" }\n"
" h4 {\n"
" color: rgb(1,169,206);\n"
" font-size: 10pt;\n"
" width:500px;\n"
" text-align:center;\n"
" \n"
" }\n"
"\n"
" .pie {\n"
" width:500px;\n"
" height: 500px;\n"
" }\n"
"\n"
" </style>\n"
" <title>ISC BIND 9 Statistics</title>\n"
" </head>\n"
" <body>\n"
" <div class=\"header\">\n"
" <h1>ISC Bind 9 Configuration and Statistics</h1>\n"
" </div>\n"
" <hr/>\n"
" <h2>Server Times</h2>\n"
" <table class=\"counters\">\n"
" <tr>\n"
" <th>Boot time:</th>\n"
" <td>\n"
" <xsl:value-of select=\"server/boot-time\"/>\n"
" </td>\n"
" </tr>\n"
" <tr>\n"
" <th>Sample time:</th>\n"
" <td>\n"
" <xsl:value-of select=\"server/current-time\"/>\n"
" </td>\n"
" </tr>\n"
" </table>\n"
" <br/>\n"
" <h2>Incoming Requests</h2>\n"
" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
" <!-- Non Mozilla specific markup -->\n"
" <div class=\"pie\" id=\"chart_incoming_requests\">[graph incoming requests]</div>\n"
" </xsl:if>\n"
" <table class=\"counters\">\n"
" <xsl:for-each select=\"server/counters[@type=&quot;opcode&quot;]/counter\">\n"
" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
" <tr>\n"
" <th>\n"
" <xsl:value-of select=\"@name\"/>\n"
" </th>\n"
" <td>\n"
" <xsl:value-of select=\".\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" <tr>\n"
" <th class=\"totals\">Total:</th>\n"
" <td class=\"totals\">\n"
" <xsl:value-of select=\"sum(server/counters[@type=&quot;opcode&quot;]/counter)\"/>\n"
" </td>\n"
" </tr>\n"
" </table>\n"
" <br/>\n"
" <h3>Incoming Queries by Type</h3>\n"
" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
" <!-- Non Mozilla specific markup -->\n"
" <div class=\"pie\" id=\"chart_incoming_qtypes\">[graph incoming qtypes]</div>\n"
" </xsl:if>\n"
" <table class=\"counters\">\n"
" <xsl:for-each select=\"server/counters[@type=&quot;qtype&quot;]/counter\">\n"
" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
" <xsl:variable name=\"css-class\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class}\">\n"
" <th>\n"
" <xsl:value-of select=\"@name\"/>\n"
" </th>\n"
" <td>\n"
" <xsl:value-of select=\".\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" <tr>\n"
" <th class=\"totals\">Total:</th>\n"
" <td class=\"totals\">\n"
" <xsl:value-of select=\"sum(server/counters[@type=&quot;qtype&quot;]/counter)\"/>\n"
" </td>\n"
" </tr>\n"
" </table>\n"
" <br/>\n"
" <h2>Outgoing Queries per view</h2>\n"
" <xsl:for-each select=\"views/view[count(counters[@type=&quot;resqtype&quot;]/counter) &gt; 0]\">\n"
" <h3>View <xsl:value-of select=\"@name\"/></h3>\n"
" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
" <!-- Non Mozilla specific markup -->\n"
" <script type=\"text/javascript\">\n"
" graphs.push({\n"
" 'title': \"Outgoing queries for view: <xsl:value-of select=\"@name\"/>\",\n"
" 'target': 'chart_outgoing_queries_view_<xsl:value-of select=\"@name\"/>',\n"
" 'data': [['Type','Counter'],<xsl:for-each select=\"counters[@type=&quot;resqtype&quot;]/counter\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
" });\n"
" \n"
" </script>\n"
" <xsl:variable name=\"target\">\n"
" <xsl:value-of select=\"@name\"/>\n"
" </xsl:variable>\n"
" <div class=\"pie\" id=\"chart_outgoing_queries_view_{$target}\"/>\n"
" </xsl:if>\n"
" <table class=\"counters\">\n"
" <xsl:for-each select=\"counters[@type=&quot;resqtype&quot;]/counter\">\n"
" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
" <xsl:variable name=\"css-class1\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class1}\">\n"
" <th>\n"
" <xsl:value-of select=\"@name\"/>\n"
" </th>\n"
" <td>\n"
" <xsl:value-of select=\".\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br/>\n"
" </xsl:for-each>\n"
" <h2>Server Statistics</h2>\n"
" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
" <!-- Non Mozilla specific markup -->\n"
" <script type=\"text/javascript\">\n"
" graphs.push({\n"
" 'title' : \"Server Response Types\",\n"
" 'target': 'chart_server_nsstat_restype',\n"
" 'data': [['Type','Counter'],<xsl:for-each select=\"server/counters[@type=&quot;nsstat&quot;]/counter[.&gt;0]\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
" });\n"
" \n"
" </script>\n"
" <div class=\"pie\" id=\"chart_server_nsstat_restype\"/>\n"
" </xsl:if>\n"
" <table class=\"counters\">\n"
" <xsl:for-each select=\"server/counters[@type=&quot;nsstat&quot;]/counter[.&gt;0]\">\n"
" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
" <xsl:variable name=\"css-class2\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class2}\">\n"
" <th>\n"
" <xsl:value-of select=\"@name\"/>\n"
" </th>\n"
" <td>\n"
" <xsl:value-of select=\".\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br/>\n"
" <h2>Zone Maintenance Statistics</h2>\n"
" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
" <script type=\"text/javascript\">\n"
" graphs.push({\n"
" 'title' : \"Zone Maintenance Stats\",\n"
" 'target': 'chart_server_zone_maint',\n"
" 'data': [['Type','Counter'],<xsl:for-each select=\"server/counters[@type=&quot;zonestat&quot;]/counter\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
" });\n"
"\n"
" </script>\n"
" <!-- Non Mozilla specific markup -->\n"
" <div class=\"pie\" id=\"chart_server_zone_maint\"/>\n"
" </xsl:if>\n"
" <table class=\"counters\">\n"
" <xsl:for-each select=\"server/counters[@type=&quot;zonestat&quot;]/counter\">\n"
" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
" <xsl:variable name=\"css-class3\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class3}\">\n"
" <th>\n"
" <xsl:value-of select=\"@name\"/>\n"
" </th>\n"
" <td>\n"
" <xsl:value-of select=\".\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <h2>Resolver Statistics (Common)</h2>\n"
" <table class=\"counters\">\n"
" <xsl:for-each select=\"server/counters[@type=&quot;restat&quot;]/counter\">\n"
" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
" <xsl:variable name=\"css-class4\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class4}\">\n"
" <th>\n"
" <xsl:value-of select=\"@name\"/>\n"
" </th>\n"
" <td>\n"
" <xsl:value-of select=\".\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <xsl:for-each select=\"views/view\">\n"
" <h3>Resolver Statistics for View <xsl:value-of select=\"@name\"/></h3>\n"
" <table class=\"counters\">\n"
" <xsl:for-each select=\"counters[@type=&quot;resstats&quot;]/counter[.&gt;0]\">\n"
" <xsl:sort select=\".\" data-type=\"number\" order=\"descending\"/>\n"
" <xsl:variable name=\"css-class5\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class5}\">\n"
" <th>\n"
" <xsl:value-of select=\"@name\"/>\n"
" </th>\n"
" <td>\n"
" <xsl:value-of select=\".\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" </xsl:for-each>\n"
" <h3>Cache DB RRsets for View <xsl:value-of select=\"@name\"/></h3>\n"
" <xsl:for-each select=\"views/view\">\n"
" <table class=\"counters\">\n"
" <xsl:for-each select=\"cache/rrset\">\n"
" <xsl:variable name=\"css-class6\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class6}\">\n"
" <th>\n"
" <xsl:value-of select=\"name\"/>\n"
" </th>\n"
" <td>\n"
" <xsl:value-of select=\"counter\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br/>\n"
" </xsl:for-each>\n"
" <h2>Socket I/O Statistics</h2>\n"
" <table class=\"counters\">\n"
" <xsl:for-each select=\"server/counters[@type=&quot;sockstat&quot;]/counter[.&gt;0]\">\n"
" <xsl:variable name=\"css-class7\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class7}\">\n"
" <th>\n"
" <xsl:value-of select=\"@name\"/>\n"
" </th>\n"
" <td>\n"
" <xsl:value-of select=\".\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br/>\n"
" <br/>\n"
" <h2>Response Codes per view/zone</h2>\n"
" <xsl:for-each select=\"views/view[zones/zone/counters[@type=&quot;rcode&quot;]/counter &gt;0]\">\n"
" <h3>View <xsl:value-of select=\"@name\"/></h3>\n"
" <xsl:variable name=\"thisview\">\n"
" <xsl:value-of select=\"@name\"/>\n"
" </xsl:variable>\n"
" <xsl:for-each select=\"zones/zone\">\n"
" <xsl:if test=\"counters[@type=&quot;rcode&quot;]/counter[. &gt; 0]\">\n"
" <h4>Zone <xsl:value-of select=\"@name\"/></h4>\n"
" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
" <!-- Non Mozilla specific markup -->\n"
" <script type=\"text/javascript\">\n"
" graphs.push({\n"
" 'title': \"Response Codes for zone <xsl:value-of select=\"@name\"/>\",\n"
" 'target': 'chart_rescode_<xsl:value-of select=\"../../@name\"/>_<xsl:value-of select=\"@name\"/>',\n"
" 'data': [['Type','Counter'],<xsl:for-each select=\"counters[@type=&quot;rcode&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
" });\n"
"\n"
" </script>\n"
" <xsl:variable name=\"target\">\n"
" <xsl:value-of select=\"@name\"/>\n"
" </xsl:variable>\n"
" <div class=\"pie\" id=\"chart_rescode_{$thisview}_{$target}\"/>\n"
" </xsl:if>\n"
" <table class=\"counters\">\n"
" <xsl:for-each select=\"counters[@type=&quot;rcode&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]\">\n"
" <xsl:sort select=\".\"/>\n"
" <xsl:variable name=\"css-class10\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class10}\">\n"
" <th>\n"
" <xsl:value-of select=\"@name\"/>\n"
" </th>\n"
" <td>\n"
" <xsl:value-of select=\".\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" </xsl:if>\n"
" </xsl:for-each>\n"
" </xsl:for-each>\n"
" <h2>Received QTYPES per view/zone</h2>\n"
" <xsl:for-each select=\"views/view[zones/zone/counters[@type=&quot;qtype&quot;]/counter &gt;0]\">\n"
" <h3>View <xsl:value-of select=\"@name\"/></h3>\n"
" <xsl:variable name=\"thisview2\">\n"
" <xsl:value-of select=\"@name\"/>\n"
" </xsl:variable>\n"
" <xsl:for-each select=\"zones/zone\">\n"
" <xsl:if test=\"counters[@type=&quot;qtype&quot;]/counter[count(.) &gt; 0]\">\n"
" <h4>Zone <xsl:value-of select=\"@name\"/></h4>\n"
" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"
" <!-- Non Mozilla specific markup -->\n"
" <script type=\"text/javascript\">\n"
" graphs.push({\n"
" 'title': \"Query Types for zone <xsl:value-of select=\"@name\"/>\",\n"
" 'target': 'chart_qtype_<xsl:value-of select=\"../../@name\"/>_<xsl:value-of select=\"@name\"/>',\n"
" 'data': [['Type','Counter'],<xsl:for-each select=\"counters[@type=&quot;qtype&quot;]/counter[.&gt;0 and @name != &quot;QryAuthAns&quot;]\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"
" });\n"
"\n"
" </script>\n"
" <xsl:variable name=\"target\">\n"
" <xsl:value-of select=\"@name\"/>\n"
" </xsl:variable>\n"
" <div class=\"pie\" id=\"chart_qtype_{$thisview2}_{$target}\"/>\n"
" </xsl:if>\n"
" <table class=\"counters\">\n"
" <xsl:for-each select=\"counters[@type=&quot;qtype&quot;]/counter\">\n"
" <xsl:sort select=\".\"/>\n"
" <xsl:variable name=\"css-class11\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class11}\">\n"
" <th>\n"
" <xsl:value-of select=\"@name\"/>\n"
" </th>\n"
" <td>\n"
" <xsl:value-of select=\".\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" </xsl:if>\n"
" </xsl:for-each>\n"
" </xsl:for-each>\n"
" <h2>Network Status</h2>\n"
" <table class=\"counters\">\n"
" <tr>\n"
" <th>ID</th>\n"
" <th>Name</th>\n"
" <th>Type</th>\n"
" <th>References</th>\n"
" <th>LocalAddress</th>\n"
" <th>PeerAddress</th>\n"
" <th>State</th>\n"
" </tr>\n"
" <xsl:for-each select=\"socketmgr/sockets/socket\">\n"
" <xsl:sort select=\"id\"/>\n"
" <xsl:variable name=\"css-class12\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class12}\">\n"
" <td>\n"
" <xsl:value-of select=\"id\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"name\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"type\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"references\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"local-address\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"peer-address\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:for-each select=\"states\">\n"
" <xsl:value-of select=\".\"/>\n"
" </xsl:for-each>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br/>\n"
" <h2>Task Manager Configuration</h2>\n"
" <table class=\"counters\">\n"
" <tr>\n"
" <th class=\"even\">Thread-Model</th>\n"
" <td>\n"
" <xsl:value-of select=\"taskmgr/thread-model/type\"/>\n"
" </td>\n"
" </tr>\n"
" <tr class=\"odd\">\n"
" <th>Worker Threads</th>\n"
" <td>\n"
" <xsl:value-of select=\"taskmgr/thread-model/worker-threads\"/>\n"
" </td>\n"
" </tr>\n"
" <tr class=\"even\">\n"
" <th>Default Quantum</th>\n"
" <td>\n"
" <xsl:value-of select=\"taskmgr/thread-model/default-quantum\"/>\n"
" </td>\n"
" </tr>\n"
" <tr class=\"odd\">\n"
" <th>Tasks Running</th>\n"
" <td>\n"
" <xsl:value-of select=\"taskmgr/thread-model/tasks-running\"/>\n"
" </td>\n"
" </tr>\n"
" </table>\n"
" <br/>\n"
" <h2>Tasks</h2>\n"
" <table class=\"counters\">\n"
" <tr>\n"
" <th>ID</th>\n"
" <th>Name</th>\n"
" <th>References</th>\n"
" <th>State</th>\n"
" <th>Quantum</th>\n"
" </tr>\n"
" <xsl:for-each select=\"taskmgr/tasks/task\">\n"
" <xsl:sort select=\"name\"/>\n"
" <xsl:variable name=\"css-class14\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class14}\">\n"
" <td>\n"
" <xsl:value-of select=\"id\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"name\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"references\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"state\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"quantum\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br/>\n"
" <h2>Memory Usage Summary</h2>\n"
" <table class=\"counters\">\n"
" <xsl:for-each select=\"memory/summary/*\">\n"
" <xsl:variable name=\"css-class13\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class13}\">\n"
" <th>\n"
" <xsl:value-of select=\"name()\"/>\n"
" </th>\n"
" <td>\n"
" <xsl:value-of select=\".\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br/>\n"
" <h2>Memory Contexts</h2>\n"
" <table class=\"counters\">\n"
" <tr>\n"
" <th>ID</th>\n"
" <th>Name</th>\n"
" <th>References</th>\n"
" <th>TotalUse</th>\n"
" <th>InUse</th>\n"
" <th>MaxUse</th>\n"
" <th>BlockSize</th>\n"
" <th>Pools</th>\n"
" <th>HiWater</th>\n"
" <th>LoWater</th>\n"
" </tr>\n"
" <xsl:for-each select=\"memory/contexts/context\">\n"
" <xsl:sort select=\"total\" data-type=\"number\" order=\"descending\"/>\n"
" <xsl:variable name=\"css-class14\">\n"
" <xsl:choose>\n"
" <xsl:when test=\"position() mod 2 = 0\">even</xsl:when>\n"
" <xsl:otherwise>odd</xsl:otherwise>\n"
" </xsl:choose>\n"
" </xsl:variable>\n"
" <tr class=\"{$css-class14}\">\n"
" <td>\n"
" <xsl:value-of select=\"id\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"name\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"references\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"total\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"inuse\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"maxinuse\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"blocksize\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"pools\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"hiwater\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"lowater\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <hr/>\n"
" <p class=\"footer\">Internet Systems Consortium Inc.<br/><a href=\"http://www.isc.org\">http://www.isc.org</a></p>\n"
" </body>\n"
" </html>\n"
" </xsl:template>\n"
"</xsl:stylesheet>\n";

