commit
2b068456f8
@ -0,0 +1 @@
|
||||
30cbd1f3e9d2d47d653498143334128aac1f8fc0 SOURCES/bind-9.16.23.tar.xz
|
@ -0,0 +1 @@
|
||||
SOURCES/bind-9.16.23.tar.xz
|
@ -0,0 +1,550 @@
|
||||
From 040227009453b3f0aa7914c7a6a94dc57ad5269b Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Thu, 21 Jan 2021 10:46:20 +0100
|
||||
Subject: [PATCH] Enable custom pkcs11 native build
|
||||
|
||||
Share common parts like libisc, libcc and others. But provide native
|
||||
pkcs11 libraries as a new copy of libdns and libns.
|
||||
---
|
||||
bin/Makefile.in | 2 +-
|
||||
bin/confgen/Makefile.in | 2 +-
|
||||
bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++---------------
|
||||
bin/named-pkcs11/Makefile.in | 33 ++++++++++++++-------------
|
||||
configure.ac | 19 ++++++++++++++++
|
||||
lib/Makefile.in | 2 +-
|
||||
lib/dns-pkcs11/Makefile.in | 22 +++++++++---------
|
||||
lib/dns-pkcs11/tests/Makefile.in | 8 +++----
|
||||
lib/ns-pkcs11/Makefile.in | 26 ++++++++++-----------
|
||||
lib/ns-pkcs11/tests/Makefile.in | 12 +++++-----
|
||||
make/includes.in | 7 ++++++
|
||||
11 files changed, 101 insertions(+), 71 deletions(-)
|
||||
|
||||
diff --git a/bin/Makefile.in b/bin/Makefile.in
|
||||
index 9ad7f62..094775a 100644
|
||||
--- a/bin/Makefile.in
|
||||
+++ b/bin/Makefile.in
|
||||
@@ -11,7 +11,7 @@ srcdir = @srcdir@
|
||||
VPATH = @srcdir@
|
||||
top_srcdir = @top_srcdir@
|
||||
|
||||
-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
|
||||
+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \
|
||||
@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
|
||||
TARGETS =
|
||||
|
||||
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
|
||||
index c126bf3..1b7512d 100644
|
||||
--- a/bin/confgen/Makefile.in
|
||||
+++ b/bin/confgen/Makefile.in
|
||||
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
|
||||
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
|
||||
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
|
||||
|
||||
-CDEFINES = @USE_PKCS11@
|
||||
+CDEFINES =
|
||||
CWARNINGS =
|
||||
|
||||
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
|
||||
index ace0e5a..e0f6a00 100644
|
||||
--- a/bin/dnssec-pkcs11/Makefile.in
|
||||
+++ b/bin/dnssec-pkcs11/Makefile.in
|
||||
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
|
||||
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
|
||||
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
|
||||
${OPENSSL_CFLAGS}
|
||||
|
||||
-CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
|
||||
+CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1
|
||||
CWARNINGS =
|
||||
|
||||
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
|
||||
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
|
||||
|
||||
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
|
||||
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
|
||||
ISCDEPLIBS = ../../lib/isc/libisc.@A@
|
||||
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||
|
||||
@@ -36,12 +36,15 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
|
||||
|
||||
NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
|
||||
|
||||
+# Add suffix to all targets
|
||||
+EXEEXT = -pkcs11@EXEEXT@
|
||||
+
|
||||
# Alphabetically
|
||||
-TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
|
||||
- dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
|
||||
- dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
|
||||
- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
|
||||
- dnssec-verify@EXEEXT@
|
||||
+TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \
|
||||
+ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \
|
||||
+ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \
|
||||
+ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \
|
||||
+ dnssec-verify${EXEEXT}
|
||||
|
||||
OBJS = dnssectool.@O@
|
||||
|
||||
@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
|
||||
-dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
|
||||
+dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
|
||||
export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
|
||||
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
|
||||
+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
|
||||
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
|
||||
-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
|
||||
+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
|
||||
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
|
||||
-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
|
||||
+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
|
||||
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
|
||||
@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
|
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
|
||||
-c ${srcdir}/dnssec-signzone.c
|
||||
|
||||
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
|
||||
+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
|
||||
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
|
||||
@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
|
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
|
||||
-c ${srcdir}/dnssec-verify.c
|
||||
|
||||
-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
|
||||
+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
|
||||
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
|
||||
-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
|
||||
+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
dnssec-revoke.@O@ ${OBJS} ${LIBS}
|
||||
|
||||
-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
|
||||
+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
dnssec-settime.@O@ ${OBJS} ${LIBS}
|
||||
|
||||
-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
|
||||
+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||
dnssec-importkey.@O@ ${OBJS} ${LIBS}
|
||||
|
||||
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
|
||||
index 98125dd..518a75f 100644
|
||||
--- a/bin/named-pkcs11/Makefile.in
|
||||
+++ b/bin/named-pkcs11/Makefile.in
|
||||
@@ -37,13 +37,14 @@ DBDRIVER_LIBS =
|
||||
|
||||
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
|
||||
|
||||
-DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@
|
||||
-DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@
|
||||
-DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
|
||||
-DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
|
||||
+# Skip building on PKCS11 variant
|
||||
+DLZDRIVER_OBJS =
|
||||
+DLZDRIVER_SRCS =
|
||||
+DLZDRIVER_INCLUDES =
|
||||
+DLZDRIVER_LIBS =
|
||||
|
||||
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
|
||||
- ${NS_INCLUDES} ${DNS_INCLUDES} \
|
||||
+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \
|
||||
${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
|
||||
${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
|
||||
${DBDRIVER_INCLUDES} \
|
||||
@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
|
||||
${LIBXML2_CFLAGS} \
|
||||
${MAXMINDDB_CFLAGS}
|
||||
|
||||
-CDEFINES = @CONTRIB_DLZ@
|
||||
+CDEFINES =
|
||||
|
||||
CWARNINGS =
|
||||
|
||||
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
|
||||
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
|
||||
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
|
||||
BIND9LIBS = ../../lib/bind9/libbind9.@A@
|
||||
-NSLIBS = ../../lib/ns/libns.@A@
|
||||
+NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
|
||||
|
||||
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
|
||||
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
|
||||
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
|
||||
ISCDEPLIBS = ../../lib/isc/libisc.@A@
|
||||
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
|
||||
-NSDEPLIBS = ../../lib/ns/libns.@A@
|
||||
+NSDEPLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
|
||||
|
||||
DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
|
||||
${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
|
||||
@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
|
||||
|
||||
SUBDIRS = unix
|
||||
|
||||
-TARGETS = named@EXEEXT@ feature-test@EXEEXT@
|
||||
+TARGETS = named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@
|
||||
|
||||
GEOIP2LINKOBJS = geoip.@O@
|
||||
|
||||
@@ -151,7 +152,7 @@ server.@O@: server.c
|
||||
-DPRODUCT=\"${PRODUCT}\" \
|
||||
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
|
||||
|
||||
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
|
||||
+named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS}
|
||||
export MAKE_SYMTABLE="yes"; \
|
||||
export BASEOBJS="${OBJS} ${UOBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
@@ -161,7 +162,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
|
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
|
||||
-c ${top_srcdir}/bin/tests/system/feature-test.c
|
||||
|
||||
-feature-test@EXEEXT@: feature-test.@O@
|
||||
+feature-test-pkcs11@EXEEXT@: feature-test.@O@
|
||||
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
|
||||
-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
|
||||
|
||||
@@ -180,11 +181,11 @@ statschannel.@O@: bind9.xsl.h
|
||||
installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
|
||||
|
||||
-install:: named@EXEEXT@ installdirs
|
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
+install:: named-pkcs11@EXEEXT@ installdirs
|
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
|
||||
|
||||
uninstall::
|
||||
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
|
||||
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
|
||||
|
||||
@DLZ_DRIVER_RULES@
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 032228b..64e3da0 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI)
|
||||
AC_SUBST(DST_GSSAPI_INC)
|
||||
AC_SUBST(DNS_GSSAPI_LIBS)
|
||||
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
|
||||
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
|
||||
|
||||
#
|
||||
# Applications linking with libdns also need to link with these libraries.
|
||||
#
|
||||
|
||||
AC_SUBST(DNS_CRYPTO_LIBS)
|
||||
+AC_SUBST(DNS_CRYPTO_PK11_LIBS)
|
||||
|
||||
#
|
||||
# was --with-lmdb specified?
|
||||
@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
|
||||
AC_SUBST(BIND9_NS_BUILDINCLUDE)
|
||||
AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
|
||||
AC_SUBST(BIND9_IRS_BUILDINCLUDE)
|
||||
+AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE)
|
||||
+AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE)
|
||||
if test "X$srcdir" != "X"; then
|
||||
BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
|
||||
BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
|
||||
@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then
|
||||
BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
|
||||
BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
|
||||
BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
|
||||
+ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include"
|
||||
+ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include"
|
||||
else
|
||||
BIND9_ISC_BUILDINCLUDE=""
|
||||
BIND9_ISCCC_BUILDINCLUDE=""
|
||||
@@ -2343,6 +2349,8 @@ else
|
||||
BIND9_NS_BUILDINCLUDE=""
|
||||
BIND9_BIND9_BUILDINCLUDE=""
|
||||
BIND9_IRS_BUILDINCLUDE=""
|
||||
+ BIND9_DNS_PKCS11_BUILDINCLUDE=""
|
||||
+ BIND9_NS_PKCS11_BUILDINCLUDE=""