492
contrib/bind9/bin/named/bind9.xsl
View file

@ -1,492 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
- Copyright (C) 2006-2009 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp $ -->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns="http://www.w3.org/1999/xhtml">
<xsl:template match="isc/bind/statistics">
<html>
<head>
<style type="text/css">
body {
font-family: sans-serif;
background-color: #ffffff;
color: #000000;
}
table {
border-collapse: collapse;
}
tr.rowh {
text-align: center;
border: 1px solid #000000;
background-color: #8080ff;
color: #ffffff;
}
tr.row {
text-align: right;
border: 1px solid #000000;
background-color: teal;
color: #ffffff;
}
tr.lrow {
text-align: left;
border: 1px solid #000000;
background-color: teal;
color: #ffffff;
}
td, th {
padding-right: 5px;
padding-left: 5px;
}
.header h1 {
background-color: teal;
color: #ffffff;
padding: 4px;
}
.content {
background-color: #ffffff;
color: #000000;
padding: 4px;
}
.item {
padding: 4px;
align: right;
}
.value {
padding: 4px;
font-weight: bold;
}
div.statcounter h2 {
text-align: center;
font-size: large;
border: 1px solid #000000;
background-color: #8080ff;
color: #ffffff;
}
div.statcounter dl {
float: left;
margin-top: 0;
margin-bottom: 0;
margin-left: 0;
margin-right: 0;
}
div.statcounter dt {
width: 200px;
text-align: center;
font-weight: bold;
border: 0.5px solid #000000;
background-color: #8080ff;
color: #ffffff;
}
div.statcounter dd {
width: 200px;
text-align: right;
border: 0.5px solid #000000;
background-color: teal;
color: #ffffff;
margin-left: 0;
margin-right: 0;
}
div.statcounter br {
clear: left;
}
</style>
<title>BIND 9 Statistics</title>
</head>
<body>
<div class="header">
<h1>Bind 9 Configuration and Statistics</h1>
</div>
<br/>
<table>
<tr class="rowh"><th colspan="2">Times</th></tr>
<tr class="lrow">
<td>boot-time</td>
<td><xsl:value-of select="server/boot-time"/></td>
</tr>
<tr class="lrow">
<td>current-time</td>
<td><xsl:value-of select="server/current-time"/></td>
</tr>
</table>
<br/>
<table>
<tr class="rowh"><th colspan="2">Incoming Requests</th></tr>
<xsl:for-each select="server/requests/opcode">
<tr class="lrow">
<td><xsl:value-of select="name"/></td>
<td><xsl:value-of select="counter"/></td>
</tr>
</xsl:for-each>
</table>
<br/>
<table>
<tr class="rowh"><th colspan="2">Incoming Queries</th></tr>
<xsl:for-each select="server/queries-in/rdtype">
<tr class="lrow">
<td><xsl:value-of select="name"/></td>
<td><xsl:value-of select="counter"/></td>
</tr>
</xsl:for-each>
</table>
<br/>
<xsl:for-each select="views/view">
<table>
<tr class="rowh">
<th colspan="2">Outgoing Queries from View <xsl:value-of select="name"/></th>
</tr>
<xsl:for-each select="rdtype">
<tr class="lrow">
<td><xsl:value-of select="name"/></td>
<td><xsl:value-of select="counter"/></td>
</tr>
</xsl:for-each>
</table>
<br/>
</xsl:for-each>
<br/>
<div class="statcounter">
<h2>Server Statistics</h2>
<xsl:for-each select="server/nsstat">
<dl>
<dt><xsl:value-of select="name"/></dt>
<dd><xsl:value-of select="counter"/></dd>
</dl>
</xsl:for-each>
<br/>
</div>
<div class="statcounter">
<h2>Zone Maintenance Statistics</h2>
<xsl:for-each select="server/zonestat">
<dl>
<dt><xsl:value-of select="name"/></dt>
<dd><xsl:value-of select="counter"/></dd>
</dl>
</xsl:for-each>
<br />
</div>
<div class="statcounter">
<h2>Resolver Statistics (Common)</h2>
<xsl:for-each select="server/resstat">
<dl>
<dt><xsl:value-of select="name"/></dt>
<dd><xsl:value-of select="counter"/></dd>
</dl>
</xsl:for-each>
<br />
</div>
<xsl:for-each select="views/view">
<div class="statcounter">
<h2>Resolver Statistics for View <xsl:value-of select="name"/></h2>
<xsl:for-each select="resstat">
<dl>
<dt><xsl:value-of select="name"/></dt>
<dd><xsl:value-of select="counter"/></dd>
</dl>
</xsl:for-each>
<br />
</div>
</xsl:for-each>
<br />
<xsl:for-each select="views/view">
<table>
<tr class="rowh">
<th colspan="2">Cache DB RRsets for View <xsl:value-of select="name"/></th>
</tr>
<xsl:for-each select="cache/rrset">
<tr class="lrow">
<td><xsl:value-of select="name"/></td>
<td><xsl:value-of select="counter"/></td>
</tr>
</xsl:for-each>
</table>
<br/>
</xsl:for-each>
<div class="statcounter">
<h2>Socket I/O Statistics</h2>
<xsl:for-each select="server/sockstat">
<dl>
<dt><xsl:value-of select="name"/></dt>
<dd><xsl:value-of select="counter"/></dd>
</dl>
</xsl:for-each>
<br/>
</div>
<br/>
<xsl:for-each select="views/view">
<table>
<tr class="rowh">
<th colspan="10">Zones for View <xsl:value-of select="name"/></th>
</tr>
<tr class="rowh">
<th>Name</th>
<th>Class</th>
<th>Serial</th>
<th>Success</th>
<th>Referral</th>
<th>NXRRSET</th>
<th>NXDOMAIN</th>
<th>Failure</th>
<th>XfrReqDone</th>
<th>XfrRej</th>
</tr>
<xsl:for-each select="zones/zone">
<tr class="lrow">
<td>
<xsl:value-of select="name"/>
</td>
<td>
<xsl:value-of select="rdataclass"/>
</td>
<td>
<xsl:value-of select="serial"/>
</td>
<td>
<xsl:value-of select="counters/QrySuccess"/>
</td>
<td>
<xsl:value-of select="counters/QryReferral"/>
</td>
<td>
<xsl:value-of select="counters/QryNxrrset"/>
</td>
<td>
<xsl:value-of select="counters/QryNXDOMAIN"/>
</td>
<td>
<xsl:value-of select="counters/QryFailure"/>
</td>
<td>
<xsl:value-of select="counters/XfrReqDone"/>
</td>
<td>
<xsl:value-of select="counters/XfrRej"/>
</td>
</tr>
</xsl:for-each>
</table>
<br/>
</xsl:for-each>
<br/>
<table>
<tr class="rowh">
<th colspan="7">Network Status</th>
</tr>
<tr class="rowh">
<th>ID</th>
<th>Name</th>
<th>Type</th>
<th>References</th>
<th>LocalAddress</th>
<th>PeerAddress</th>
<th>State</th>
</tr>
<xsl:for-each select="socketmgr/sockets/socket">
<tr class="lrow">
<td>
<xsl:value-of select="id"/>
</td>
<td>
<xsl:value-of select="name"/>
</td>
<td>
<xsl:value-of select="type"/>
</td>
<td>
<xsl:value-of select="references"/>
</td>
<td>
<xsl:value-of select="local-address"/>
</td>
<td>
<xsl:value-of select="peer-address"/>
</td>
<td>
<xsl:for-each select="states">
<xsl:value-of select="."/>
</xsl:for-each>
</td>
</tr>
</xsl:for-each>
</table>
<br/>
<table>
<tr class="rowh">
<th colspan="2">Task Manager Configuration</th>
</tr>
<tr class="lrow">
<td>Thread-Model</td>
<td>
<xsl:value-of select="taskmgr/thread-model/type"/>
</td>
</tr>
<tr class="lrow">
<td>Worker Threads</td>
<td>
<xsl:value-of select="taskmgr/thread-model/worker-threads"/>
</td>
</tr>
<tr class="lrow">
<td>Default Quantum</td>
<td>
<xsl:value-of select="taskmgr/thread-model/default-quantum"/>
</td>
</tr>
<tr class="lrow">
<td>Tasks Running</td>
<td>
<xsl:value-of select="taskmgr/thread-model/tasks-running"/>
</td>
</tr>
</table>
<br/>
<table>
<tr class="rowh">
<th colspan="5">Tasks</th>
</tr>
<tr class="rowh">
<th>ID</th>
<th>Name</th>
<th>References</th>
<th>State</th>
<th>Quantum</th>
</tr>
<xsl:for-each select="taskmgr/tasks/task">
<tr class="lrow">
<td>
<xsl:value-of select="id"/>
</td>
<td>
<xsl:value-of select="name"/>
</td>
<td>
<xsl:value-of select="references"/>
</td>
<td>
<xsl:value-of select="state"/>
</td>
<td>
<xsl:value-of select="quantum"/>
</td>
</tr>
</xsl:for-each>
</table>
<br />
<table>
<tr class="rowh">
<th colspan="4">Memory Usage Summary</th>
</tr>
<xsl:for-each select="memory/summary/*">
<tr class="lrow">
<td><xsl:value-of select="name()"/></td>
<td><xsl:value-of select="."/></td>
</tr>
</xsl:for-each>
</table>
<br />
<table>
<tr class="rowh">
<th colspan="10">Memory Contexts</th>
</tr>
<tr class="rowh">
<th>ID</th>
<th>Name</th>
<th>References</th>
<th>TotalUse</th>
<th>InUse</th>
<th>MaxUse</th>
<th>BlockSize</th>
<th>Pools</th>
<th>HiWater</th>
<th>LoWater</th>
</tr>
<xsl:for-each select="memory/contexts/context">
<tr class="lrow">
<td>
<xsl:value-of select="id"/>
</td>
<td>
<xsl:value-of select="name"/>
</td>
<td>
<xsl:value-of select="references"/>
</td>
<td>
<xsl:value-of select="total"/>
</td>
<td>
<xsl:value-of select="inuse"/>
</td>
<td>
<xsl:value-of select="maxinuse"/>
</td>
<td>
<xsl:value-of select="blocksize"/>
</td>
<td>
<xsl:value-of select="pools"/>
</td>
<td>
<xsl:value-of select="hiwater"/>
</td>
<td>
<xsl:value-of select="lowater"/>
</td>
</tr>
</xsl:for-each>
</table>
</body>
</html>
</xsl:template>
</xsl:stylesheet>