|
||||
fi
|
||||
|
||||
AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
|
||||
@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([
|
||||
bin/delv/Makefile
|
||||
bin/dig/Makefile
|
||||
bin/dnssec/Makefile
|
||||
+ bin/dnssec-pkcs11/Makefile
|
||||
bin/named/Makefile
|
||||
bin/named/unix/Makefile
|
||||
+ bin/named-pkcs11/Makefile
|
||||
+ bin/named-pkcs11/unix/Makefile
|
||||
bin/nsupdate/Makefile
|
||||
bin/pkcs11/Makefile
|
||||
bin/plugins/Makefile
|
||||
@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([
|
||||
lib/dns/include/dns/Makefile
|
||||
lib/dns/include/dst/Makefile
|
||||
lib/dns/tests/Makefile
|
||||
+ lib/dns-pkcs11/Makefile
|
||||
+ lib/dns-pkcs11/include/Makefile
|
||||
+ lib/dns-pkcs11/include/dns/Makefile
|
||||
+ lib/dns-pkcs11/include/dst/Makefile
|
||||
lib/irs/Makefile
|
||||
lib/irs/include/Makefile
|
||||
lib/irs/include/irs/Makefile
|
||||
@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([
|
||||
lib/ns/include/Makefile
|
||||
lib/ns/include/ns/Makefile
|
||||
lib/ns/tests/Makefile
|
||||
+ lib/ns-pkcs11/Makefile
|
||||
+ lib/ns-pkcs11/include/Makefile
|
||||
+ lib/ns-pkcs11/include/ns/Makefile
|
||||
+ lib/ns-pkcs11/tests/Makefile
|
||||
make/Makefile
|
||||
make/mkdep
|
||||
unit/unittest.sh
|
||||
diff --git a/lib/Makefile.in b/lib/Makefile.in
|
||||
index 833964e..058ba2f 100644
|
||||
--- a/lib/Makefile.in
|
||||
+++ b/lib/Makefile.in
|
||||
@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
|
||||
# Attempt to disable parallel processing.
|
||||
.NOTPARALLEL:
|
||||
.NO_PARALLEL:
|
||||
-SUBDIRS = isc isccc dns ns isccfg bind9 irs
|
||||
+SUBDIRS = isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs
|
||||
TARGETS =
|
||||
|
||||
@BIND9_MAKE_RULES@
|
||||
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
|
||||
index 58bda3c..d6a45df 100644
|
||||
--- a/lib/dns-pkcs11/Makefile.in
|
||||
+++ b/lib/dns-pkcs11/Makefile.in
|
||||
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
|
||||
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
|
||||
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
|
||||
${ISC_INCLUDES} \
|
||||
${FSTRM_CFLAGS} \
|
||||
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
|
||||
@@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
|
||||
${LMDB_CFLAGS} \
|
||||
${MAXMINDDB_CFLAGS}
|
||||
|
||||
-CDEFINES = @USE_GSSAPI@
|
||||
+CDEFINES = @USE_GSSAPI@ @USE_PKCS11@
|
||||
|
||||
CWARNINGS =
|
||||
|
||||
@@ -135,15 +135,15 @@ version.@O@: version.c
|
||||
-DMAPAPI=\"${MAPAPI}\" \
|
||||
-c ${srcdir}/version.c
|
||||
|
||||
-libdns.@SA@: ${OBJS}
|
||||
+libdns-pkcs11.@SA@: ${OBJS}
|
||||
${AR} ${ARFLAGS} $@ ${OBJS}
|
||||
${RANLIB} $@
|
||||
|
||||
-libdns.la: ${OBJS}
|
||||
+libdns-pkcs11.la: ${OBJS}
|
||||
${LIBTOOL_MODE_LINK} \
|
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
|
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
|
||||
-release "${VERSION}" \
|
||||
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
|
||||
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
|
||||
|
||||
include: gen
|
||||
${MAKE} include/dns/enumtype.h
|
||||
@@ -174,22 +174,22 @@ gen: gen.c
|
||||
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
|
||||
${BUILD_LIBS} ${LFS_LIBS}
|
||||
|
||||
-timestamp: include libdns.@A@
|
||||
+timestamp: include libdns-pkcs11.@A@
|
||||
touch timestamp
|
||||
|
||||
-testdirs: libdns.@A@
|
||||
+testdirs: libdns-pkcs11.@A@
|
||||
|
||||
installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
|
||||
|
||||
install:: timestamp installdirs
|
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
|
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
|
||||
|
||||
uninstall::
|
||||
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
|
||||
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
|
||||
|
||||
clean distclean::
|
||||
- rm -f libdns.@A@ timestamp
|
||||
+ rm -f libdns-pkcs11.@A@ timestamp
|
||||
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
|
||||
rm -f include/dns/rdatastruct.h
|
||||
rm -f dnstap.pb-c.c dnstap.pb-c.h
|
||||
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
|
||||
index 3bb5e01..c96fe7d 100644
|
||||
--- a/lib/dns-pkcs11/tests/Makefile.in
|
||||
+++ b/lib/dns-pkcs11/tests/Makefile.in
|
||||
@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@
|
||||
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
-CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
|
||||
+CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
|
||||
${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \
|
||||
${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
|
||||
-CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\""
|
||||
+CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
|
||||
|
||||
ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
|
||||
ISCDEPLIBS = ../../isc/libisc.@A@
|
||||
-DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||
-DNSDEPLIBS = ../libdns.@A@
|
||||
+DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||
+DNSDEPLIBS = ../libdns-pkcs11.@A@
|
||||
|
||||
LIBS = @LIBS@ @CMOCKA_LIBS@
|
||||
|
||||
diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
|
||||
index bc683ce..7a9d2f2 100644
|
||||
--- a/lib/ns-pkcs11/Makefile.in
|
||||
+++ b/lib/ns-pkcs11/Makefile.in
|
||||
@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
|
||||
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
-CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \
|
||||
- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
|
||||
+CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \
|
||||
+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
|
||||
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
|
||||
${FSTRM_CFLAGS}
|
||||
|
||||
-CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\"
|
||||
+CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
|
||||
|
||||
CWARNINGS =
|
||||
|
||||
@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@
|
||||
|
||||
ISCDEPLIBS = ../../lib/isc/libisc.@A@
|
||||
|
||||
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||
|
||||
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
|
||||
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
|
||||
|
||||
LIBS = @LIBS@
|
||||
|
||||
@@ -60,28 +60,28 @@ version.@O@: version.c
|
||||
-DMAJOR=\"${MAJOR}\" \
|
||||
-c ${srcdir}/version.c
|
||||
|
||||
-libns.@SA@: ${OBJS}
|
||||
+libns-pkcs11.@SA@: ${OBJS}
|
||||
${AR} ${ARFLAGS} $@ ${OBJS}
|
||||
${RANLIB} $@
|
||||
|
||||
-libns.la: ${OBJS}
|
||||
+libns-pkcs11.la: ${OBJS}
|
||||
${LIBTOOL_MODE_LINK} \
|
||||
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \
|
||||
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \
|
||||
-release "${VERSION}" \
|
||||
- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
|
||||
+ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
|
||||
|
||||
-timestamp: libns.@A@
|
||||
+timestamp: libns-pkcs11.@A@
|
||||
touch timestamp
|
||||
|
||||
installdirs:
|
||||
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
|
||||
|
||||
install:: timestamp installdirs
|
||||
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \
|
||||
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \
|
||||
${DESTDIR}${libdir}
|
||||
|
||||
uninstall::
|
||||
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@
|
||||
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@
|
||||
|
||||
clean distclean::
|
||||
- rm -f libns.@A@ timestamp
|
||||
+ rm -f libns-pkcs11.@A@ timestamp
|
||||
diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in
|
||||
index 4c3e694..c1b6d99 100644
|
||||
--- a/lib/ns-pkcs11/tests/Makefile.in
|
||||
+++ b/lib/ns-pkcs11/tests/Makefile.in
|
||||
@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@
|
||||
|
||||
WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach
|
||||
|
||||
-CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
|
||||
+CINCLUDES = -I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
|
||||
${OPENSSL_CFLAGS} \
|
||||
@CMOCKA_CFLAGS@
|
||||
-CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
|
||||
+CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@
|
||||
|
||||
ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
|
||||
ISCDEPLIBS = ../../isc/libisc.@A@
|
||||
-DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||
-DNSDEPLIBS = ../../dns/libdns.@A@
|
||||
-NSLIBS = ../libns.@A@
|
||||
-NSDEPLIBS = ../libns.@A@
|
||||
+DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||
+DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@
|
||||
+NSLIBS = ../libns-pkcs11.@A@
|
||||
+NSDEPLIBS = ../libns-pkcs11.@A@
|
||||
|
||||
LIBS = @LIBS@ @CMOCKA_LIBS@
|
||||
|
||||
diff --git a/make/includes.in b/make/includes.in
|
||||
index b8317d3..b73b0c4 100644
|
||||
--- a/make/includes.in
|
||||
+++ b/make/includes.in
|
||||
@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
|
||||
|
||||
TEST_INCLUDES = \
|
||||
-I${top_srcdir}/lib/tests/include
|
||||
+
|
||||
+DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \
|
||||
+ -I${top_srcdir}/lib/dns-pkcs11/include
|
||||
+
|
||||
+NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \
|
||||
+ -I${top_srcdir}/lib/ns-pkcs11/include
|
||||
+
|
||||
--
|
||||
2.26.3
|
||||
|
@ -0,0 +1,59 @@
|
||||
From e645046202006750f87531e21e3ff7c26fba3466 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Wed, 30 Jan 2019 14:37:17 +0100
|
||||
Subject: [PATCH] Create feature-test in source directory
|
||||
|
||||
Feature-test tool is used in system tests to test compiled in changes.
|
||||
Because we build more variants of named with different configuration,
|
||||
compile feature-test for each of them this way.
|
||||
---
|
||||
bin/named/Makefile.in | 12 +++++++++++-
|
||||
bin/tests/system/conf.sh.in | 2 +-
|
||||
2 files changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
|
||||
index 37053a7..ed9add2 100644
|
||||
--- a/bin/named/Makefile.in
|
||||
+++ b/bin/named/Makefile.in
|
||||
@@ -91,7 +91,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
|
||||
|
||||
SUBDIRS = unix
|
||||
|
||||
-TARGETS = named@EXEEXT@
|
||||
+TARGETS = named@EXEEXT@ feature-test@EXEEXT@
|
||||
|
||||
GEOIP2LINKOBJS = geoip.@O@
|
||||
|
||||
@@ -154,6 +154,16 @@ named@EXEEXT@: ${OBJS} ${DEPLIBS}
|
||||
export BASEOBJS="${OBJS} ${UOBJS}"; \
|
||||
${FINALBUILDCMD}
|
||||
|
||||
+# Bit of hack, do not produce intermediate .o object for featuretest
|
||||
+feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
|
||||
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
|
||||
+ -c ${top_srcdir}/bin/tests/system/feature-test.c
|
||||
+
|
||||
+feature-test@EXEEXT@: feature-test.@O@
|
||||
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
|
||||
+ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
|
||||
+
|
||||
+
|
||||
clean distclean maintainer-clean::
|
||||
rm -f ${TARGETS} ${OBJS}
|
||||
|
||||
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
|
||||
index 7934930..e84fde2 100644
|
||||
--- a/bin/tests/system/conf.sh.in
|
||||
+++ b/bin/tests/system/conf.sh.in
|
||||
@@ -37,7 +37,7 @@ DELV=$TOP/bin/delv/delv
|
||||
DIG=$TOP/bin/dig/dig
|
||||
DNSTAPREAD=$TOP/bin/tools/dnstap-read
|
||||
DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
|
||||
-FEATURETEST=$TOP/bin/tests/system/feature-test
|
||||
+FEATURETEST=$TOP/bin/named/feature-test
|
||||
FSTRM_CAPTURE=@FSTRM_CAPTURE@
|
||||
HOST=$TOP/bin/dig/host
|
||||
IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,959 @@
|
||||
From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
||||
Subject: [PATCH] FIPS tests changes
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Squashed commit of the following:
|
||||
|
||||
commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 20:35:13 2018 +0100
|
||||
|
||||
Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
|
||||
|
||||
commit ab303db70082db76ecf36493d0b82ef3e8750cad
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 18:11:10 2018 +0100
|
||||
|
||||
Changed root key to be RSASHA256
|
||||
|
||||
Change bad trusted key to be the same algorithm.