497
contrib/bind9/bin/named/bind9.xsl.h
View file

@ -1,497 +0,0 @@
/*
* Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp
* From bind9.xsl 1.21 2009/01/27 23:47:54 tbox Exp
*/
static char xslmsg[] =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
"<!--\n"
" - Copyright (C) 2006-2009 Internet Systems Consortium, Inc. (\"ISC\")\n"
" -\n"
" - Permission to use, copy, modify, and/or distribute this software for any\n"
" - purpose with or without fee is hereby granted, provided that the above\n"
" - copyright notice and this permission notice appear in all copies.\n"
" -\n"
" - THE SOFTWARE IS PROVIDED \"AS IS\" AND ISC DISCLAIMS ALL WARRANTIES WITH\n"
" - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY\n"
" - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,\n"
" - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM\n"
" - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE\n"
" - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR\n"
" - PERFORMANCE OF THIS SOFTWARE.\n"
"-->\n"
"\n"
"<!-- \045Id: bind9.xsl,v 1.21 2009/01/27 23:47:54 tbox Exp \045 -->\n"
"\n"
"<xsl:stylesheet version=\"1.0\"\n"
" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
" xmlns=\"http://www.w3.org/1999/xhtml\">\n"
" <xsl:template match=\"isc/bind/statistics\">\n"
" <html>\n"
" <head>\n"
" <style type=\"text/css\">\n"
"body {\n"
" font-family: sans-serif;\n"
" background-color: #ffffff;\n"
" color: #000000;\n"
"}\n"
"\n"
"table {\n"
" border-collapse: collapse;\n"
"}\n"
"\n"
"tr.rowh {\n"
" text-align: center;\n"
" border: 1px solid #000000;\n"
" background-color: #8080ff;\n"
" color: #ffffff;\n"
"}\n"
"\n"
"tr.row {\n"
" text-align: right;\n"
" border: 1px solid #000000;\n"
" background-color: teal;\n"
" color: #ffffff;\n"
"}\n"
"\n"
"tr.lrow {\n"
" text-align: left;\n"
" border: 1px solid #000000;\n"
" background-color: teal;\n"
" color: #ffffff;\n"
"}\n"
"\n"
"td, th {\n"
" padding-right: 5px;\n"
" padding-left: 5px;\n"
"}\n"
"\n"
".header h1 {\n"
" background-color: teal;\n"
" color: #ffffff;\n"
" padding: 4px;\n"
"}\n"
"\n"
".content {\n"
" background-color: #ffffff;\n"
" color: #000000;\n"
" padding: 4px;\n"
"}\n"
"\n"
".item {\n"
" padding: 4px;\n"
" align: right;\n"
"}\n"
"\n"
".value {\n"
" padding: 4px;\n"
" font-weight: bold;\n"
"}\n"
"\n"
"div.statcounter h2 {\n"
" text-align: center;\n"
" font-size: large;\n"
" border: 1px solid #000000;\n"
" background-color: #8080ff;\n"
" color: #ffffff;\n"
"}\n"
"\n"
"div.statcounter dl {\n"
" float: left;\n"
" margin-top: 0;\n"
" margin-bottom: 0;\n"
" margin-left: 0;\n"
" margin-right: 0;\n"
"}\n"
"\n"
"div.statcounter dt {\n"
" width: 200px;\n"
" text-align: center;\n"
" font-weight: bold;\n"
" border: 0.5px solid #000000;\n"
" background-color: #8080ff;\n"
" color: #ffffff;\n"
"}\n"
"\n"
"div.statcounter dd {\n"
" width: 200px;\n"
" text-align: right;\n"
" border: 0.5px solid #000000;\n"
" background-color: teal;\n"
" color: #ffffff;\n"
" margin-left: 0;\n"
" margin-right: 0;\n"
"}\n"
"\n"
"div.statcounter br {\n"
" clear: left;\n"
"}\n"
" </style>\n"
" <title>BIND 9 Statistics</title>\n"
" </head>\n"
" <body>\n"
" <div class=\"header\">\n"
" <h1>Bind 9 Configuration and Statistics</h1>\n"
" </div>\n"
"\n"
" <br/>\n"
"\n"
" <table>\n"
" <tr class=\"rowh\"><th colspan=\"2\">Times</th></tr>\n"
" <tr class=\"lrow\">\n"
" <td>boot-time</td>\n"
" <td><xsl:value-of select=\"server/boot-time\"/></td>\n"
" </tr>\n"
" <tr class=\"lrow\">\n"
" <td>current-time</td>\n"
" <td><xsl:value-of select=\"server/current-time\"/></td>\n"
" </tr>\n"
" </table>\n"
"\n"
" <br/>\n"
"\n"
" <table>\n"
" <tr class=\"rowh\"><th colspan=\"2\">Incoming Requests</th></tr>\n"
" <xsl:for-each select=\"server/requests/opcode\">\n"
" <tr class=\"lrow\">\n"
" <td><xsl:value-of select=\"name\"/></td>\n"
" <td><xsl:value-of select=\"counter\"/></td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
"\n"
" <br/>\n"
"\n"
" <table>\n"
" <tr class=\"rowh\"><th colspan=\"2\">Incoming Queries</th></tr>\n"
" <xsl:for-each select=\"server/queries-in/rdtype\">\n"
" <tr class=\"lrow\">\n"
" <td><xsl:value-of select=\"name\"/></td>\n"
" <td><xsl:value-of select=\"counter\"/></td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
"\n"
" <br/>\n"
"\n"
" <xsl:for-each select=\"views/view\">\n"
" <table>\n"
" <tr class=\"rowh\">\n"
" <th colspan=\"2\">Outgoing Queries from View <xsl:value-of select=\"name\"/></th>\n"
" </tr>\n"
" <xsl:for-each select=\"rdtype\">\n"
" <tr class=\"lrow\">\n"
" <td><xsl:value-of select=\"name\"/></td>\n"
" <td><xsl:value-of select=\"counter\"/></td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br/>\n"
" </xsl:for-each>\n"
"\n"
" <br/>\n"
"\n"
" <div class=\"statcounter\">\n"
" <h2>Server Statistics</h2>\n"
" <xsl:for-each select=\"server/nsstat\">\n"
" <dl>\n"
" <dt><xsl:value-of select=\"name\"/></dt>\n"
" <dd><xsl:value-of select=\"counter\"/></dd>\n"
" </dl>\n"
" </xsl:for-each>\n"
" <br/>\n"
" </div>\n"
"\n"
" <div class=\"statcounter\">\n"
" <h2>Zone Maintenance Statistics</h2>\n"
" <xsl:for-each select=\"server/zonestat\">\n"
" <dl>\n"
" <dt><xsl:value-of select=\"name\"/></dt>\n"
" <dd><xsl:value-of select=\"counter\"/></dd>\n"
" </dl>\n"
" </xsl:for-each>\n"
" <br />\n"
" </div>\n"
"\n"
" <div class=\"statcounter\">\n"
" <h2>Resolver Statistics (Common)</h2>\n"
" <xsl:for-each select=\"server/resstat\">\n"
" <dl>\n"
" <dt><xsl:value-of select=\"name\"/></dt>\n"
" <dd><xsl:value-of select=\"counter\"/></dd>\n"
" </dl>\n"
" </xsl:for-each>\n"
" <br />\n"
" </div>\n"
"\n"
" <xsl:for-each select=\"views/view\">\n"
" <div class=\"statcounter\">\n"
" <h2>Resolver Statistics for View <xsl:value-of select=\"name\"/></h2>\n"
" <xsl:for-each select=\"resstat\">\n"
" <dl>\n"
" <dt><xsl:value-of select=\"name\"/></dt>\n"
" <dd><xsl:value-of select=\"counter\"/></dd>\n"
" </dl>\n"
" </xsl:for-each>\n"
" <br />\n"
" </div>\n"
" </xsl:for-each>\n"
"\n"
" <br />\n"
"\n"
" <xsl:for-each select=\"views/view\">\n"
" <table>\n"
" <tr class=\"rowh\">\n"
" <th colspan=\"2\">Cache DB RRsets for View <xsl:value-of select=\"name\"/></th>\n"
" </tr>\n"
" <xsl:for-each select=\"cache/rrset\">\n"
" <tr class=\"lrow\">\n"
" <td><xsl:value-of select=\"name\"/></td>\n"
" <td><xsl:value-of select=\"counter\"/></td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br/>\n"
" </xsl:for-each>\n"
"\n"
" <div class=\"statcounter\">\n"
" <h2>Socket I/O Statistics</h2>\n"
" <xsl:for-each select=\"server/sockstat\">\n"
" <dl>\n"
" <dt><xsl:value-of select=\"name\"/></dt>\n"
" <dd><xsl:value-of select=\"counter\"/></dd>\n"
" </dl>\n"
" </xsl:for-each>\n"
" <br/>\n"
" </div>\n"
"\n"
" <br/>\n"
"\n"
" <xsl:for-each select=\"views/view\">\n"
" <table>\n"
" <tr class=\"rowh\">\n"
" <th colspan=\"10\">Zones for View <xsl:value-of select=\"name\"/></th>\n"
" </tr>\n"
" <tr class=\"rowh\">\n"
" <th>Name</th>\n"
" <th>Class</th>\n"
" <th>Serial</th>\n"
" <th>Success</th>\n"
" <th>Referral</th>\n"
" <th>NXRRSET</th>\n"
" <th>NXDOMAIN</th>\n"
" <th>Failure</th>\n"
" <th>XfrReqDone</th>\n"
" <th>XfrRej</th>\n"
" </tr>\n"
" <xsl:for-each select=\"zones/zone\">\n"
" <tr class=\"lrow\">\n"
" <td>\n"
" <xsl:value-of select=\"name\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"rdataclass\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"serial\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"counters/QrySuccess\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"counters/QryReferral\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"counters/QryNxrrset\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"counters/QryNXDOMAIN\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"counters/QryFailure\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"counters/XfrReqDone\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"counters/XfrRej\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br/>\n"
" </xsl:for-each>\n"
"\n"
" <br/>\n"
"\n"
" <table>\n"
" <tr class=\"rowh\">\n"
" <th colspan=\"7\">Network Status</th>\n"
" </tr>\n"
" <tr class=\"rowh\">\n"
" <th>ID</th>\n"
" <th>Name</th>\n"
" <th>Type</th>\n"
" <th>References</th>\n"
" <th>LocalAddress</th>\n"
" <th>PeerAddress</th>\n"
" <th>State</th>\n"
" </tr>\n"
" <xsl:for-each select=\"socketmgr/sockets/socket\">\n"
" <tr class=\"lrow\">\n"
" <td>\n"
" <xsl:value-of select=\"id\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"name\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"type\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"references\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"local-address\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"peer-address\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:for-each select=\"states\">\n"
" <xsl:value-of select=\".\"/>\n"
" </xsl:for-each>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br/>\n"
" <table>\n"
" <tr class=\"rowh\">\n"
" <th colspan=\"2\">Task Manager Configuration</th>\n"
" </tr>\n"
" <tr class=\"lrow\">\n"
" <td>Thread-Model</td>\n"
" <td>\n"
" <xsl:value-of select=\"taskmgr/thread-model/type\"/>\n"
" </td>\n"
" </tr>\n"
" <tr class=\"lrow\">\n"
" <td>Worker Threads</td>\n"
" <td>\n"
" <xsl:value-of select=\"taskmgr/thread-model/worker-threads\"/>\n"
" </td>\n"
" </tr>\n"
" <tr class=\"lrow\">\n"
" <td>Default Quantum</td>\n"
" <td>\n"
" <xsl:value-of select=\"taskmgr/thread-model/default-quantum\"/>\n"
" </td>\n"
" </tr>\n"
" <tr class=\"lrow\">\n"
" <td>Tasks Running</td>\n"
" <td>\n"
" <xsl:value-of select=\"taskmgr/thread-model/tasks-running\"/>\n"
" </td>\n"
" </tr>\n"
" </table>\n"
" <br/>\n"
" <table>\n"
" <tr class=\"rowh\">\n"
" <th colspan=\"5\">Tasks</th>\n"
" </tr>\n"
" <tr class=\"rowh\">\n"
" <th>ID</th>\n"
" <th>Name</th>\n"
" <th>References</th>\n"
" <th>State</th>\n"
" <th>Quantum</th>\n"
" </tr>\n"
" <xsl:for-each select=\"taskmgr/tasks/task\">\n"
" <tr class=\"lrow\">\n"
" <td>\n"
" <xsl:value-of select=\"id\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"name\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"references\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"state\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"quantum\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br />\n"
" <table>\n"
" <tr class=\"rowh\">\n"
" <th colspan=\"4\">Memory Usage Summary</th>\n"
" </tr>\n"
" <xsl:for-each select=\"memory/summary/*\">\n"
" <tr class=\"lrow\">\n"
" <td><xsl:value-of select=\"name()\"/></td>\n"
" <td><xsl:value-of select=\".\"/></td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
" <br />\n"
" <table>\n"
" <tr class=\"rowh\">\n"
" <th colspan=\"10\">Memory Contexts</th>\n"
" </tr>\n"
" <tr class=\"rowh\">\n"
" <th>ID</th>\n"
" <th>Name</th>\n"
" <th>References</th>\n"
" <th>TotalUse</th>\n"
" <th>InUse</th>\n"
" <th>MaxUse</th>\n"
" <th>BlockSize</th>\n"
" <th>Pools</th>\n"
" <th>HiWater</th>\n"
" <th>LoWater</th>\n"
" </tr>\n"
" <xsl:for-each select=\"memory/contexts/context\">\n"
" <tr class=\"lrow\">\n"
" <td>\n"
" <xsl:value-of select=\"id\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"name\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"references\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"total\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"inuse\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"maxinuse\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"blocksize\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"pools\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"hiwater\"/>\n"
" </td>\n"
" <td>\n"
" <xsl:value-of select=\"lowater\"/>\n"
" </td>\n"
" </tr>\n"
" </xsl:for-each>\n"
" </table>\n"
"\n"
" </body>\n"
" </html>\n"
" </xsl:template>\n"
"</xsl:stylesheet>\n";

576
contrib/bind9/bin/named/builtin.c
View file

@ -1,576 +0,0 @@
/*
* Copyright (C) 2004, 2005, 2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: builtin.c,v 1.26 2012/01/21 19:44:18 each Exp $ */
/*! \file
* \brief
* The built-in "version", "hostname", "id", "authors" and "empty" databases.
*/
#include <config.h>
#include <string.h>
#include <stdio.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/util.h>
#include <dns/result.h>
#include <dns/sdb.h>
#include <named/builtin.h>
#include <named/globals.h>
#include <named/server.h>
#include <named/os.h>
typedef struct builtin builtin_t;
static isc_result_t do_version_lookup(dns_sdblookup_t *lookup);
static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup);
static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup);
static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
static isc_result_t do_empty_lookup(dns_sdblookup_t *lookup);
static isc_result_t do_dns64_lookup(dns_sdblookup_t *lookup);
/*
* We can't use function pointers as the db_data directly
* because ANSI C does not guarantee that function pointers
* can safely be cast to void pointers and back.
*/
struct builtin {
isc_result_t (*do_lookup)(dns_sdblookup_t *lookup);
char *server;
char *contact;
};
static builtin_t version_builtin = { do_version_lookup, NULL, NULL };
static builtin_t hostname_builtin = { do_hostname_lookup, NULL, NULL };
static builtin_t authors_builtin = { do_authors_lookup, NULL, NULL };
static builtin_t id_builtin = { do_id_lookup, NULL, NULL };
static builtin_t empty_builtin = { do_empty_lookup, NULL, NULL };
static builtin_t dns64_builtin = { do_dns64_lookup, NULL, NULL };
static dns_sdbimplementation_t *builtin_impl;
static dns_sdbimplementation_t *dns64_impl;
/*
* Pre computed HEX * 16 or 1 table.
*/
static const unsigned char hex16[256] = {
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*00*/
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*10*/
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*20*/
0, 16, 32, 48, 64, 80, 96,112,128,144, 1, 1, 1, 1, 1, 1, /*30*/
1,160,176,192,208,224,240, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*40*/
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*50*/
1,160,176,192,208,224,240, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*60*/
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*70*/
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*80*/
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*90*/
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*A0*/
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*B0*/
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*C0*/
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*D0*/
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, /*E0*/
1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 /*F0*/
};
const unsigned char decimal[] = "0123456789";
static size_t
dns64_rdata(unsigned char *v, size_t start, unsigned char *rdata) {
size_t i, j = 0;
for (i = 0; i < 4U; i++) {
unsigned char c = v[start++];
if (start == 7U)
start++;
if (c > 99) {
rdata[j++] = 3;
rdata[j++] = decimal[c/100]; c = c % 100;
rdata[j++] = decimal[c/10]; c = c % 10;
rdata[j++] = decimal[c];
} else if (c > 9) {
rdata[j++] = 2;
rdata[j++] = decimal[c/10]; c = c % 10;
rdata[j++] = decimal[c];
} else {
rdata[j++] = 1;
rdata[j++] = decimal[c];
}
}
memcpy(&rdata[j], "\07in-addr\04arpa", 14);
return (j + 14);
}
static isc_result_t
dns64_cname(const dns_name_t *zone, const dns_name_t *name,
dns_sdblookup_t *lookup)
{
size_t zlen, nlen, j, len;
unsigned char v[16], n;
unsigned int i;
unsigned char rdata[sizeof("123.123.123.123.in-addr.arpa.")];
unsigned char *ndata;
/*
* The combined length of the zone and name is 74.
*
* The minimum zone length is 10 ((3)ip6(4)arpa(0)).
*
* The length of name should always be even as we are expecting
* a series of nibbles.
*/
zlen = zone->length;
nlen = name->length;
if ((zlen + nlen) > 74U || zlen < 10U || (nlen % 2) != 0U)
return (ISC_R_NOTFOUND);
/*
* We assume the zone name is well formed.
*/
/*
* XXXMPA We could check the dns64 suffix here if we need to.
*/
/*
* Check that name is a series of nibbles.
* Compute the byte values that correspond to the nibbles as we go.
*
* Shift the final result 4 bits, by setting 'i' to 1, if we if we
* have a odd number of nibbles so that "must be zero" tests below
* are byte aligned and we correctly return ISC_R_NOTFOUND or
* ISC_R_SUCCESS. We will not generate a CNAME in this case.
*/
ndata = name->ndata;
i = (nlen % 4) == 2U ? 1 : 0;
j = nlen;
memset(v, 0, sizeof(v));
while (j != 0U) {
INSIST((i/2) < sizeof(v));
if (ndata[0] != 1)
return (ISC_R_NOTFOUND);
n = hex16[ndata[1]&0xff];
if (n == 1)
return (ISC_R_NOTFOUND);
v[i/2] = n | (v[i/2]>>4);
j -= 2;
ndata += 2;
i++;
}
/*
* If we get here then we know name only consisted of nibbles.
* Now we need to determine if the name exists or not and whether
* it corresponds to a empty node in the zone or there should be
* a CNAME.
*/
#define ZLEN(x) (10 + (x)/2)
switch (zlen) {
case ZLEN(32): /* prefix len 32 */
/*
* The nibbles that map to this byte must be zero for 'name'
* to exist in the zone.
*/
if (nlen > 16U && v[(nlen-1)/4 - 4] != 0)
return (ISC_R_NOTFOUND);
/*
* If the total length is not 74 then this is a empty node
* so return success.
*/
if (nlen + zlen != 74U)
return (ISC_R_SUCCESS);
len = dns64_rdata(v, 8, rdata);
break;
case ZLEN(40): /* prefix len 40 */
/*
* The nibbles that map to this byte must be zero for 'name'
* to exist in the zone.
*/
if (nlen > 12U && v[(nlen-1)/4 - 3] != 0)
return (ISC_R_NOTFOUND);
/*
* If the total length is not 74 then this is a empty node
* so return success.
*/
if (nlen + zlen != 74U)
return (ISC_R_SUCCESS);
len = dns64_rdata(v, 6, rdata);
break;
case ZLEN(48): /* prefix len 48 */
/*
* The nibbles that map to this byte must be zero for 'name'
* to exist in the zone.
*/
if (nlen > 8U && v[(nlen-1)/4 - 2] != 0)
return (ISC_R_NOTFOUND);
/*
* If the total length is not 74 then this is a empty node
* so return success.
*/
if (nlen + zlen != 74U)
return (ISC_R_SUCCESS);
len = dns64_rdata(v, 5, rdata);
break;
case ZLEN(56): /* prefix len 56 */
/*
* The nibbles that map to this byte must be zero for 'name'
* to exist in the zone.
*/
if (nlen > 4U && v[(nlen-1)/4 - 1] != 0)
return (ISC_R_NOTFOUND);
/*
* If the total length is not 74 then this is a empty node
* so return success.
*/
if (nlen + zlen != 74U)
return (ISC_R_SUCCESS);
len = dns64_rdata(v, 4, rdata);
break;
case ZLEN(64): /* prefix len 64 */
/*
* The nibbles that map to this byte must be zero for 'name'
* to exist in the zone.
*/
if (v[(nlen-1)/4] != 0)
return (ISC_R_NOTFOUND);
/*
* If the total length is not 74 then this is a empty node
* so return success.
*/
if (nlen + zlen != 74U)
return (ISC_R_SUCCESS);
len = dns64_rdata(v, 3, rdata);
break;
case ZLEN(96): /* prefix len 96 */
/*
* If the total length is not 74 then this is a empty node
* so return success.
*/
if (nlen + zlen != 74U)
return (ISC_R_SUCCESS);
len = dns64_rdata(v, 0, rdata);
break;
default:
/*
* This should never be reached unless someone adds a
* zone declaration with this internal type to named.conf.
*/
return (ISC_R_NOTFOUND);
}
return (dns_sdb_putrdata(lookup, dns_rdatatype_cname, 600, rdata, len));
}
static isc_result_t
builtin_lookup(const char *zone, const char *name, void *dbdata,
dns_sdblookup_t *lookup, dns_clientinfomethods_t *methods,
dns_clientinfo_t *clientinfo)
{
builtin_t *b = (builtin_t *) dbdata;
UNUSED(zone);
UNUSED(methods);
UNUSED(clientinfo);
if (strcmp(name, "@") == 0)
return (b->do_lookup(lookup));
else
return (ISC_R_NOTFOUND);
}
static isc_result_t
dns64_lookup(const dns_name_t *zone, const dns_name_t *name, void *dbdata,
dns_sdblookup_t *lookup, dns_clientinfomethods_t *methods,
dns_clientinfo_t *clientinfo)
{
builtin_t *b = (builtin_t *) dbdata;
UNUSED(methods);
UNUSED(clientinfo);
if (name->labels == 0 && name->length == 0)
return (b->do_lookup(lookup));
else
return (dns64_cname(zone, name, lookup));
}
static isc_result_t
put_txt(dns_sdblookup_t *lookup, const char *text) {
unsigned char buf[256];
unsigned int len = strlen(text);
if (len > 255)
len = 255; /* Silently truncate */
buf[0] = len;
memcpy(&buf[1], text, len);
return (dns_sdb_putrdata(lookup, dns_rdatatype_txt, 0, buf, len + 1));
}
static isc_result_t
do_version_lookup(dns_sdblookup_t *lookup) {
if (ns_g_server->version_set) {
if (ns_g_server->version == NULL)
return (ISC_R_SUCCESS);
else
return (put_txt(lookup, ns_g_server->version));
} else {
return (put_txt(lookup, ns_g_version));
}
}
static isc_result_t
do_hostname_lookup(dns_sdblookup_t *lookup) {
if (ns_g_server->hostname_set) {
if (ns_g_server->hostname == NULL)
return (ISC_R_SUCCESS);
else
return (put_txt(lookup, ns_g_server->hostname));
} else {
char buf[256];
isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
if (result != ISC_R_SUCCESS)
return (result);
return (put_txt(lookup, buf));
}
}
static isc_result_t
do_authors_lookup(dns_sdblookup_t *lookup) {
isc_result_t result;
const char **p;
static const char *authors[] = {
"Mark Andrews",
"Curtis Blackburn",
"James Brister",
"Ben Cottrell",
"John H. DuBois III",
"Francis Dupont",
"Michael Graff",
"Andreas Gustafsson",
"Bob Halley",
"Evan Hunt",
"JINMEI Tatuya",
"David Lawrence",
"Scott Mann",
"Danny Mayer",
"Damien Neil",
"Matt Nelson",
"Jeremy C. Reed",
"Michael Sawyer",
"Brian Wellington",
NULL
};
/*
* If a version string is specified, disable the authors.bind zone.
*/
if (ns_g_server->version_set)
return (ISC_R_SUCCESS);
for (p = authors; *p != NULL; p++) {
result = put_txt(lookup, *p);
if (result != ISC_R_SUCCESS)
return (result);
}
return (ISC_R_SUCCESS);
}
static isc_result_t
do_id_lookup(dns_sdblookup_t *lookup) {
if (ns_g_server->server_usehostname) {
char buf[256];
isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
if (result != ISC_R_SUCCESS)
return (result);
return (put_txt(lookup, buf));
}
if (ns_g_server->server_id == NULL)
return (ISC_R_SUCCESS);
else
return (put_txt(lookup, ns_g_server->server_id));
}
static isc_result_t
do_dns64_lookup(dns_sdblookup_t *lookup) {
UNUSED(lookup);
return (ISC_R_SUCCESS);
}
static isc_result_t
do_empty_lookup(dns_sdblookup_t *lookup) {
UNUSED(lookup);
return (ISC_R_SUCCESS);
}
static isc_result_t
builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) {
isc_result_t result;
const char *contact = "hostmaster";
const char *server = "@";
builtin_t *b = (builtin_t *) dbdata;
UNUSED(zone);
UNUSED(dbdata);
if (b == &empty_builtin) {
server = ".";
contact = ".";
} else {
if (b->server != NULL)
server = b->server;
if (b->contact != NULL)
contact = b->contact;
}
result = dns_sdb_putsoa(lookup, server, contact, 0);
if (result != ISC_R_SUCCESS)
return (ISC_R_FAILURE);
result = dns_sdb_putrr(lookup, "ns", 0, server);
if (result != ISC_R_SUCCESS)
return (ISC_R_FAILURE);
return (ISC_R_SUCCESS);
}
static isc_result_t
builtin_create(const char *zone, int argc, char **argv,
void *driverdata, void **dbdata)
{
REQUIRE(argc >= 1);
UNUSED(zone);
UNUSED(driverdata);
if (strcmp(argv[0], "empty") == 0 || strcmp(argv[0], "dns64") == 0) {
if (argc != 3)
return (DNS_R_SYNTAX);
} else if (argc != 1)
return (DNS_R_SYNTAX);
if (strcmp(argv[0], "version") == 0)
*dbdata = &version_builtin;
else if (strcmp(argv[0], "hostname") == 0)
*dbdata = &hostname_builtin;
else if (strcmp(argv[0], "authors") == 0)
*dbdata = &authors_builtin;
else if (strcmp(argv[0], "id") == 0)
*dbdata = &id_builtin;
else if (strcmp(argv[0], "empty") == 0 ||
strcmp(argv[0], "dns64") == 0) {
builtin_t *empty;
char *server;
char *contact;
/*
* We don't want built-in zones to fail. Fallback to
* the static configuration if memory allocation fails.
*/
empty = isc_mem_get(ns_g_mctx, sizeof(*empty));
server = isc_mem_strdup(ns_g_mctx, argv[1]);
contact = isc_mem_strdup(ns_g_mctx, argv[2]);
if (empty == NULL || server == NULL || contact == NULL) {
if (strcmp(argv[0], "empty") == 0)
*dbdata = &empty_builtin;
else
*dbdata = &dns64_builtin;
if (server != NULL)
isc_mem_free(ns_g_mctx, server);
if (contact != NULL)
isc_mem_free(ns_g_mctx, contact);
if (empty != NULL)
isc_mem_put(ns_g_mctx, empty, sizeof (*empty));
} else {
if (strcmp(argv[0], "empty") == 0)
memcpy(empty, &empty_builtin,
sizeof (empty_builtin));
else
memcpy(empty, &dns64_builtin,
sizeof (empty_builtin));
empty->server = server;
empty->contact = contact;
*dbdata = empty;
}
} else
return (ISC_R_NOTIMPLEMENTED);
return (ISC_R_SUCCESS);
}
static void
builtin_destroy(const char *zone, void *driverdata, void **dbdata) {
builtin_t *b = (builtin_t *) *dbdata;
UNUSED(zone);
UNUSED(driverdata);
/*
* Don't free the static versions.
*/
if (*dbdata == &version_builtin || *dbdata == &hostname_builtin ||
*dbdata == &authors_builtin || *dbdata == &id_builtin ||
*dbdata == &empty_builtin || *dbdata == &dns64_builtin)
return;
isc_mem_free(ns_g_mctx, b->server);
isc_mem_free(ns_g_mctx, b->contact);
isc_mem_put(ns_g_mctx, b, sizeof (*b));
}
static dns_sdbmethods_t builtin_methods = {
builtin_lookup,
builtin_authority,
NULL, /* allnodes */
builtin_create,
builtin_destroy,
NULL
};
static dns_sdbmethods_t dns64_methods = {
NULL,
builtin_authority,
NULL, /* allnodes */
builtin_create,
builtin_destroy,
dns64_lookup,
};
isc_result_t
ns_builtin_init(void) {
RUNTIME_CHECK(dns_sdb_register("_builtin", &builtin_methods, NULL,
DNS_SDBFLAG_RELATIVEOWNER |
DNS_SDBFLAG_RELATIVERDATA,
ns_g_mctx, &builtin_impl)
== ISC_R_SUCCESS);
RUNTIME_CHECK(dns_sdb_register("_dns64", &dns64_methods, NULL,
DNS_SDBFLAG_RELATIVEOWNER |
DNS_SDBFLAG_RELATIVERDATA |
DNS_SDBFLAG_DNS64,
ns_g_mctx, &dns64_impl)
== ISC_R_SUCCESS);
return (ISC_R_SUCCESS);
}
void
ns_builtin_deinit(void) {
dns_sdb_unregister(&builtin_impl);
dns_sdb_unregister(&dns64_impl);
}