|
||||
|
||||
commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 16:56:17 2018 +0100
|
||||
|
||||
Change used key to not use hmac-md5
|
||||
|
||||
Fix upforwd test, do not use hmac-md5
|
||||
|
||||
commit aec891571626f053acfb4d0a247240cbc21a84e9
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 15:54:11 2018 +0100
|
||||
|
||||
Increase bitsize of DSA key to pass FIPS 140-2 mode.
|
||||
|
||||
commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 15:41:08 2018 +0100
|
||||
|
||||
Fix tsig and rndc tests for disabled md5
|
||||
|
||||
Use hmac-sha256 instead of hmac-md5.
|
||||
|
||||
commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 13:21:00 2018 +0100
|
||||
|
||||
Add md5 availability detection to featuretest
|
||||
|
||||
commit f389a918803e2853e4b55fed62765dc4a492e34f
|
||||
Author: Petr Menšík <pemensik@redhat.com>
|
||||
Date: Wed Mar 7 10:44:23 2018 +0100
|
||||
|
||||
Change tests to not use hmac-md5 algorithms if not required
|
||||
|
||||
Use hmac-sha256 instead of default hmac-md5 for allow-query
|
||||
---
|
||||
bin/tests/system/acl/ns2/named1.conf.in | 4 +-
|
||||
bin/tests/system/acl/ns2/named2.conf.in | 4 +-
|
||||
bin/tests/system/acl/ns2/named3.conf.in | 6 +-
|
||||
bin/tests/system/acl/ns2/named4.conf.in | 4 +-
|
||||
bin/tests/system/acl/ns2/named5.conf.in | 4 +-
|
||||
bin/tests/system/acl/tests.sh | 32 ++++-----
|
||||
.../system/allow-query/ns2/named10.conf.in | 2 +-
|
||||
.../system/allow-query/ns2/named11.conf.in | 4 +-
|
||||
.../system/allow-query/ns2/named12.conf.in | 2 +-
|
||||
.../system/allow-query/ns2/named30.conf.in | 2 +-
|
||||
.../system/allow-query/ns2/named31.conf.in | 4 +-
|
||||
.../system/allow-query/ns2/named32.conf.in | 2 +-
|
||||
.../system/allow-query/ns2/named40.conf.in | 4 +-
|
||||
bin/tests/system/allow-query/tests.sh | 18 ++---
|
||||
bin/tests/system/catz/ns1/named.conf.in | 2 +-
|
||||
bin/tests/system/catz/ns2/named.conf.in | 2 +-
|
||||
bin/tests/system/checkconf/bad-tsig.conf | 2 +-
|
||||
bin/tests/system/checkconf/good.conf | 2 +-
|
||||
bin/tests/system/feature-test.c | 14 ++++
|
||||
bin/tests/system/notify/ns5/named.conf.in | 6 +-
|
||||
bin/tests/system/notify/tests.sh | 6 +-
|
||||
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
|
||||
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
|
||||
bin/tests/system/nsupdate/setup.sh | 6 +-
|
||||
bin/tests/system/nsupdate/tests.sh | 15 +++--
|
||||
bin/tests/system/rndc/setup.sh | 2 +-
|
||||
bin/tests/system/rndc/tests.sh | 23 ++++---
|
||||
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
|
||||
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
|
||||
bin/tests/system/tsig/setup.sh | 5 ++
|
||||
bin/tests/system/tsig/tests.sh | 65 ++++++++++++-------
|
||||
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
|
||||
bin/tests/system/upforwd/tests.sh | 2 +-
|
||||
33 files changed, 162 insertions(+), 108 deletions(-)
|
||||
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
|
||||
index 60f22e1..249f672 100644
|
||||
--- a/bin/tests/system/acl/ns2/named1.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named1.conf.in
|
||||
@@ -33,12 +33,12 @@ options {
|
||||
};
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
|
||||
index ada97bc..f82d858 100644
|
||||
--- a/bin/tests/system/acl/ns2/named2.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named2.conf.in
|
||||
@@ -33,12 +33,12 @@ options {
|
||||
};
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
|
||||
index 97684e4..de6a2e9 100644
|
||||
--- a/bin/tests/system/acl/ns2/named3.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named3.conf.in
|
||||
@@ -33,17 +33,17 @@ options {
|
||||
};
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key three {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
|
||||
index 462b3fa..994b35c 100644
|
||||
--- a/bin/tests/system/acl/ns2/named4.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named4.conf.in
|
||||
@@ -33,12 +33,12 @@ options {
|
||||
};
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
|
||||
index 728da58..8f00d09 100644
|
||||
--- a/bin/tests/system/acl/ns2/named5.conf.in
|
||||
+++ b/bin/tests/system/acl/ns2/named5.conf.in
|
||||
@@ -35,12 +35,12 @@ options {
|
||||
};
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
|
||||
index be59d64..13d5bdc 100644
|
||||
--- a/bin/tests/system/acl/tests.sh
|
||||
+++ b/bin/tests/system/acl/tests.sh
|
||||
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
|
||||
# key "one" should fail
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
|
||||
# any other key should be fine
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
copy_setports ns2/named2.conf.in ns2/named.conf
|
||||
@@ -39,18 +39,18 @@ sleep 5
|
||||
# prefix 10/8 should fail
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# any other address should work, as long as it sends key "one"
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
echo_i "testing nested ACL processing"
|
||||
@@ -62,31 +62,31 @@ sleep 5
|
||||
# should succeed
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should succeed
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should succeed
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should succeed
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# but only one or the other should fail
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
t=`expr $t + 1`
|
||||
@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
|
||||
# and other values? right out
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
|
||||
@@ -108,31 +108,31 @@ sleep 5
|
||||
# should succeed
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should succeed
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should fail
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should fail
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
# should fail
|
||||
t=`expr $t + 1`
|
||||
$DIG $DIGOPTS tsigzone. \
|
||||
- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||
+ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||
|
||||
echo_i "testing allow-query-on ACL processing"
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
index 7d43e36..f7b25f9 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||
@@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
index 2952518..121557e 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||
@@ -10,12 +10,12 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234efgh8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
index 0c01071..ceabbb5 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||
@@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
index 4c17292..9cd9d1f 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||
@@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
index a2690a4..f488730 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||
@@ -10,12 +10,12 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234efgh8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
index a0708c8..51fa457 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||
@@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
index 687768e..d24d6d2 100644
|
||||
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||
@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
|
||||
acl badaccept { 10.53.0.1; };
|
||||
|
||||
key one {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
key two {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "1234efgh8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
|
||||
index fe40635..543c663 100644
|
||||
--- a/bin/tests/system/allow-query/tests.sh
|
||||
+++ b/bin/tests/system/allow-query/tests.sh
|
||||
@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: key allowed - query allowed"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: key not allowed - query refused"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: key disallowed - query refused"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: views key allowed - query allowed"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: views key not allowed - query refused"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
|
||||
|
||||
echo_i "test $n: views key disallowed - query refused"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -500,7 +500,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "test $n: zone key allowed - query allowed"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -510,7 +510,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "test $n: zone key not allowed - query refused"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
@@ -520,7 +520,7 @@ status=`expr $status + $ret`
|
||||
n=`expr $n + 1`
|
||||
echo_i "test $n: zone key disallowed - query refused"
|
||||
ret=0
|
||||
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
|
||||
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
|
||||
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
|
||||
index 1218669..e62715e 100644
|
||||
--- a/bin/tests/system/catz/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/catz/ns1/named.conf.in
|
||||
@@ -61,5 +61,5 @@ zone "catalog4.example" {
|
||||
|
||||
key tsig_key. {
|
||||
secret "LSAnCU+Z";
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
};
|
||||
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
|
||||
index 30333e6..4005152 100644
|
||||
--- a/bin/tests/system/catz/ns2/named.conf.in
|
||||
+++ b/bin/tests/system/catz/ns2/named.conf.in
|
||||
@@ -70,5 +70,5 @@ zone "catalog4.example" {
|
||||
|
||||
key tsig_key. {
|
||||
secret "LSAnCU+Z";
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
};
|
||||
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
|
||||
index 21be03e..e57c308 100644
|
||||
--- a/bin/tests/system/checkconf/bad-tsig.conf
|
||||
+++ b/bin/tests/system/checkconf/bad-tsig.conf
|
||||
@@ -11,7 +11,7 @@
|
||||
|
||||
/* Bad secret */
|
||||
key "badtsig" {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha256;
|
||||
secret "jEdD+BPKg==";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
|
||||
index e09b9e8..2e824b3 100644
|
||||
--- a/bin/tests/system/checkconf/good.conf
|
||||
+++ b/bin/tests/system/checkconf/good.conf
|
||||
@@ -210,6 +210,6 @@ dyndb "name" "library.so" {
|
||||
system;
|
||||
};
|
||||
key "mykey" {
|
||||
- algorithm "hmac-md5";
|
||||
+ algorithm "hmac-sha256";
|
||||
secret "qwertyuiopasdfgh";
|
||||
};
|
||||
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
|
||||
index 877504f..577660a 100644
|
||||
--- a/bin/tests/system/feature-test.c
|
||||
+++ b/bin/tests/system/feature-test.c
|
||||
@@ -14,6 +14,7 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
+#include <isc/md.h>
|
||||
#include <isc/net.h>
|
||||
#include <isc/print.h>
|
||||
#include <isc/util.h>
|
||||
@@ -186,6 +187,19 @@ main(int argc, char **argv) {
|
||||
#endif /* ifdef DLZ_FILESYSTEM */
|
||||
}
|
||||
|
||||
+ if (strcmp(argv[1], "--md5") == 0) {
|
||||
+ unsigned char digest[ISC_MAX_MD_SIZE];
|
||||
+ const unsigned char test[] = "test";
|
||||
+ unsigned int size = sizeof(digest);
|
||||
+
|
||||
+ if (isc_md(ISC_MD_MD5, test, sizeof(test),
|
||||
+ digest, &size) == ISC_R_SUCCESS) {
|
||||
+ return (0);
|
||||
+ } else {
|
||||
+ return (1);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (strcmp(argv[1], "--with-idn") == 0) {
|
||||
#ifdef HAVE_LIBIDN2
|
||||
return (0);
|
||||
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
|
||||
index 1ee8df4..2b75d9a 100644
|
||||
--- a/bin/tests/system/notify/ns5/named.conf.in
|
||||
+++ b/bin/tests/system/notify/ns5/named.conf.in
|
||||
@@ -10,17 +10,17 @@
|
||||
*/
|
||||
|
||||
key "a" {
|
||||
- algorithm "hmac-md5";
|
||||
+ algorithm "hmac-sha256";
|
||||
secret "aaaaaaaaaaaaaaaaaaaa";
|
||||
};
|
||||
|
||||
key "b" {
|
||||
- algorithm "hmac-md5";
|
||||
+ algorithm "hmac-sha256";
|
||||
secret "bbbbbbbbbbbbbbbbbbbb";
|
||||
};
|
||||
|
||||
key "c" {
|
||||
- algorithm "hmac-md5";
|
||||
+ algorithm "hmac-sha256";
|
||||
secret "cccccccccccccccccccc";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
|
||||
index 3d7e0b7..ec4d9a7 100644
|
||||
--- a/bin/tests/system/notify/tests.sh
|
||||
+++ b/bin/tests/system/notify/tests.sh
|
||||
@@ -212,16 +212,16 @@ ret=0
|
||||
$NSUPDATE << EOF
|
||||
server 10.53.0.5 ${PORT}
|
||||
zone x21
|
||||
-key a aaaaaaaaaaaaaaaaaaaa
|
||||
+key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
|
||||
update add added.x21 0 in txt "test string"
|
||||
send
|
||||
EOF
|
||||
|
||||
for i in 1 2 3 4 5 6 7 8 9
|
||||
do
|
||||
- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
|
||||
+ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
|
||||
txt > dig.out.b.ns5.test$n || ret=1
|
||||
- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
|
||||
+ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
|
||||
txt > dig.out.c.ns5.test$n || ret=1
|
||||
grep "test string" dig.out.b.ns5.test$n > /dev/null &&
|
||||
grep "test string" dig.out.c.ns5.test$n > /dev/null &&
|
||||
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
index b51e700..436c97d 100644
|
||||
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
@@ -37,7 +37,7 @@ controls {
|
||||
};
|
||||
|
||||
key altkey {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha512;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
index da6b3b4..c547e47 100644
|
||||
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||
@@ -32,7 +32,7 @@ controls {
|
||||
};
|
||||
|
||||
key altkey {
|
||||
- algorithm hmac-md5;
|
||||
+ algorithm hmac-sha512;
|
||||
secret "1234abcd8765";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
|
||||
index c055da3..4e1242b 100644
|
||||
--- a/bin/tests/system/nsupdate/setup.sh
|
||||
+++ b/bin/tests/system/nsupdate/setup.sh
|
||||
@@ -56,7 +56,11 @@ EOF
|
||||
|
||||
$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
|
||||
|
||||
-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
||||
+if $FEATURETEST --md5; then
|
||||
+ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
||||
+else
|
||||
+ echo -n > ns1/md5.key
|
||||
+fi
|
||||
$DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
|
||||
$DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
|
||||
$DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
|
||||
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||
index b35d797..41c128e 100755
|
||||
--- a/bin/tests/system/nsupdate/tests.sh
|
||||
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||
@@ -797,7 +797,14 @@ fi
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
|
||||
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
|
||||
+else
|
||||
+ ALGS="sha1 sha224 sha256 sha384 sha512"
|
||||
+ echo_i "skipping disabled md5 algorithm"
|
||||
+fi
|
||||
+for alg in $ALGS; do
|
||||
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
||||
@@ -805,7 +812,7 @@ send
|
||||
END
|
||||
done
|
||||
sleep 2
|
||||
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||
+for alg in $ALGS; do
|
||||
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
|
||||
done
|
||||
if [ $ret -ne 0 ]; then
|
||||
@@ -816,7 +823,7 @@ fi
|
||||
n=`expr $n + 1`
|
||||
ret=0
|
||||
echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
|
||||
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||
+for alg in $ALGS; do
|
||||
secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
|
||||
$NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
|
||||
server 10.53.0.1 ${PORT}
|
||||
@@ -825,7 +832,7 @@ send
|
||||
END
|
||||
done
|
||||
sleep 2
|
||||
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||
+for alg in $ALGS; do
|
||||
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
|
||||
done
|
||||
if [ $ret -ne 0 ]; then
|
||||
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
|
||||
index b59e7a7..04d5f5a 100644
|
||||
--- a/bin/tests/system/rndc/setup.sh
|
||||
+++ b/bin/tests/system/rndc/setup.sh
|
||||
@@ -33,7 +33,7 @@ make_key () {
|
||||
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
||||
}
|
||||
|
||||
-make_key 1 ${EXTRAPORT1} hmac-md5
|
||||
+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
|
||||
make_key 2 ${EXTRAPORT2} hmac-sha1
|
||||
make_key 3 ${EXTRAPORT3} hmac-sha224
|
||||
make_key 4 ${EXTRAPORT4} hmac-sha256
|
||||
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
|
||||
index 9fd84ed..d0b188f 100644
|
||||
--- a/bin/tests/system/rndc/tests.sh
|
||||
+++ b/bin/tests/system/rndc/tests.sh
|
||||
@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
-echo_i "testing rndc with hmac-md5 ($n)"
|
||||
-ret=0
|
||||
-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
||||
-for i in 2 3 4 5 6
|
||||
-do
|
||||
- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||
-done
|
||||
-if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
-status=`expr $status + $ret`
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ echo_i "testing rndc with hmac-md5 ($n)"
|
||||
+ ret=0
|
||||
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
||||
+ for i in 2 3 4 5 6
|
||||
+ do
|
||||
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||
+ done
|
||||
+ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
+ status=`expr $status + $ret`
|
||||
+else
|
||||
+ echo_i "skipping rndc with hmac-md5 ($n)"
|
||||
+fi
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "testing rndc with hmac-sha1 ($n)"
|
||||
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
|
||||
index 3470c4f..cf539cd 100644
|
||||
--- a/bin/tests/system/tsig/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/tsig/ns1/named.conf.in
|
||||
@@ -21,10 +21,7 @@ options {
|
||||
notify no;
|
||||
};
|
||||
|
||||
-key "md5" {
|
||||
- secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
- algorithm hmac-md5;
|
||||
-};
|
||||
+# md5 key appended by setup.sh at the end
|
||||
|
||||
key "sha1" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
@@ -51,10 +48,7 @@ key "sha512" {
|
||||
algorithm hmac-sha512;
|
||||
};
|
||||
|
||||
-key "md5-trunc" {
|
||||
- secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
- algorithm hmac-md5-80;
|
||||
-};
|
||||
+# md5-trunc key appended by setup.sh at the end
|
||||
|
||||
key "sha1-trunc" {
|
||||
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
new file mode 100644
|
||||
index 0000000..0682194
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||
@@ -0,0 +1,10 @@
|
||||
+# Conditionally included when support for MD5 is available
|
||||
+key "md5" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5;
|
||||
+};
|
||||
+
|
||||
+key "md5-trunc" {
|
||||
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||
+ algorithm hmac-md5-80;
|
||||
+};
|
||||
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
|
||||
index e3b4a45..ae21d04 100644
|
||||
--- a/bin/tests/system/tsig/setup.sh
|
||||
+++ b/bin/tests/system/tsig/setup.sh
|
||||
@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
|
||||
$SHELL clean.sh
|
||||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
+
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ cat ns1/rndc5.conf.in >> ns1/named.conf
|
||||
+fi
|
||||
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
||||
index 38d842a..668aa6f 100644
|
||||
--- a/bin/tests/system/tsig/tests.sh
|
||||
+++ b/bin/tests/system/tsig/tests.sh
|
||||
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
|
||||
|
||||
status=0
|
||||
|
||||
-echo_i "fetching using hmac-md5 (old form)"
|
||||
-ret=0
|
||||
-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
||||
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
-fi
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ echo_i "fetching using hmac-md5 (old form)"
|
||||
+ ret=0
|
||||
+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
||||
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
||||
+ if [ $ret -eq 1 ] ; then
|
||||
+ echo_i "failed"; status=1
|
||||
+ fi
|
||||
|
||||
-echo_i "fetching using hmac-md5 (new form)"
|
||||
-ret=0
|
||||
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
+ echo_i "fetching using hmac-md5 (new form)"
|
||||
+ ret=0
|
||||
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||
+ if [ $ret -eq 1 ] ; then
|
||||
+ echo_i "failed"; status=1
|
||||
+ fi
|
||||
+else
|
||||
+ echo_i "skipping using hmac-md5"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1"
|
||||
@@ -87,12 +92,17 @@ fi
|
||||
# Truncated TSIG
|
||||
#
|
||||
#
|
||||
-echo_i "fetching using hmac-md5 (trunc)"
|
||||
-ret=0
|
||||
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
||||
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ echo_i "fetching using hmac-md5 (trunc)"
|
||||
+ ret=0
|
||||
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
||||
+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
||||
+ if [ $ret -eq 1 ] ; then
|
||||
+ echo_i "failed"; status=1
|
||||
+ fi
|
||||
+else
|
||||
+ echo_i "skipping using hmac-md5 (trunc)"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1 (trunc)"