2918
contrib/bind9/bin/named/client.c
View file

File diff suppressed because it is too large Load diff

863
contrib/bind9/bin/named/config.c
View file

@ -1,863 +0,0 @@
/*
* Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.123 2012/01/06 23:46:41 tbox Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <isc/buffer.h>
#include <isc/log.h>
#include <isc/mem.h>
#include <isc/parseint.h>
#include <isc/region.h>
#include <isc/result.h>
#include <isc/sockaddr.h>
#include <isc/string.h>
#include <isc/util.h>
#include <isccfg/namedconf.h>
#include <dns/fixedname.h>
#include <dns/name.h>
#include <dns/rdataclass.h>
#include <dns/rdatatype.h>
#include <dns/tsig.h>
#include <dns/zone.h>
#include <dst/dst.h>
#include <named/config.h>
#include <named/globals.h>
#include "bind.keys.h"
/*% default configuration */
static char defaultconf[] = "\
options {\n\
# blackhole {none;};\n"
#ifndef WIN32
" coresize default;\n\
datasize default;\n\
files unlimited;\n\
stacksize default;\n"
#endif
"# session-keyfile \"" NS_LOCALSTATEDIR "/run/named/session.key\";\n\
session-keyname local-ddns;\n\
session-keyalg hmac-sha256;\n\
deallocate-on-exit true;\n\
# directory <none>\n\
dump-file \"named_dump.db\";\n\
fake-iquery no;\n\
has-old-clients false;\n\
heartbeat-interval 60;\n\
host-statistics no;\n\
interface-interval 60;\n\
listen-on {any;};\n\
listen-on-v6 {none;};\n\
match-mapped-addresses no;\n\
max-rsa-exponent-size 0; /* no limit */\n\
memstatistics-file \"named.memstats\";\n\
multiple-cnames no;\n\
# named-xfer <obsolete>;\n\
# pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
bindkeys-file \"" NS_SYSCONFDIR "/bind.keys\";\n\
port 53;\n\
recursing-file \"named.recursing\";\n\
secroots-file \"named.secroots\";\n\
"
#ifdef PATH_RANDOMDEV
"\
random-device \"" PATH_RANDOMDEV "\";\n\
"
#endif
"\
recursive-clients 1000;\n\
resolver-query-timeout 10;\n\
rrset-order { order random; };\n\
serial-queries 20;\n\
serial-query-rate 20;\n\
server-id none;\n\
statistics-file \"named.stats\";\n\
statistics-interval 60;\n\
tcp-clients 100;\n\
tcp-listen-queue 3;\n\
# tkey-dhkey <none>\n\
# tkey-gssapi-credential <none>\n\
# tkey-domain <none>\n\
transfers-per-ns 2;\n\
transfers-in 10;\n\
transfers-out 10;\n\
treat-cr-as-space true;\n\
use-id-pool true;\n\
use-ixfr true;\n\
edns-udp-size 4096;\n\
max-udp-size 4096;\n\
request-nsid false;\n\
reserved-sockets 512;\n\
\n\
/* DLV */\n\
dnssec-lookaside . trust-anchor dlv.isc.org;\n\
\n\
/* view */\n\
allow-notify {none;};\n\
allow-update-forwarding {none;};\n\
allow-query-cache { localnets; localhost; };\n\
allow-query-cache-on { any; };\n\
allow-recursion { localnets; localhost; };\n\
allow-recursion-on { any; };\n\
# allow-v6-synthesis <obsolete>;\n\
# sortlist <none>\n\
# topology <none>\n\
auth-nxdomain false;\n\
minimal-responses false;\n\
recursion true;\n\
provide-ixfr true;\n\
request-ixfr true;\n\
fetch-glue no;\n\
rfc2308-type1 no;\n\
additional-from-auth true;\n\
additional-from-cache true;\n\
query-source address *;\n\
query-source-v6 address *;\n\
notify-source *;\n\
notify-source-v6 *;\n\
cleaning-interval 0; /* now meaningless */\n\
min-roots 2;\n\
lame-ttl 600;\n\
max-ncache-ttl 10800; /* 3 hours */\n\
max-cache-ttl 604800; /* 1 week */\n\
transfer-format many-answers;\n\
max-cache-size 0;\n\
check-names master fail;\n\
check-names slave warn;\n\
check-names response ignore;\n\
check-dup-records warn;\n\
check-mx warn;\n\
check-spf warn;\n\
acache-enable no;\n\
acache-cleaning-interval 60;\n\
max-acache-size 16M;\n\
dnssec-enable yes;\n\
dnssec-validation yes; \n\
dnssec-accept-expired no;\n\
clients-per-query 10;\n\
max-clients-per-query 100;\n\
zero-no-soa-ttl-cache no;\n\
nsec3-test-zone no;\n\
allow-new-zones no;\n\
"
#ifdef ALLOW_FILTER_AAAA_ON_V4
" filter-aaaa-on-v4 no;\n\
filter-aaaa { any; };\n\
"
#endif
" /* zone */\n\
allow-query {any;};\n\
allow-query-on {any;};\n\
allow-transfer {any;};\n\
notify yes;\n\
# also-notify <none>\n\
notify-delay 5;\n\
notify-to-soa no;\n\
dialup no;\n\
# forward <none>\n\
# forwarders <none>\n\
maintain-ixfr-base no;\n\
# max-ixfr-log-size <obsolete>\n\
transfer-source *;\n\
transfer-source-v6 *;\n\
alt-transfer-source *;\n\
alt-transfer-source-v6 *;\n\
max-transfer-time-in 120;\n\
max-transfer-time-out 120;\n\
max-transfer-idle-in 60;\n\
max-transfer-idle-out 60;\n\
max-retry-time 1209600; /* 2 weeks */\n\
min-retry-time 500;\n\
max-refresh-time 2419200; /* 4 weeks */\n\
min-refresh-time 300;\n\
multi-master no;\n\
dnssec-secure-to-insecure no;\n\
sig-validity-interval 30; /* days */\n\
sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
sig-signing-type 65534;\n\
inline-signing no;\n\
zone-statistics terse;\n\
max-journal-size unlimited;\n\
ixfr-from-differences false;\n\
check-wildcard yes;\n\
check-sibling yes;\n\
check-integrity yes;\n\
check-mx-cname warn;\n\
check-srv-cname warn;\n\
zero-no-soa-ttl yes;\n\
update-check-ksk yes;\n\
serial-update-method increment;\n\
dnssec-update-mode maintain;\n\
dnssec-dnskey-kskonly no;\n\
dnssec-loadkeys-interval 60;\n\
try-tcp-refresh yes; /* BIND 8 compat */\n\
};\n\
"
"#\n\
# Zones in the \"_bind\" view are NOT counted in the count of zones.\n\
#\n\
view \"_bind\" chaos {\n\
recursion no;\n\
notify no;\n\
allow-new-zones no;\n\
\n\
zone \"version.bind\" chaos {\n\
type master;\n\
database \"_builtin version\";\n\
};\n\
\n\
zone \"hostname.bind\" chaos {\n\
type master;\n\
database \"_builtin hostname\";\n\
};\n\
\n\
zone \"authors.bind\" chaos {\n\
type master;\n\
database \"_builtin authors\";\n\
};\n\
\n\
zone \"id.server\" chaos {\n\
type master;\n\
database \"_builtin id\";\n\
};\n\
};\n\
"
"#\n\
# Default trusted key(s) for builtin DLV support\n\
# (used if \"dnssec-lookaside auto;\" is set and\n\
# sysconfdir/bind.keys doesn't exist).\n\
#\n\
# BEGIN MANAGED KEYS\n"
/* Imported from bind.keys.h: */
MANAGED_KEYS
"# END MANAGED KEYS\n\
";
isc_result_t
ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) {
isc_buffer_t b;
isc_buffer_init(&b, defaultconf, sizeof(defaultconf) - 1);
isc_buffer_add(&b, sizeof(defaultconf) - 1);
return (cfg_parse_buffer(parser, &b, &cfg_type_namedconf, conf));
}
isc_result_t
ns_config_get(const cfg_obj_t **maps, const char *name, const cfg_obj_t **obj) {
int i;
for (i = 0;; i++) {
if (maps[i] == NULL)
return (ISC_R_NOTFOUND);
if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
return (ISC_R_SUCCESS);
}
}
isc_result_t
ns_checknames_get(const cfg_obj_t **maps, const char *which,
const cfg_obj_t **obj)
{
const cfg_listelt_t *element;
const cfg_obj_t *checknames;
const cfg_obj_t *type;
const cfg_obj_t *value;
int i;
for (i = 0;; i++) {
if (maps[i] == NULL)
return (ISC_R_NOTFOUND);
checknames = NULL;
if (cfg_map_get(maps[i], "check-names",
&checknames) == ISC_R_SUCCESS) {
/*
* Zone map entry is not a list.
*/
if (checknames != NULL && !cfg_obj_islist(checknames)) {
*obj = checknames;
return (ISC_R_SUCCESS);
}
for (element = cfg_list_first(checknames);
element != NULL;
element = cfg_list_next(element)) {
value = cfg_listelt_value(element);
type = cfg_tuple_get(value, "type");
if (strcasecmp(cfg_obj_asstring(type),
which) == 0) {
*obj = cfg_tuple_get(value, "mode");
return (ISC_R_SUCCESS);
}
}
}
}
}
int
ns_config_listcount(const cfg_obj_t *list) {
const cfg_listelt_t *e;
int i = 0;
for (e = cfg_list_first(list); e != NULL; e = cfg_list_next(e))
i++;
return (i);
}
isc_result_t
ns_config_getclass(const cfg_obj_t *classobj, dns_rdataclass_t defclass,
dns_rdataclass_t *classp) {
isc_textregion_t r;
isc_result_t result;
if (!cfg_obj_isstring(classobj)) {
*classp = defclass;
return (ISC_R_SUCCESS);
}
DE_CONST(cfg_obj_asstring(classobj), r.base);
r.length = strlen(r.base);
result = dns_rdataclass_fromtext(classp, &r);
if (result != ISC_R_SUCCESS)
cfg_obj_log(classobj, ns_g_lctx, ISC_LOG_ERROR,
"unknown class '%s'", r.base);
return (result);
}
isc_result_t
ns_config_gettype(const cfg_obj_t *typeobj, dns_rdatatype_t deftype,
dns_rdatatype_t *typep) {
isc_textregion_t r;
isc_result_t result;
if (!cfg_obj_isstring(typeobj)) {
*typep = deftype;
return (ISC_R_SUCCESS);
}
DE_CONST(cfg_obj_asstring(typeobj), r.base);
r.length = strlen(r.base);
result = dns_rdatatype_fromtext(typep, &r);
if (result != ISC_R_SUCCESS)
cfg_obj_log(typeobj, ns_g_lctx, ISC_LOG_ERROR,
"unknown type '%s'", r.base);
return (result);
}
dns_zonetype_t
ns_config_getzonetype(const cfg_obj_t *zonetypeobj) {
dns_zonetype_t ztype = dns_zone_none;
const char *str;
str = cfg_obj_asstring(zonetypeobj);
if (strcasecmp(str, "master") == 0)
ztype = dns_zone_master;
else if (strcasecmp(str, "slave") == 0)
ztype = dns_zone_slave;
else if (strcasecmp(str, "stub") == 0)
ztype = dns_zone_stub;
else if (strcasecmp(str, "static-stub") == 0)
ztype = dns_zone_staticstub;
else if (strcasecmp(str, "redirect") == 0)
ztype = dns_zone_redirect;
else
INSIST(0);
return (ztype);
}
isc_result_t
ns_config_getiplist(const cfg_obj_t *config, const cfg_obj_t *list,
in_port_t defport, isc_mem_t *mctx,
isc_sockaddr_t **addrsp, isc_uint32_t *countp)
{
int count, i = 0;
const cfg_obj_t *addrlist;
const cfg_obj_t *portobj;
const cfg_listelt_t *element;
isc_sockaddr_t *addrs;
in_port_t port;
isc_result_t result;
INSIST(addrsp != NULL && *addrsp == NULL);
INSIST(countp != NULL);
addrlist = cfg_tuple_get(list, "addresses");
count = ns_config_listcount(addrlist);
portobj = cfg_tuple_get(list, "port");
if (cfg_obj_isuint32(portobj)) {
isc_uint32_t val = cfg_obj_asuint32(portobj);
if (val > ISC_UINT16_MAX) {
cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
"port '%u' out of range", val);
return (ISC_R_RANGE);
}
port = (in_port_t) val;
} else if (defport != 0)
port = defport;
else {
result = ns_config_getport(config, &port);
if (result != ISC_R_SUCCESS)
return (result);
}
addrs = isc_mem_get(mctx, count * sizeof(isc_sockaddr_t));