|
||||
@@ -141,12 +151,17 @@ fi
|
||||
# Check for bad truncation.
|
||||
#
|
||||
#
|
||||
-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
||||
-ret=0
|
||||
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
||||
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
||||
-if [ $ret -eq 1 ] ; then
|
||||
- echo_i "failed"; status=1
|
||||
+if $FEATURETEST --md5
|
||||
+then
|
||||
+ echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
||||
+ ret=0
|
||||
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
||||
+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
||||
+ if [ $ret -eq 1 ] ; then
|
||||
+ echo_i "failed"; status=1
|
||||
+ fi
|
||||
+else
|
||||
+ echo_i "skipping using hmac-md5-80 (BADTRUNC)"
|
||||
fi
|
||||
|
||||
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
|
||||
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
index 3873c7c..b359a5a 100644
|
||||
--- a/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
|
||||
@@ -10,7 +10,7 @@
|
||||
*/
|
||||
|
||||
key "update.example." {
|
||||
- algorithm "hmac-md5";
|
||||
+ algorithm "hmac-sha256";
|
||||
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
||||
index a50c896..8062d68 100644
|
||||
--- a/bin/tests/system/upforwd/tests.sh
|
||||
+++ b/bin/tests/system/upforwd/tests.sh
|
||||
@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||
|
||||
echo_i "updating zone (signed) ($n)"
|
||||
ret=0
|
||||
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
||||
+$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
||||
server 10.53.0.3 ${PORT}
|
||||
update add updated.example. 600 A 10.10.10.1
|
||||
update add updated.example. 600 TXT Foo
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,58 @@
|
||||
From 1241f2005d08673c28a595c5a6cd61350b95a929 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Tue, 2 Jan 2018 18:13:07 +0100
|
||||
Subject: [PATCH] Fix pkcs11 variants atf tests
|
||||
|
||||
Add dns-pkcs11 tests Makefile to configure
|
||||
|
||||
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
|
||||
---
|
||||
configure.ac | 1 +
|
||||
lib/Kyuafile | 2 ++
|
||||
lib/dns-pkcs11/tests/dh_test.c | 3 ++-
|
||||
3 files changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index d80ae31..0fb9328 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([
|
||||
lib/dns-pkcs11/include/Makefile
|
||||
lib/dns-pkcs11/include/dns/Makefile
|
||||
lib/dns-pkcs11/include/dst/Makefile
|
||||
+ lib/dns-pkcs11/tests/Makefile
|
||||
lib/irs/Makefile
|
||||
lib/irs/include/Makefile
|
||||
lib/irs/include/irs/Makefile
|
||||
diff --git a/lib/Kyuafile b/lib/Kyuafile
|
||||
index 39ce986..037e5ef 100644
|
||||
--- a/lib/Kyuafile
|
||||
+++ b/lib/Kyuafile
|
||||
@@ -2,8 +2,10 @@ syntax(2)
|
||||
test_suite('bind9')
|
||||
|
||||
include('dns/Kyuafile')
|
||||
+include('dns-pkcs11/Kyuafile')
|
||||
include('irs/Kyuafile')
|
||||
include('isc/Kyuafile')
|
||||
include('isccc/Kyuafile')
|
||||
include('isccfg/Kyuafile')
|
||||
include('ns/Kyuafile')
|
||||
+include('ns-pkcs11/Kyuafile')
|
||||
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
|
||||
index 934e8fd..658d1af 100644
|
||||
--- a/lib/dns-pkcs11/tests/dh_test.c
|
||||
+++ b/lib/dns-pkcs11/tests/dh_test.c
|
||||
@@ -87,7 +87,8 @@ dh_computesecret(void **state) {
|
||||
result = dst_key_computesecret(key, key, &buf);
|
||||
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
|
||||
result = key->func->computesecret(key, key, &buf);
|
||||
- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
|
||||
+ /* PKCS11 variant gives different result, accept both */
|
||||
+ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
|
||||
|
||||
dst_key_free(&key);
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
@ -0,0 +1,29 @@
|
||||
From 0f03071080e7fa68433b322359d46abaca2cc5ad Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Wed, 16 Jan 2019 16:27:33 +0100
|
||||
Subject: [PATCH] Fix possible crash when loading corrupted file
|
||||
|
||||
Some values passes internal triggers by coincidence. Fix the check and
|
||||
check also first_node_offset before even passing it further.
|
||||
---
|
||||
lib/dns/rbt.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
|
||||
index 5aee5f6..7f2c2d2 100644
|
||||
--- a/lib/dns/rbt.c
|
||||
+++ b/lib/dns/rbt.c
|
||||
@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
|
||||
rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
|
||||
header->first_node_offset);
|
||||
|
||||
- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
|
||||
+ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
|
||||
+ || header->first_node_offset > filesize) {
|
||||
+
|
||||
result = ISC_R_INVALIDFILE;
|
||||
goto cleanup;
|
||||
}
|
||||
--
|
||||
2.31.1
|
||||
|
@ -0,0 +1,65 @@
|
||||
From 607cec78382b016aad0fe041f2e1895b6896c647 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Fri, 1 Mar 2019 15:48:20 +0100
|
||||
Subject: [PATCH] Make alternative named builds testable in system tests
|
||||
|
||||
Red Hat has alternative variant builds of named, which are not ever
|
||||
tested by system tests. New variables make it relatively easy to test
|
||||
alternative variants.
|
||||
|
||||
For sdb variant use:
|
||||
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
|
||||
|
||||
For pkcs variant use:
|
||||
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
|
||||
---
|
||||
bin/tests/system/conf.sh.in | 18 +++++++++---------
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
|
||||
index d859909..9152f07 100644
|
||||
--- a/bin/tests/system/conf.sh.in
|
||||
+++ b/bin/tests/system/conf.sh.in
|
||||
@@ -37,17 +37,17 @@ DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
|
||||
DELV=$TOP/bin/delv/delv
|
||||
DIG=$TOP/bin/dig/dig
|
||||
DNSTAPREAD=$TOP/bin/tools/dnstap-read
|
||||
-DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
|
||||
-FEATURETEST=$TOP/bin/named/feature-test
|
||||
+DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT}
|
||||
+FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT}
|
||||
FSTRM_CAPTURE=@FSTRM_CAPTURE@
|
||||
HOST=$TOP/bin/dig/host
|
||||
-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
|
||||
+IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT}
|
||||
JOURNALPRINT=$TOP/bin/tools/named-journalprint
|
||||
-KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
|
||||
-KEYGEN=$TOP/bin/dnssec/dnssec-keygen
|
||||
+KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT}
|
||||
+KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT}
|
||||
KEYMGR=$TOP/bin/python/dnssec-keymgr
|
||||
MDIG=$TOP/bin/tools/mdig
|
||||
-NAMED=$TOP/bin/named/named
|
||||
+NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT}
|
||||
NSEC3HASH=$TOP/bin/tools/nsec3hash
|
||||
NSLOOKUP=$TOP/bin/dig/nslookup
|
||||
NSUPDATE=$TOP/bin/nsupdate/nsupdate
|
||||
@@ -56,12 +56,12 @@ PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
|
||||
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
|
||||
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
|
||||
RESOLVE=$TOP/bin/tests/system/resolve
|
||||
-REVOKE=$TOP/bin/dnssec/dnssec-revoke
|
||||
+REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT}
|
||||
RNDC=$TOP/bin/rndc/rndc
|
||||
RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
|
||||
RRCHECKER=$TOP/bin/tools/named-rrchecker
|
||||
-SETTIME=$TOP/bin/dnssec/dnssec-settime
|
||||
-SIGNER=$TOP/bin/dnssec/dnssec-signzone
|
||||
+SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT}
|
||||
+SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT}
|
||||
TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
|
||||
VERIFY=$TOP/bin/dnssec/dnssec-verify
|
||||
WIRETEST=$TOP/bin/tests/wire_test
|
||||
--
|
||||
2.26.3
|
||||
|
@ -0,0 +1,83 @@
|
||||
From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Fri, 18 Oct 2019 21:30:52 +0200
|
||||
Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
|
||||
|
||||
Building two variants with the same common code requires to unset
|
||||
USE_PKCS11 on part of build. That is not possible with config.h value.
|
||||
Move it as normal define to CDEFINES.
|
||||
---
|
||||
bin/confgen/Makefile.in | 2 +-
|
||||
configure.ac | 8 ++++++--
|
||||
lib/dns/dst_internal.h | 12 +++++++++---
|
||||
3 files changed, 16 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
|
||||
index 1b7512d..c126bf3 100644
|
||||
--- a/bin/confgen/Makefile.in
|
||||
+++ b/bin/confgen/Makefile.in
|
||||
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
|
||||
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
|
||||
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
|
||||
|
||||
-CDEFINES =
|
||||
+CDEFINES = @USE_PKCS11@
|
||||
CWARNINGS =
|
||||
|
||||
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index f5483fe..08a7d8a 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST])
|
||||
AC_SUBST([PKCS11_TOOLS])
|
||||
AC_SUBST([PKCS11_MANS])
|
||||
|
||||
+USE_PKCS11='-DUSE_PKCS11=0'
|
||||
+USE_OPENSSL='-DUSE_OPENSSL=0'
|
||||
AC_SUBST([CRYPTO])
|
||||
AS_CASE([$CRYPTO],
|
||||
- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
|
||||
- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
|
||||
+ [pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'],
|
||||
+ [USE_OPENSSL='-DUSE_OPENSSL=1'])
|
||||
+AC_SUBST(USE_PKCS11)
|
||||
+AC_SUBST(USE_OPENSSL)
|
||||
|
||||
# preparation for automake
|
||||
# AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
|
||||
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
|
||||
index 2c3b4a3..55e9dc4 100644
|
||||
--- a/lib/dns/dst_internal.h
|
||||
+++ b/lib/dns/dst_internal.h
|
||||
@@ -38,6 +38,13 @@
|
||||
#include <isc/stdtime.h>
|
||||
#include <isc/types.h>
|
||||
|
||||
+#ifndef USE_PKCS11
|
||||
+#define USE_PKCS11 0
|
||||
+#endif
|
||||
+#ifndef USE_OPENSSL
|
||||
+#define USE_OPENSSL (! USE_PKCS11)
|
||||
+#endif
|
||||
+
|
||||
#if USE_PKCS11
|
||||
#include <pk11/pk11.h>
|
||||
#include <pk11/site.h>
|
||||
@@ -116,11 +123,10 @@ struct dst_key {
|
||||
void *generic;
|
||||
dns_gss_ctx_id_t gssctx;
|
||||
DH *dh;
|
||||
-#if USE_OPENSSL
|
||||
- EVP_PKEY *pkey;
|
||||
-#endif /* if USE_OPENSSL */
|
||||
#if USE_PKCS11
|
||||
pk11_object_t *pkey;
|
||||
+#else
|
||||
+ EVP_PKEY *pkey;
|
||||
#endif /* if USE_PKCS11 */
|
||||
dst_hmac_key_t *hmac_key;
|
||||
} keydata; /*%< pointer to key in crypto pkg fmt */
|
||||
--
|
||||
2.26.2
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,251 @@
|
||||
From 5b2798e01346cd77741873091babf6c4a3128449 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Wed, 19 Jan 2022 17:38:18 +1100
|
||||
Subject: [PATCH] Add additional name checks when using a forwarder
|
||||
|
||||
When using a forwarder, check that the owner name of response
|
||||
records are within the bailiwick of the forwarded name space.
|
||||
|
||||
(cherry picked from commit 24155213be59faad17f0215ecf73ea49ab781e5b)
|
||||
|
||||
Check that the forward declaration is unchanged and not overridden
|
||||
|
||||
If we are using a fowarder, in addition to checking that names to
|
||||
be cached are subdomains of the forwarded namespace, we must also
|
||||
check that there are no subsidiary forwarded namespaces which would
|
||||
take precedence. To be safe, we don't cache any responses if the
|
||||
forwarding configuration has changed since the query was sent.
|
||||
|
||||
(cherry picked from commit 3fc7accd88cd0890f8f57bb13765876774298ba3)
|
||||
|
||||
Check cached names for possible "forward only" clause
|
||||
|
||||
When caching additional and glue data *not* from a forwarder, we must
|
||||
check that there is no "forward only" clause covering the owner name
|
||||
that would take precedence. Such names would normally be allowed by
|
||||
baliwick rules, but a "forward only" zone introduces a new baliwick
|
||||
scope.
|
||||
|
||||
(cherry picked from commit ea06552a3d1fed56f7d3a13710e084ec79797b78)
|
||||
|
||||
Look for zones deeper than the current domain or forward name
|
||||
|
||||
When caching glue, we need to ensure that there is no closer
|
||||
source of truth for the name. If the owner name for the glue
|
||||
record would be answered by a locally configured zone, do not
|
||||
cache.
|
||||
|
||||
(cherry picked from commit 71b24210542730355149130770deea3e58d8527a)
|
||||
---
|
||||
lib/dns/resolver.c | 128 +++++++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 123 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index a7bc661bb7..7603a07b7b 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -63,6 +63,8 @@
|
||||
#include <dns/stats.h>
|
||||
#include <dns/tsig.h>
|
||||
#include <dns/validator.h>
|
||||
+#include <dns/zone.h>
|
||||
+
|
||||
#ifdef WANT_QUERYTRACE
|
||||
#define RTRACE(m) \
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, \
|
||||
@@ -337,6 +339,8 @@ struct fetchctx {
|
||||
dns_fetch_t *qminfetch;
|
||||
dns_rdataset_t qminrrset;
|
||||
dns_name_t qmindcname;
|
||||
+ dns_fixedname_t fwdfname;
|
||||
+ dns_name_t *fwdname;
|
||||
|
||||
/*%
|
||||
* The number of events we're waiting for.
|
||||
@@ -3764,6 +3768,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
fwd = ISC_LIST_HEAD(forwarders->fwdrs);
|
||||
fctx->fwdpolicy = forwarders->fwdpolicy;
|
||||
+ dns_name_copynf(domain, fctx->fwdname);
|
||||
if (fctx->fwdpolicy == dns_fwdpolicy_only &&
|
||||
isstrictsubdomain(domain, &fctx->domain))
|
||||
{
|
||||
@@ -5153,6 +5158,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
|
||||
fctx->restarts = 0;
|
||||
fctx->querysent = 0;
|
||||
fctx->referrals = 0;
|
||||
+
|
||||
+ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
|
||||
+
|
||||
TIME_NOW(&fctx->start);
|
||||
fctx->timeouts = 0;
|
||||
fctx->lamecount = 0;
|
||||
@@ -5215,6 +5223,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
|
||||
fname, &forwarders);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
fctx->fwdpolicy = forwarders->fwdpolicy;
|
||||
+ dns_name_copynf(fname, fctx->fwdname);
|
||||
}
|
||||
|
||||
if (fctx->fwdpolicy != dns_fwdpolicy_only) {
|
||||
@@ -7118,6 +7127,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
|
||||
}
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Returns true if 'name' is external to the namespace for which
|
||||
+ * the server being queried can answer, either because it's not a
|
||||
+ * subdomain or because it's below a forward declaration or a
|
||||
+ * locally served zone.
|
||||
+ */
|
||||
+static inline bool
|
||||
+name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
|
||||
+ isc_result_t result;
|
||||
+ dns_forwarders_t *forwarders = NULL;
|
||||
+ dns_fixedname_t fixed, zfixed;
|
||||
+ dns_name_t *fname = dns_fixedname_initname(&fixed);
|
||||
+ dns_name_t *zfname = dns_fixedname_initname(&zfixed);
|
||||
+ dns_name_t *apex = NULL;
|
||||
+ dns_name_t suffix;
|
||||
+ dns_zone_t *zone = NULL;
|
||||
+ unsigned int labels;
|
||||
+ dns_namereln_t rel;
|
||||
+
|
||||
+ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
|
||||
+
|
||||
+ /*
|
||||
+ * The name is outside the queried namespace.
|
||||
+ */
|
||||
+ rel = dns_name_fullcompare(name, apex, &(int){ 0 },
|
||||
+ &(unsigned int){ 0U });
|
||||
+ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
|
||||
+ return (true);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If the record lives in the parent zone, adjust the name so we
|
||||
+ * look for the correct zone or forward clause.
|
||||
+ */
|
||||
+ labels = dns_name_countlabels(name);
|
||||
+ if (dns_rdatatype_atparent(type) && labels > 1U) {
|
||||
+ dns_name_init(&suffix, NULL);
|
||||
+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
|
||||
+ name = &suffix;
|
||||
+ } else if (rel == dns_namereln_equal) {
|
||||
+ /* If 'name' is 'apex', no further checking is needed. */
|
||||
+ return (false);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If there is a locally served zone between 'apex' and 'name'
|
||||
+ * then don't cache.
|
||||
+ */
|
||||
+ LOCK(&fctx->res->view->lock);
|
||||
+ if (fctx->res->view->zonetable != NULL) {
|
||||
+ unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR;
|
||||
+ result = dns_zt_find(fctx->res->view->zonetable, name, options,
|
||||
+ zfname, &zone);
|
||||
+ if (zone != NULL) {
|
||||
+ dns_zone_detach(&zone);
|
||||
+ }
|
||||
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
|
||||
+ if (dns_name_fullcompare(zfname, apex, &(int){ 0 },
|
||||
+ &(unsigned int){ 0U }) ==
|
||||
+ dns_namereln_subdomain)
|
||||
+ {
|
||||
+ UNLOCK(&fctx->res->view->lock);
|
||||
+ return (true);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ UNLOCK(&fctx->res->view->lock);
|
||||
+
|
||||
+ /*
|
||||
+ * Look for a forward declaration below 'name'.
|
||||
+ */
|
||||
+ result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
|
||||
+ &forwarders);
|
||||
+
|
||||
+ if (ISFORWARDER(fctx->addrinfo)) {
|
||||
+ /*
|
||||
+ * See if the forwarder declaration is better.
|
||||
+ */
|
||||
+ if (result == ISC_R_SUCCESS) {
|
||||
+ return (!dns_name_equal(fname, fctx->fwdname));
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * If the lookup failed, the configuration must have
|
||||
+ * changed: play it safe and don't cache.
|
||||
+ */
|
||||
+ return (true);
|
||||
+ } else if (result == ISC_R_SUCCESS &&
|
||||
+ forwarders->fwdpolicy == dns_fwdpolicy_only &&
|
||||
+ !ISC_LIST_EMPTY(forwarders->fwdrs))
|
||||
+ {
|
||||
+ /*
|
||||
+ * If 'name' is covered by a 'forward only' clause then we
|
||||
+ * can't cache this repsonse.
|
||||
+ */
|
||||
+ return (true);
|
||||
+ }
|
||||
+
|
||||
+ return (false);
|
||||
+}
|
||||
+
|
||||
static isc_result_t
|
||||
check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
|
||||
dns_section_t section) {
|
||||
@@ -7144,7 +7254,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
|
||||
result = dns_message_findname(rctx->query->rmessage, section, addname,
|
||||
dns_rdatatype_any, 0, &name, NULL);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
- external = !dns_name_issubdomain(name, &fctx->domain);
|
||||
+ external = name_external(name, type, fctx);
|
||||
if (type == dns_rdatatype_a) {
|
||||
for (rdataset = ISC_LIST_HEAD(name->list);
|
||||
rdataset != NULL;
|
||||
@@ -8768,6 +8878,13 @@ rctx_answer_scan(respctx_t *rctx) {
|
||||
break;
|
||||
|
||||
case dns_namereln_subdomain:
|
||||
+ /*
|
||||
+ * Don't accept DNAME from parent namespace.
|
||||
+ */
|
||||
+ if (name_external(name, dns_rdatatype_dname, fctx)) {
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* In-scope DNAME records must have at least
|
||||
* as many labels as the domain being queried.
|
||||
@@ -9081,13 +9198,11 @@ rctx_authority_positive(respctx_t *rctx) {
|
||||
DNS_SECTION_AUTHORITY);
|
||||
while (!done && result == ISC_R_SUCCESS) {
|
||||
dns_name_t *name = NULL;
|
||||
- bool external;
|
||||
|
||||
dns_message_currentname(rctx->query->rmessage,
|
||||
DNS_SECTION_AUTHORITY, &name);
|
||||
- external = !dns_name_issubdomain(name, &fctx->domain);
|
||||
|
||||
- if (!external) {
|
||||
+ if (!name_external(name, dns_rdatatype_ns, fctx)) {
|
||||
dns_rdataset_t *rdataset = NULL;
|
||||
|
||||
/*
|
||||
@@ -9474,7 +9589,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
|
||||
}
|
||||
|
||||
if (!dns_name_issubdomain(name, &fctx->domain)) {
|
||||
- /* Invalid name found; preserve it for logging later */
|
||||
+ /*
|
||||
+ * Invalid name found; preserve it for logging
|
||||
+ * later.
|
||||
+ */
|
||||
rctx->found_name = name;
|
||||
rctx->found_type = ISC_LIST_HEAD(name->list)->type;
|
||||
continue;
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,81 @@
|
||||
From 33064cd077cf6fa386f0a5a840c2161868da7b3a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Tue, 8 Feb 2022 12:42:34 +0100
|
||||
Subject: [PATCH] Run .closehandle_cb asynchrounosly in nmhandle_detach_cb()
|
||||
|
||||
When sock->closehandle_cb is set, we need to run nmhandle_detach_cb()
|
||||
asynchronously to ensure correct order of multiple packets processing in
|
||||
the isc__nm_process_sock_buffer(). When not run asynchronously, it
|
||||
would cause:
|
||||
|
||||
a) out-of-order processing of the return codes from processbuffer();
|
||||
|
||||
b) stack growth because the next TCP DNS message read callback will
|
||||
be called from within the current TCP DNS message read callback.