if (addrs == NULL)
return (ISC_R_NOMEMORY);
for (element = cfg_list_first(addrlist);
element != NULL;
element = cfg_list_next(element), i++)
{
INSIST(i < count);
addrs[i] = *cfg_obj_assockaddr(cfg_listelt_value(element));
if (isc_sockaddr_getport(&addrs[i]) == 0)
isc_sockaddr_setport(&addrs[i], port);
}
INSIST(i == count);
*addrsp = addrs;
*countp = count;
return (ISC_R_SUCCESS);
}
void
ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
isc_uint32_t count)
{
INSIST(addrsp != NULL && *addrsp != NULL);
isc_mem_put(mctx, *addrsp, count * sizeof(isc_sockaddr_t));
*addrsp = NULL;
}
static isc_result_t
get_masters_def(const cfg_obj_t *cctx, const char *name,
const cfg_obj_t **ret)
{
isc_result_t result;
const cfg_obj_t *masters = NULL;
const cfg_listelt_t *elt;
result = cfg_map_get(cctx, "masters", &masters);
if (result != ISC_R_SUCCESS)
return (result);
for (elt = cfg_list_first(masters);
elt != NULL;
elt = cfg_list_next(elt)) {
const cfg_obj_t *list;
const char *listname;
list = cfg_listelt_value(elt);
listname = cfg_obj_asstring(cfg_tuple_get(list, "name"));
if (strcasecmp(listname, name) == 0) {
*ret = list;
return (ISC_R_SUCCESS);
}
}
return (ISC_R_NOTFOUND);
}
isc_result_t
ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
isc_mem_t *mctx, isc_sockaddr_t **addrsp,
dns_name_t ***keysp, isc_uint32_t *countp)
{
isc_uint32_t addrcount = 0, keycount = 0, i = 0;
isc_uint32_t listcount = 0, l = 0, j;
isc_uint32_t stackcount = 0, pushed = 0;
isc_result_t result;
const cfg_listelt_t *element;
const cfg_obj_t *addrlist;
const cfg_obj_t *portobj;
in_port_t port;
dns_fixedname_t fname;
isc_sockaddr_t *addrs = NULL;
dns_name_t **keys = NULL;
struct { const char *name; } *lists = NULL;
struct {
const cfg_listelt_t *element;
in_port_t port;
} *stack = NULL;
REQUIRE(addrsp != NULL && *addrsp == NULL);
REQUIRE(keysp != NULL && *keysp == NULL);
REQUIRE(countp != NULL);
newlist:
addrlist = cfg_tuple_get(list, "addresses");
portobj = cfg_tuple_get(list, "port");
if (cfg_obj_isuint32(portobj)) {
isc_uint32_t val = cfg_obj_asuint32(portobj);
if (val > ISC_UINT16_MAX) {
cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
"port '%u' out of range", val);
result = ISC_R_RANGE;
goto cleanup;
}
port = (in_port_t) val;
} else {
result = ns_config_getport(config, &port);
if (result != ISC_R_SUCCESS)
goto cleanup;
}
result = ISC_R_NOMEMORY;
element = cfg_list_first(addrlist);
resume:
for ( ;
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *addr;
const cfg_obj_t *key;
const char *keystr;
isc_buffer_t b;
addr = cfg_tuple_get(cfg_listelt_value(element),
"masterselement");
key = cfg_tuple_get(cfg_listelt_value(element), "key");
if (!cfg_obj_issockaddr(addr)) {
const char *listname = cfg_obj_asstring(addr);
isc_result_t tresult;
/* Grow lists? */
if (listcount == l) {
void * new;
isc_uint32_t newlen = listcount + 16;
size_t newsize, oldsize;
newsize = newlen * sizeof(*lists);
oldsize = listcount * sizeof(*lists);
new = isc_mem_get(mctx, newsize);
if (new == NULL)
goto cleanup;
if (listcount != 0) {
memcpy(new, lists, oldsize);
isc_mem_put(mctx, lists, oldsize);
}
lists = new;
listcount = newlen;
}
/* Seen? */
for (j = 0; j < l; j++)
if (strcasecmp(lists[j].name, listname) == 0)
break;
if (j < l)
continue;
tresult = get_masters_def(config, listname, &list);
if (tresult == ISC_R_NOTFOUND) {
cfg_obj_log(addr, ns_g_lctx, ISC_LOG_ERROR,
"masters \"%s\" not found", listname);
result = tresult;
goto cleanup;
}
if (tresult != ISC_R_SUCCESS)
goto cleanup;
lists[l++].name = listname;
/* Grow stack? */
if (stackcount == pushed) {
void * new;
isc_uint32_t newlen = stackcount + 16;
size_t newsize, oldsize;
newsize = newlen * sizeof(*stack);
oldsize = stackcount * sizeof(*stack);
new = isc_mem_get(mctx, newsize);
if (new == NULL)
goto cleanup;
if (stackcount != 0) {
memcpy(new, stack, oldsize);
isc_mem_put(mctx, stack, oldsize);
}
stack = new;
stackcount = newlen;
}
/*
* We want to resume processing this list on the
* next element.
*/
stack[pushed].element = cfg_list_next(element);
stack[pushed].port = port;
pushed++;
goto newlist;
}
if (i == addrcount) {
void * new;
isc_uint32_t newlen = addrcount + 16;
size_t newsize, oldsize;
newsize = newlen * sizeof(isc_sockaddr_t);
oldsize = addrcount * sizeof(isc_sockaddr_t);
new = isc_mem_get(mctx, newsize);
if (new == NULL)
goto cleanup;
if (addrcount != 0) {
memcpy(new, addrs, oldsize);
isc_mem_put(mctx, addrs, oldsize);
}
addrs = new;
addrcount = newlen;
newsize = newlen * sizeof(dns_name_t *);
oldsize = keycount * sizeof(dns_name_t *);
new = isc_mem_get(mctx, newsize);
if (new == NULL)
goto cleanup;
if (keycount != 0) {
memcpy(new, keys, oldsize);
isc_mem_put(mctx, keys, oldsize);
}
keys = new;
keycount = newlen;
}
addrs[i] = *cfg_obj_assockaddr(addr);
if (isc_sockaddr_getport(&addrs[i]) == 0)
isc_sockaddr_setport(&addrs[i], port);
keys[i] = NULL;
i++; /* Increment here so that cleanup on error works. */
if (!cfg_obj_isstring(key))
continue;
keys[i - 1] = isc_mem_get(mctx, sizeof(dns_name_t));
if (keys[i - 1] == NULL)
goto cleanup;
dns_name_init(keys[i - 1], NULL);
keystr = cfg_obj_asstring(key);
isc_buffer_constinit(&b, keystr, strlen(keystr));
isc_buffer_add(&b, strlen(keystr));
dns_fixedname_init(&fname);
result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS)
goto cleanup;
result = dns_name_dup(dns_fixedname_name(&fname), mctx,
keys[i - 1]);
if (result != ISC_R_SUCCESS)
goto cleanup;
}
if (pushed != 0) {
pushed--;
element = stack[pushed].element;
port = stack[pushed].port;
goto resume;
}
if (i < addrcount) {
void * new;
size_t newsize, oldsize;
newsize = i * sizeof(isc_sockaddr_t);
oldsize = addrcount * sizeof(isc_sockaddr_t);
if (i != 0) {
new = isc_mem_get(mctx, newsize);
if (new == NULL)
goto cleanup;
memcpy(new, addrs, newsize);
} else
new = NULL;
isc_mem_put(mctx, addrs, oldsize);
addrs = new;
addrcount = i;
newsize = i * sizeof(dns_name_t *);
oldsize = keycount * sizeof(dns_name_t *);
if (i != 0) {
new = isc_mem_get(mctx, newsize);
if (new == NULL)
goto cleanup;
memcpy(new, keys, newsize);
} else
new = NULL;
isc_mem_put(mctx, keys, oldsize);
keys = new;
keycount = i;
}
if (lists != NULL)
isc_mem_put(mctx, lists, listcount * sizeof(*lists));
if (stack != NULL)
isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
INSIST(keycount == addrcount);
*addrsp = addrs;
*keysp = keys;
*countp = addrcount;
return (ISC_R_SUCCESS);
cleanup:
if (addrs != NULL)
isc_mem_put(mctx, addrs, addrcount * sizeof(isc_sockaddr_t));
if (keys != NULL) {
for (j = 0; j < i; j++) {
if (keys[j] == NULL)
continue;
if (dns_name_dynamic(keys[j]))
dns_name_free(keys[j], mctx);
isc_mem_put(mctx, keys[j], sizeof(dns_name_t));
}
isc_mem_put(mctx, keys, keycount * sizeof(dns_name_t *));
}
if (lists != NULL)
isc_mem_put(mctx, lists, listcount * sizeof(*lists));
if (stack != NULL)
isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
return (result);
}
void
ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
dns_name_t ***keysp, isc_uint32_t count)
{
unsigned int i;
dns_name_t **keys = *keysp;
INSIST(addrsp != NULL && *addrsp != NULL);
isc_mem_put(mctx, *addrsp, count * sizeof(isc_sockaddr_t));
for (i = 0; i < count; i++) {
if (keys[i] == NULL)
continue;
if (dns_name_dynamic(keys[i]))
dns_name_free(keys[i], mctx);
isc_mem_put(mctx, keys[i], sizeof(dns_name_t));
}
isc_mem_put(mctx, *keysp, count * sizeof(dns_name_t *));
*addrsp = NULL;
*keysp = NULL;
}
isc_result_t
ns_config_getport(const cfg_obj_t *config, in_port_t *portp) {
const cfg_obj_t *maps[3];
const cfg_obj_t *options = NULL;
const cfg_obj_t *portobj = NULL;
isc_result_t result;
int i;
(void)cfg_map_get(config, "options", &options);
i = 0;
if (options != NULL)
maps[i++] = options;
maps[i++] = ns_g_defaults;
maps[i] = NULL;
result = ns_config_get(maps, "port", &portobj);
INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
"port '%u' out of range",
cfg_obj_asuint32(portobj));
return (ISC_R_RANGE);
}
*portp = (in_port_t)cfg_obj_asuint32(portobj);
return (ISC_R_SUCCESS);
}
struct keyalgorithms {
const char *str;
enum { hmacnone, hmacmd5, hmacsha1, hmacsha224,
hmacsha256, hmacsha384, hmacsha512 } hmac;
unsigned int type;
isc_uint16_t size;
} algorithms[] = {
{ "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
{ "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
{ "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
{ "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
{ "hmac-sha384", hmacsha384, DST_ALG_HMACSHA384, 384 },
{ "hmac-sha512", hmacsha512, DST_ALG_HMACSHA512, 512 },
{ NULL, hmacnone, DST_ALG_UNKNOWN, 0 }
};
isc_result_t
ns_config_getkeyalgorithm(const char *str, dns_name_t **name,
isc_uint16_t *digestbits)
{
return (ns_config_getkeyalgorithm2(str, name, NULL, digestbits));
}
isc_result_t
ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
unsigned int *typep, isc_uint16_t *digestbits)
{
int i;
size_t len = 0;
isc_uint16_t bits;
isc_result_t result;
for (i = 0; algorithms[i].str != NULL; i++) {
len = strlen(algorithms[i].str);
if (strncasecmp(algorithms[i].str, str, len) == 0 &&
(str[len] == '\0' ||
(algorithms[i].size != 0 && str[len] == '-')))
break;
}
if (algorithms[i].str == NULL)
return (ISC_R_NOTFOUND);
if (str[len] == '-') {
result = isc_parse_uint16(&bits, str + len + 1, 10);
if (result != ISC_R_SUCCESS)
return (result);
if (bits > algorithms[i].size)
return (ISC_R_RANGE);
} else if (algorithms[i].size == 0)
bits = 128;
else
bits = algorithms[i].size;
if (name != NULL) {
switch (algorithms[i].hmac) {
case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
case hmacsha384: *name = dns_tsig_hmacsha384_name; break;
case hmacsha512: *name = dns_tsig_hmacsha512_name; break;
default:
INSIST(0);
}
}
if (typep != NULL)
*typep = algorithms[i].type;
if (digestbits != NULL)
*digestbits = bits;
return (ISC_R_SUCCESS);
}

219
contrib/bind9/bin/named/control.c
View file

@ -1,219 +0,0 @@
/*
* Copyright (C) 2004-2007, 2009-2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
/*! \file */
#include <config.h>
#include <isc/app.h>
#include <isc/event.h>
#include <isc/mem.h>
#include <isc/string.h>
#include <isc/timer.h>
#include <isc/util.h>
#include <dns/result.h>
#include <isccc/alist.h>
#include <isccc/cc.h>
#include <isccc/result.h>
#include <named/control.h>
#include <named/log.h>
#include <named/os.h>
#include <named/server.h>
#ifdef HAVE_LIBSCF
#include <named/ns_smf_globals.h>
#endif
static isc_boolean_t
command_compare(const char *text, const char *command) {
unsigned int commandlen = strlen(command);
if (strncasecmp(text, command, commandlen) == 0 &&
(text[commandlen] == '\0' ||
text[commandlen] == ' ' ||
text[commandlen] == '\t'))
return (ISC_TRUE);
return (ISC_FALSE);
}
/*%
* This function is called to process the incoming command
* when a control channel message is received.
*/
isc_result_t
ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
isccc_sexpr_t *data;
char *command = NULL;
isc_result_t result;
int log_level;
#ifdef HAVE_LIBSCF
ns_smf_want_disable = 0;
#endif
data = isccc_alist_lookup(message, "_data");
if (data == NULL) {
/*
* No data section.
*/
return (ISC_R_FAILURE);
}
result = isccc_cc_lookupstring(data, "type", &command);
if (result != ISC_R_SUCCESS) {
/*
* We have no idea what this is.
*/
return (result);
}
/*
* Compare the 'command' parameter against all known control commands.
*/
if (command_compare(command, NS_COMMAND_NULL) ||
command_compare(command, NS_COMMAND_STATUS)) {
log_level = ISC_LOG_DEBUG(1);
} else {
log_level = ISC_LOG_INFO;
}
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, log_level,
"received control channel command '%s'",
command);
if (command_compare(command, NS_COMMAND_RELOAD)) {
result = ns_server_reloadcommand(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_RECONFIG)) {
result = ns_server_reconfigcommand(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_REFRESH)) {
result = ns_server_refreshcommand(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_RETRANSFER)) {
result = ns_server_retransfercommand(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_HALT)) {
#ifdef HAVE_LIBSCF
/*
* If we are managed by smf(5), AND in chroot, then
* we cannot connect to the smf repository, so just
* return with an appropriate message back to rndc.
*/
if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
result = ns_smf_add_message(text);
return (result);
}
/*
* If we are managed by smf(5) but not in chroot,
* try to disable ourselves the smf way.
*/
if (ns_smf_got_instance == 1 && ns_smf_chroot == 0)
ns_smf_want_disable = 1;
/*
* If ns_smf_got_instance = 0, ns_smf_chroot
* is not relevant and we fall through to
* isc_app_shutdown below.
*/
#endif
/* Do not flush master files */
ns_server_flushonshutdown(ns_g_server, ISC_FALSE);
ns_os_shutdownmsg(command, text);
isc_app_shutdown();
result = ISC_R_SUCCESS;
} else if (command_compare(command, NS_COMMAND_STOP)) {
/*
* "stop" is the same as "halt" except it does
* flush master files.
*/
#ifdef HAVE_LIBSCF
if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
result = ns_smf_add_message(text);
return (result);
}
if (ns_smf_got_instance == 1 && ns_smf_chroot == 0)
ns_smf_want_disable = 1;
#endif
ns_server_flushonshutdown(ns_g_server, ISC_TRUE);
ns_os_shutdownmsg(command, text);
isc_app_shutdown();
result = ISC_R_SUCCESS;
} else if (command_compare(command, NS_COMMAND_DUMPSTATS)) {
result = ns_server_dumpstats(ns_g_server);
} else if (command_compare(command, NS_COMMAND_QUERYLOG)) {
result = ns_server_togglequerylog(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_DUMPDB)) {
ns_server_dumpdb(ns_g_server, command);
result = ISC_R_SUCCESS;
} else if (command_compare(command, NS_COMMAND_SECROOTS)) {
result = ns_server_dumpsecroots(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_TRACE)) {
result = ns_server_setdebuglevel(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_NOTRACE)) {
ns_g_debuglevel = 0;
isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
result = ISC_R_SUCCESS;
} else if (command_compare(command, NS_COMMAND_FLUSH)) {
result = ns_server_flushcache(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_FLUSHNAME)) {
result = ns_server_flushnode(ns_g_server, command, ISC_FALSE);
} else if (command_compare(command, NS_COMMAND_FLUSHTREE)) {
result = ns_server_flushnode(ns_g_server, command, ISC_TRUE);
} else if (command_compare(command, NS_COMMAND_STATUS)) {
result = ns_server_status(ns_g_server, text);
} else if (command_compare(command, NS_COMMAND_TSIGLIST)) {
result = ns_server_tsiglist(ns_g_server, text);
} else if (command_compare(command, NS_COMMAND_TSIGDELETE)) {
result = ns_server_tsigdelete(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_FREEZE)) {
result = ns_server_freeze(ns_g_server, ISC_TRUE, command,
text);
} else if (command_compare(command, NS_COMMAND_UNFREEZE) ||
command_compare(command, NS_COMMAND_THAW)) {
result = ns_server_freeze(ns_g_server, ISC_FALSE, command,
text);
} else if (command_compare(command, NS_COMMAND_SYNC)) {
result = ns_server_sync(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_RECURSING)) {
result = ns_server_dumprecursing(ns_g_server);
} else if (command_compare(command, NS_COMMAND_TIMERPOKE)) {
result = ISC_R_SUCCESS;
isc_timermgr_poke(ns_g_timermgr);
} else if (command_compare(command, NS_COMMAND_NULL)) {
result = ISC_R_SUCCESS;
} else if (command_compare(command, NS_COMMAND_NOTIFY)) {
result = ns_server_notifycommand(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_VALIDATION)) {
result = ns_server_validation(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_SIGN) ||
command_compare(command, NS_COMMAND_LOADKEYS)) {
result = ns_server_rekey(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_ADDZONE)) {
result = ns_server_add_zone(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_DELZONE)) {
result = ns_server_del_zone(ns_g_server, command);
} else if (command_compare(command, NS_COMMAND_SIGNING)) {
result = ns_server_signing(ns_g_server, command, text);
} else {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
"unknown control channel command '%s'",
command);
result = DNS_R_UNKNOWNCOMMAND;
}
return (result);
}