|
||||
|
||||
The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP
|
||||
sockets which calls isc__nm_process_sock_buffer(). If the read callback
|
||||
(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't
|
||||
attach to the nmhandle (f.e. because it wants to drop the processing or
|
||||
we send the response directly via uv_try_write()), the
|
||||
isc__nm_resume_processing() (via .closehandle_cb) would call
|
||||
isc__nm_process_sock_buffer() recursively.
|
||||
|
||||
The below shortened code path shows how the stack can grow:
|
||||
|
||||
1: ns__client_request(handle, ...);
|
||||
2: isc_nm_tcpdns_sequential(handle);
|
||||
3: ns_query_start(client, handle);
|
||||
4: query_lookup(qctx);
|
||||
5: query_send(qctcx->client);
|
||||
6: isc__nmhandle_detach(&client->reqhandle);
|
||||
7: nmhandle_detach_cb(&handle);
|
||||
8: sock->closehandle_cb(sock); // isc__nm_resume_processing
|
||||
9: isc__nm_process_sock_buffer(sock);
|
||||
10: processbuffer(sock); // isc__nm_tcpdns_processbuffer
|
||||
11: isc_nmhandle_attach(req->handle, &handle);
|
||||
12: isc__nm_readcb(sock, req, ISC_R_SUCCESS);
|
||||
13: isc__nm_async_readcb(NULL, ...);
|
||||
14: uvreq->cb.recv(...); // ns__client_request
|
||||
|
||||
Instead, if 'sock->closehandle_cb' is set, we need to run detach the
|
||||
handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in
|
||||
the code flow above does not start this recursion. This ensures the
|
||||
correct order when processing multiple packets in the function
|
||||
'isc__nm_process_sock_buffer()' and prevents the stack growth.
|
||||
|
||||
When not run asynchronously, the out-of-order processing leaves the
|
||||
first TCP socket open until all requests on the stream have been
|
||||
processed.
|
||||
|
||||
If the pipelining is disabled on the TCP via `keep-response-order`
|
||||
configuration option, named would keep the first socket in lingering
|
||||
CLOSE_WAIT state when the client sends an incomplete packet and then
|
||||
closes the connection from the client side.
|
||||
|
||||
(cherry picked from commit afee2b5a7bc933a2d987907fc327a9f118fdbd17)
|
||||
---
|
||||
lib/isc/netmgr/netmgr.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
|
||||
index 3283eb6e4f..0ed3182fb6 100644
|
||||
--- a/lib/isc/netmgr/netmgr.c
|
||||
+++ b/lib/isc/netmgr/netmgr.c
|
||||
@@ -1746,8 +1746,12 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) {
|
||||
handle = *handlep;
|
||||
*handlep = NULL;
|
||||
|
||||
+ /*
|
||||
+ * If the closehandle_cb is set, it needs to run asynchronously to
|
||||
+ * ensure correct ordering of the isc__nm_process_sock_buffer().
|
||||
+ */
|
||||
sock = handle->sock;
|
||||
- if (sock->tid == isc_nm_tid()) {
|
||||
+ if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) {
|
||||
nmhandle_detach_cb(&handle FLARG_PASS);
|
||||
} else {
|
||||
isc__netievent_detach_t *event =
|
||||
--
|
||||
2.34.1
|
||||
|
@ -0,0 +1,60 @@
|
||||
From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
|
||||
Date: Thu, 8 Sep 2022 11:11:30 +0200
|
||||
Subject: [PATCH] Bound the amount of work performed for delegations
|
||||
|
||||
Limit the amount of database lookups that can be triggered in
|
||||
fctx_getaddresses() (i.e. when determining the name server addresses to
|
||||
query next) by setting a hard limit on the number of NS RRs processed
|
||||
for any delegation encountered. Without any limit in place, named can
|
||||
be forced to perform large amounts of database lookups per each query
|
||||
received, which severely impacts resolver performance.
|
||||
|
||||
The limit used (20) is an arbitrary value that is considered to be big
|
||||
enough for any sane DNS delegation.
|
||||
|
||||
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
|
||||
---
|
||||
lib/dns/resolver.c | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index d2cf14bbc8..73a0ee9f77 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -195,6 +195,12 @@
|
||||
*/
|
||||
#define NS_FAIL_LIMIT 4
|
||||
#define NS_RR_LIMIT 5
|
||||
+/*
|
||||
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
|
||||
+ * any NS RRset encountered, to avoid excessive resource use while processing
|
||||
+ * large delegations.
|
||||
+ */
|
||||
+#define NS_PROCESSING_LIMIT 20
|
||||
|
||||
/* Number of hash buckets for zone counters */
|
||||
#ifndef RES_DOMAIN_BUCKETS
|
||||
@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
bool need_alternate = false;
|
||||
bool all_spilled = true;
|
||||
unsigned int no_addresses = 0;
|
||||
+ unsigned int ns_processed = 0;
|
||||
|
||||
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
|
||||
|
||||
@@ -3902,6 +3909,11 @@ normal_nses:
|
||||
|
||||
dns_rdata_reset(&rdata);
|
||||
dns_rdata_freestruct(&ns);
|
||||
+
|
||||
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
|
||||
+ result = ISC_R_NOMORE;
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
if (result != ISC_R_NOMORE) {
|
||||
return (result);
|
||||
--
|
||||
2.37.3
|
||||
|
@ -0,0 +1,116 @@
|
||||
From 3bcd32572504ac9b92e3c6ec1e2cee3df3b68309 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 20 Sep 2022 11:34:42 +0200
|
||||
Subject: [PATCH 2/4] Fix CVE-2022-3080
|
||||
|
||||
5960. [security] Fix serve-stale crash that could happen when
|
||||
stale-answer-client-timeout was set to 0 and there was
|
||||
a stale CNAME in the cache for an incoming query.
|
||||
(CVE-2022-3080) [GL #3517]
|
||||
---
|
||||
lib/ns/include/ns/query.h | 1 +
|
||||
lib/ns/query.c | 42 ++++++++++++++++++++++++---------------
|
||||
2 files changed, 27 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h
|
||||
index 4d48cf6..34b3070 100644
|
||||
--- a/lib/ns/include/ns/query.h
|
||||
+++ b/lib/ns/include/ns/query.h
|
||||
@@ -145,6 +145,7 @@ struct query_ctx {
|
||||
bool authoritative; /* authoritative query? */
|
||||
bool want_restart; /* CNAME chain or other
|
||||
* restart needed */
|
||||
+ bool refresh_rrset; /* stale RRset refresh needed */
|
||||
bool need_wildcardproof; /* wildcard proof needed */
|
||||
bool nxrewrite; /* negative answer from RPZ */
|
||||
bool findcoveringnsec; /* lookup covering NSEC */
|
||||
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||||
index 249321c..a450cb7 100644
|
||||
--- a/lib/ns/query.c
|
||||
+++ b/lib/ns/query.c
|
||||
@@ -5686,7 +5686,6 @@ query_lookup(query_ctx_t *qctx) {
|
||||
bool dbfind_stale = false;
|
||||
bool stale_timeout = false;
|
||||
bool stale_found = false;
|
||||
- bool refresh_rrset = false;
|
||||
bool stale_refresh_window = false;
|
||||
|
||||
CCTRACE(ISC_LOG_DEBUG(3), "query_lookup");
|
||||
@@ -5868,8 +5867,7 @@ query_lookup(query_ctx_t *qctx) {
|
||||
"%s stale answer used, an attempt to "
|
||||
"refresh the RRset will still be made",
|
||||
namebuf);
|
||||
- refresh_rrset = STALE(qctx->rdataset);
|
||||
- qctx->client->nodetach = refresh_rrset;
|
||||
+ qctx->refresh_rrset = STALE(qctx->rdataset);
|
||||
}
|
||||
} else {
|
||||
/*
|
||||
@@ -5907,17 +5905,6 @@ query_lookup(query_ctx_t *qctx) {
|
||||
|
||||
result = query_gotanswer(qctx, result);
|
||||
|
||||
- if (refresh_rrset) {
|
||||
- /*
|
||||
- * If we reached this point then it means that we have found a
|
||||
- * stale RRset entry in cache and BIND is configured to allow
|
||||
- * queries to be answered with stale data if no active RRset
|
||||
- * is available, i.e. "stale-anwer-client-timeout 0". But, we
|
||||
- * still need to refresh the RRset.
|
||||
- */
|
||||
- query_refresh_rrset(qctx);
|
||||
- }
|
||||
-
|
||||
cleanup:
|
||||
return (result);
|
||||
}
|
||||
@@ -7737,11 +7724,14 @@ query_addanswer(query_ctx_t *qctx) {
|
||||
|
||||
/*
|
||||
* On normal lookups, clear any rdatasets that were added on a
|
||||
- * lookup due to stale-answer-client-timeout.
|
||||
+ * lookup due to stale-answer-client-timeout. Do not clear if we
|
||||
+ * are going to refresh the RRset, because the stale contents are
|
||||
+ * prioritized.
|
||||
*/
|
||||
if (QUERY_STALEOK(&qctx->client->query) &&
|
||||
- !QUERY_STALETIMEOUT(&qctx->client->query))
|
||||
+ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset)
|
||||
{
|
||||
+ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale");
|
||||
query_clear_stale(qctx->client);
|
||||
/*
|
||||
* We can clear the attribute to prevent redundant clearing
|
||||
@@ -11457,9 +11447,29 @@ ns_query_done(query_ctx_t *qctx) {
|
||||
/*
|
||||
* Client may have been detached after query_send(), so
|
||||
* we test and store the flag state here, for safety.
|
||||
+ * If we are refreshing the RRSet, we must not detach from the client
|
||||
+ * in the query_send(), so we need to override the flag.
|
||||
*/
|
||||
+ if (qctx->refresh_rrset) {
|
||||
+ qctx->client->nodetach = true;
|
||||
+ }
|
||||
nodetach = qctx->client->nodetach;
|
||||
query_send(qctx->client);
|
||||
+
|
||||
+ if (qctx->refresh_rrset) {
|
||||
+ /*
|
||||
+ * If we reached this point then it means that we have found a
|
||||
+ * stale RRset entry in cache and BIND is configured to allow
|
||||
+ * queries to be answered with stale data if no active RRset
|
||||
+ * is available, i.e. "stale-anwer-client-timeout 0". But, we
|
||||
+ * still need to refresh the RRset. To prevent adding duplicate
|
||||
+ * RRsets, clear the RRsets from the message before doing the
|
||||
+ * refresh.