1458
contrib/bind9/bin/named/controlconf.c
View file

File diff suppressed because it is too large Load diff

57
contrib/bind9/bin/named/convertxsl.pl
View file

@ -1,57 +0,0 @@
#!/usr/bin/env perl
#
# Copyright (C) 2006-2008, 2012 Internet Systems Consortium, Inc. ("ISC")
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $
use strict;
use warnings;
my $rev = '$Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $';
$rev =~ s/\$//g;
$rev =~ s/,v//g;
$rev =~ s/Id: //;
my $xsl = "unknown";
my $lines = '';
while (<>) {
chomp;
# pickout the id for comment.
$xsl = $_ if (/<!-- .Id:.* -->/);
# convert Id string to a form not recognisable by cvs.
$_ =~ s/<!-- .Id:(.*). -->/<!-- \\045Id: $1\\045 -->/;
s/[\ \t]+/ /g;
s/\>\ \</\>\</g;
s/\"/\\\"/g;
s/^/\t\"/;
s/$/\\n\"/;
if ($lines eq "") {
$lines .= $_;
} else {
$lines .= "\n" . $_;
}
}
$xsl =~ s/\$//g;
$xsl =~ s/<!-- Id: //;
$xsl =~ s/ -->.*//;
$xsl =~ s/,v//;
print "/*\n * Generated by $rev \n * From $xsl\n */\n";
print 'static char xslmsg[] =',"\n";
print $lines;
print ';', "\n";

27
contrib/bind9/bin/named/include/dlz/dlz_dlopen_driver.h
View file

@ -1,27 +0,0 @@
/*
* Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dlz_dlopen_driver.h,v 1.4 2011/03/17 09:25:53 fdupont Exp $ */
#ifndef DLZ_DLOPEN_DRIVER_H
#define DLZ_DLOPEN_DRIVER_H
isc_result_t
dlz_dlopen_init(isc_mem_t *mctx);
void
dlz_dlopen_clear(void);
#endif

31
contrib/bind9/bin/named/include/named/builtin.h
View file

@ -1,31 +0,0 @@
/*
* Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: builtin.h,v 1.6 2007/06/19 23:46:59 tbox Exp $ */
#ifndef NAMED_BUILTIN_H
#define NAMED_BUILTIN_H 1
/*! \file */
#include <isc/types.h>
isc_result_t ns_builtin_init(void);
void ns_builtin_deinit(void);
#endif /* NAMED_BUILTIN_H */

387
contrib/bind9/bin/named/include/named/client.h
View file

@ -1,387 +0,0 @@
/*
* Copyright (C) 2004-2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id$ */
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
/*****
***** Module Info
*****/
/*! \file
* \brief
* This module defines two objects, ns_client_t and ns_clientmgr_t.
*
* An ns_client_t object handles incoming DNS requests from clients
* on a given network interface.
*
* Each ns_client_t object can handle only one TCP connection or UDP
* request at a time. Therefore, several ns_client_t objects are
* typically created to serve each network interface, e.g., one
* for handling TCP requests and a few (one per CPU) for handling
* UDP requests.
*
* Incoming requests are classified as queries, zone transfer
* requests, update requests, notify requests, etc, and handed off
* to the appropriate request handler. When the request has been
* fully handled (which can be much later), the ns_client_t must be
* notified of this by calling one of the following functions
* exactly once in the context of its task:
* \code
* ns_client_send() (sending a non-error response)
* ns_client_sendraw() (sending a raw response)
* ns_client_error() (sending an error response)
* ns_client_next() (sending no response)
*\endcode
* This will release any resources used by the request and
* and allow the ns_client_t to listen for the next request.
*
* A ns_clientmgr_t manages a number of ns_client_t objects.
* New ns_client_t objects are created by calling
* ns_clientmgr_createclients(). They are destroyed by
* destroying their manager.
*/
/***
*** Imports
***/
#include <isc/buffer.h>
#include <isc/magic.h>
#include <isc/stdtime.h>
#include <isc/quota.h>
#include <isc/queue.h>
#include <dns/db.h>
#include <dns/fixedname.h>
#include <dns/name.h>
#include <dns/rdataclass.h>
#include <dns/rdatatype.h>
#include <dns/tcpmsg.h>
#include <dns/types.h>
#include <named/types.h>
#include <named/query.h>
/***
*** Types
***/
/*% nameserver client structure */
struct ns_client {
unsigned int magic;
isc_mem_t * mctx;
ns_clientmgr_t * manager;
int state;
int newstate;
int naccepts;
int nreads;
int nsends;
int nrecvs;
int nupdates;
int nctls;
int references;
isc_boolean_t needshutdown; /*
* Used by clienttest to get
* the client to go from
* inactive to free state
* by shutting down the
* client's task.
*/
unsigned int attributes;
isc_task_t * task;
dns_view_t * view;
dns_dispatch_t * dispatch;
isc_socket_t * udpsocket;
isc_socket_t * tcplistener;
isc_socket_t * tcpsocket;
unsigned char * tcpbuf;
dns_tcpmsg_t tcpmsg;
isc_boolean_t tcpmsg_valid;
isc_timer_t * timer;
isc_boolean_t timerset;
dns_message_t * message;
isc_socketevent_t * sendevent;
isc_socketevent_t * recvevent;
unsigned char * recvbuf;
dns_rdataset_t * opt;
isc_uint16_t udpsize;
isc_uint16_t extflags;
isc_int16_t ednsversion; /* -1 noedns */
void (*next)(ns_client_t *);
void (*shutdown)(void *arg, isc_result_t result);
void *shutdown_arg;
ns_query_t query;
isc_stdtime_t requesttime;
isc_stdtime_t now;
dns_name_t signername; /*%< [T]SIG key name */
dns_name_t * signer; /*%< NULL if not valid sig */
isc_boolean_t mortal; /*%< Die after handling request */
isc_quota_t *tcpquota;
isc_quota_t *recursionquota;
ns_interface_t *interface;
isc_sockaddr_t peeraddr;
isc_boolean_t peeraddr_valid;
isc_netaddr_t destaddr;
struct in6_pktinfo pktinfo;
isc_event_t ctlevent;
#ifdef ALLOW_FILTER_AAAA_ON_V4
dns_v4_aaaa_t filter_aaaa;
#endif
/*%
* Information about recent FORMERR response(s), for
* FORMERR loop avoidance. This is separate for each
* client object rather than global only to avoid
* the need for locking.
*/
struct {
isc_sockaddr_t addr;
isc_stdtime_t time;
dns_messageid_t id;
} formerrcache;
ISC_LINK(ns_client_t) link;
ISC_LINK(ns_client_t) rlink;
ISC_QLINK(ns_client_t) ilink;
};
typedef ISC_QUEUE(ns_client_t) client_queue_t;
typedef ISC_LIST(ns_client_t) client_list_t;
#define NS_CLIENT_MAGIC ISC_MAGIC('N','S','C','c')
#define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
#define NS_CLIENTATTR_TCP 0x001
#define NS_CLIENTATTR_RA 0x002 /*%< Client gets recursive service */
#define NS_CLIENTATTR_PKTINFO 0x004 /*%< pktinfo is valid */
#define NS_CLIENTATTR_MULTICAST 0x008 /*%< recv'd from multicast */
#define NS_CLIENTATTR_WANTDNSSEC 0x010 /*%< include dnssec records */
#define NS_CLIENTATTR_WANTNSID 0x020 /*%< include nameserver ID */
#ifdef ALLOW_FILTER_AAAA_ON_V4
#define NS_CLIENTATTR_FILTER_AAAA 0x040 /*%< suppress AAAAs */
#define NS_CLIENTATTR_FILTER_AAAA_RC 0x080 /*%< recursing for A against AAAA */
#endif
#define NS_CLIENTATTR_WANTAD 0x100 /*%< want AD in response if possible */
extern unsigned int ns_client_requests;
/***
*** Functions
***/
/*%
* Note! These ns_client_ routines MUST be called ONLY from the client's
* task in order to ensure synchronization.
*/
void
ns_client_send(ns_client_t *client);
/*%
* Finish processing the current client request and
* send client->message as a response.
* \brief
* Note! These ns_client_ routines MUST be called ONLY from the client's
* task in order to ensure synchronization.
*/
void
ns_client_sendraw(ns_client_t *client, dns_message_t *msg);
/*%
* Finish processing the current client request and
* send msg as a response using client->message->id for the id.
*/
void
ns_client_error(ns_client_t *client, isc_result_t result);
/*%
* Finish processing the current client request and return
* an error response to the client. The error response
* will have an RCODE determined by 'result'.
*/
void
ns_client_next(ns_client_t *client, isc_result_t result);
/*%
* Finish processing the current client request,
* return no response to the client.
*/
isc_boolean_t
ns_client_shuttingdown(ns_client_t *client);
/*%
* Return ISC_TRUE iff the client is currently shutting down.
*/
void
ns_client_attach(ns_client_t *source, ns_client_t **target);
/*%
* Attach '*targetp' to 'source'.
*/
void
ns_client_detach(ns_client_t **clientp);
/*%
* Detach '*clientp' from its client.
*/
isc_result_t
ns_client_replace(ns_client_t *client);
/*%
* Try to replace the current client with a new one, so that the
* current one can go off and do some lengthy work without
* leaving the dispatch/socket without service.
*/
void
ns_client_settimeout(ns_client_t *client, unsigned int seconds);
/*%
* Set a timer in the client to go off in the specified amount of time.
*/
isc_result_t
ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
isc_timermgr_t *timermgr, ns_clientmgr_t **managerp);
/*%
* Create a client manager.
*/
void
ns_clientmgr_destroy(ns_clientmgr_t **managerp);
/*%
* Destroy a client manager and all ns_client_t objects
* managed by it.
*/
isc_result_t
ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
ns_interface_t *ifp, isc_boolean_t tcp);
/*%
* Create up to 'n' clients listening on interface 'ifp'.
* If 'tcp' is ISC_TRUE, the clients will listen for TCP connections,
* otherwise for UDP requests.
*/
isc_sockaddr_t *
ns_client_getsockaddr(ns_client_t *client);
/*%
* Get the socket address of the client whose request is
* currently being processed.
*/
isc_result_t
ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,
dns_acl_t *acl, isc_boolean_t default_allow);
/*%
* Convenience function for client request ACL checking.
*
* Check the current client request against 'acl'. If 'acl'
* is NULL, allow the request iff 'default_allow' is ISC_TRUE.
* If netaddr is NULL, check the ACL against client->peeraddr;
* otherwise check it against netaddr.
*
* Notes:
*\li This is appropriate for checking allow-update,
* allow-query, allow-transfer, etc. It is not appropriate
* for checking the blackhole list because we treat positive
* matches as "allow" and negative matches as "deny"; in
* the case of the blackhole list this would be backwards.
*
* Requires:
*\li 'client' points to a valid client.
*\li 'netaddr' points to a valid address, or is NULL.
*\li 'acl' points to a valid ACL, or is NULL.
*
* Returns:
*\li ISC_R_SUCCESS if the request should be allowed
* \li DNS_R_REFUSED if the request should be denied
*\li No other return values are possible.
*/
isc_result_t
ns_client_checkacl(ns_client_t *client,
isc_sockaddr_t *sockaddr,
const char *opname, dns_acl_t *acl,
isc_boolean_t default_allow,
int log_level);
/*%
* Like ns_client_checkaclsilent, except the outcome of the check is
* logged at log level 'log_level' if denied, and at debug 3 if approved.
* Log messages will refer to the request as an 'opname' request.
*
* Requires:
*\li 'client' points to a valid client.
*\li 'sockaddr' points to a valid address, or is NULL.
*\li 'acl' points to a valid ACL, or is NULL.
*\li 'opname' points to a null-terminated string.
*/
void
ns_client_log(ns_client_t *client, isc_logcategory_t *category,
isc_logmodule_t *module, int level,
const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
void
ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
isc_logmodule_t *module, int level, const char *fmt, va_list ap) ISC_FORMAT_PRINTF(5, 0);
void
ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
dns_rdataclass_t rdclass, char *buf, size_t len);
#define NS_CLIENT_ACLMSGSIZE(x) \
(DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + \
DNS_RDATACLASS_FORMATSIZE + sizeof(x) + sizeof("'/'"))
void
ns_client_recursing(ns_client_t *client);
/*%
* Add client to end of th recursing list.
*/
void
ns_client_killoldestquery(ns_client_t *client);
/*%
* Kill the oldest recursive query (recursing list head).
*/
void
ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager);
/*%
* Dump the outstanding recursive queries to 'f'.
*/
void
ns_client_qnamereplace(ns_client_t *client, dns_name_t *name);
/*%
* Replace the qname.
*/
isc_boolean_t
ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
dns_rdataclass_t rdclass, void *arg);
/*%
* Isself callback.
*/
isc_result_t
ns_client_sourceip(dns_clientinfo_t *ci, isc_sockaddr_t **addrp);
#endif /* NAMED_CLIENT_H */

Some files were not shown because too many files have changed in this diff Show more