|
||||
+ */
|
||||
+ message_clearrdataset(qctx->client->message, 0);
|
||||
+ query_refresh_rrset(qctx);
|
||||
+ }
|
||||
+
|
||||
if (!nodetach) {
|
||||
qctx->detach_client = true;
|
||||
}
|
||||
--
|
||||
2.37.3
|
||||
|
@ -0,0 +1,240 @@
|
||||
From 18036bb3f435eaa20d60093738c61e5da42a6cfe Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Thu, 1 Sep 2022 16:05:04 -0700
|
||||
Subject: [PATCH] add an update quota
|
||||
|
||||
limit the number of simultaneous DNS UPDATE events that can be
|
||||
processed by adding a quota for update and update forwarding.
|
||||
this quota currently, arbitrarily, defaults to 100.
|
||||
|
||||
also add a statistics counter to record when the update quota
|
||||
has been exceeded.
|
||||
|
||||
(cherry picked from commit 7c47254a140c3e9cf383cda73c7b6a55c4782826)
|
||||
---
|
||||
bin/named/bind9.xsl | 4 +++-
|
||||
bin/named/bind9.xsl.h | 6 +++++-
|
||||
bin/named/statschannel.c | 5 +++--
|
||||
doc/arm/reference.rst | 5 +++++
|
||||
lib/ns/include/ns/server.h | 1 +
|
||||
lib/ns/include/ns/stats.h | 4 +++-
|
||||
lib/ns/server.c | 2 ++
|
||||
lib/ns/update.c | 37 ++++++++++++++++++++++++++++++++++++-
|
||||
8 files changed, 58 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
|
||||
index 5078115..194625b 100644
|
||||
--- a/bin/named/bind9.xsl
|
||||
+++ b/bin/named/bind9.xsl
|
||||
@@ -12,7 +12,9 @@
|
||||
|
||||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
|
||||
<xsl:output method="html" indent="yes" version="4.0"/>
|
||||
- <xsl:template match="statistics[@version="3.11"]">
|
||||
+ <!-- the version number **below** must match version in bin/named/statschannel.c -->
|
||||
+ <!-- don't forget to update "/xml/v<STATS_XML_VERSION_MAJOR>" in the HTTP endpoints listed below -->
|
||||
+ <xsl:template match="statistics[@version="3.11.1"]">
|
||||
<html>
|
||||
<head>
|
||||
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
|
||||
diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
|
||||
index e30f7f5..b182742 100644
|
||||
--- a/bin/named/bind9.xsl.h
|
||||
+++ b/bin/named/bind9.xsl.h
|
||||
@@ -20,7 +20,11 @@ static char xslmsg[] =
|
||||
"<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" "
|
||||
"xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
|
||||
" <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
|
||||
- " <xsl:template match=\"statistics[@version="3.11"]\">\n"
|
||||
+ " <!-- the version number **below** must match version in "
|
||||
+ "bin/named/statschannel.c -->\n"
|
||||
+ " <!-- don't forget to update \"/xml/v<STATS_XML_VERSION_MAJOR>\" in "
|
||||
+ "the HTTP endpoints listed below -->\n"
|
||||
+ " <xsl:template match=\"statistics[@version="3.11.1"]\">\n"
|
||||
" <html>\n"
|
||||
" <head>\n"
|
||||
" <script type=\"text/javascript\" "
|
||||
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
|
||||
index 832ce93..7361ead 100644
|
||||
--- a/bin/named/statschannel.c
|
||||
+++ b/bin/named/statschannel.c
|
||||
@@ -335,6 +335,7 @@ init_desc(void) {
|
||||
SET_NSSTATDESC(reclimitdropped,
|
||||
"queries dropped due to recursive client limit",
|
||||
"RecLimitDropped");
|
||||
+ SET_NSSTATDESC(updatequota, "Update quota exceeded", "UpdateQuota");
|
||||
|
||||
INSIST(i == ns_statscounter_max);
|
||||
|
||||
@@ -2007,7 +2008,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen,
|
||||
"href=\"/bind9.xsl\""));
|
||||
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
|
||||
TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
|
||||
- ISC_XMLCHAR "3.11"));
|
||||
+ ISC_XMLCHAR "3.11.1"));
|
||||
|
||||
/* Set common fields for statistics dump */
|
||||
dumparg.type = isc_statsformat_xml;
|
||||
@@ -2876,7 +2877,7 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg,
|
||||
/*
|
||||
* These statistics are included no matter which URL we use.
|
||||
*/
|
||||
- obj = json_object_new_string("1.5");
|
||||
+ obj = json_object_new_string("1.5.1");
|
||||
CHECKMEM(obj);
|
||||
json_object_object_add(bindstats, "json-stats-version", obj);
|
||||
|
||||
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
|
||||
index 2d05aec..25c20d7 100644
|
||||
--- a/doc/arm/reference.rst
|
||||
+++ b/doc/arm/reference.rst
|
||||
@@ -6705,6 +6705,11 @@ Name Server Statistics Counters
|
||||
``UpdateBadPrereq``
|
||||
This indicates the number of dynamic updates rejected due to a prerequisite failure.
|
||||
|
||||
+``UpdateQuota``
|
||||
+ This indicates the number of times a dynamic update or update
|
||||
+ forwarding request was rejected because the number of pending
|
||||
+ requests exceeded the update quota.
|
||||
+
|
||||
``RateDropped``
|
||||
This indicates the number of responses dropped due to rate limits.
|
||||
|
||||
diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
|
||||
index 6a1f345..0abb579 100644
|
||||
--- a/lib/ns/include/ns/server.h
|
||||
+++ b/lib/ns/include/ns/server.h
|
||||
@@ -84,6 +84,7 @@ struct ns_server {
|
||||
isc_quota_t recursionquota;
|
||||
isc_quota_t tcpquota;
|
||||
isc_quota_t xfroutquota;
|
||||
+ isc_quota_t updquota;
|
||||
|
||||
/*% Test options and other configurables */
|
||||
uint32_t options;
|
||||
diff --git a/lib/ns/include/ns/stats.h b/lib/ns/include/ns/stats.h
|
||||
index 3c08799..95b15d0 100644
|
||||
--- a/lib/ns/include/ns/stats.h
|
||||
+++ b/lib/ns/include/ns/stats.h
|
||||
@@ -106,7 +106,9 @@ enum {
|
||||
|
||||
ns_statscounter_reclimitdropped = 66,
|
||||
|
||||
- ns_statscounter_max = 67,
|
||||
+ ns_statscounter_updatequota = 67,
|
||||
+
|
||||
+ ns_statscounter_max = 68,
|
||||
};
|
||||
|
||||
void
|
||||
diff --git a/lib/ns/server.c b/lib/ns/server.c
|
||||
index a970a28..540bc2e 100644
|
||||
--- a/lib/ns/server.c
|
||||
+++ b/lib/ns/server.c
|
||||
@@ -52,6 +52,7 @@ ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
|
||||
isc_quota_init(&sctx->xfroutquota, 10);
|
||||
isc_quota_init(&sctx->tcpquota, 10);
|
||||
isc_quota_init(&sctx->recursionquota, 100);
|
||||
+ isc_quota_init(&sctx->updquota, 100);
|
||||
|
||||
CHECKFATAL(dns_tkeyctx_create(mctx, &sctx->tkeyctx));
|
||||
|
||||
@@ -131,6 +132,7 @@ ns_server_detach(ns_server_t **sctxp) {
|
||||
isc_mem_put(sctx->mctx, altsecret, sizeof(*altsecret));
|
||||
}
|
||||
|
||||
+ isc_quota_destroy(&sctx->updquota);
|
||||
isc_quota_destroy(&sctx->recursionquota);
|
||||
isc_quota_destroy(&sctx->tcpquota);
|
||||
isc_quota_destroy(&sctx->xfroutquota);
|
||||
diff --git a/lib/ns/update.c b/lib/ns/update.c
|
||||
index 546b70a..1871438 100644
|
||||
--- a/lib/ns/update.c
|
||||
+++ b/lib/ns/update.c
|
||||
@@ -1544,6 +1544,19 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||
update_event_t *event = NULL;
|
||||
isc_task_t *zonetask = NULL;
|
||||
|
||||
+ result = isc_quota_attach(&client->manager->sctx->updquota,
|
||||
+ &(isc_quota_t *){ NULL });
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
|
||||
+ "update failed: too many DNS UPDATEs queued (%s)",
|
||||
+ isc_result_totext(result));
|
||||
+ ns_stats_increment(client->manager->sctx->nsstats,
|
||||
+ ns_statscounter_updatequota);
|
||||
+ ns_client_drop(client, result);
|
||||
+ isc_nmhandle_detach(&client->reqhandle);
|
||||
+ return (DNS_R_DROP);
|
||||
+ }
|
||||
+
|
||||
event = (update_event_t *)isc_event_allocate(
|
||||
client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL,
|
||||
sizeof(*event));
|
||||
@@ -1676,12 +1689,18 @@ failure:
|
||||
dns_zone_gettype(zone) == dns_zone_mirror);
|
||||
inc_stats(client, zone, ns_statscounter_updaterej);
|
||||
}
|
||||
+
|
||||
/*
|
||||
* We failed without having sent an update event to the zone.
|
||||
* We are still in the client task context, so we can
|
||||
* simply give an error response without switching tasks.
|
||||
*/
|
||||
- respond(client, result);
|
||||
+ if (result == DNS_R_DROP) {
|
||||
+ ns_client_drop(client, result);
|
||||
+ } else {
|
||||
+ respond(client, result);
|
||||
+ }
|
||||
+
|
||||
if (zone != NULL) {
|
||||
dns_zone_detach(&zone);
|
||||
}
|
||||
@@ -3489,6 +3508,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
|
||||
|
||||
respond(client, uev->result);
|
||||
|
||||
+ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
|
||||
isc_event_free(&event);
|
||||
isc_nmhandle_detach(&client->updatehandle);
|
||||
}
|
||||
@@ -3505,6 +3525,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
|
||||
INSIST(client->nupdates > 0);
|
||||
client->nupdates--;
|
||||
respond(client, DNS_R_SERVFAIL);
|
||||
+
|
||||
+ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
|
||||
isc_event_free(&event);
|
||||
isc_nmhandle_detach(&client->updatehandle);
|
||||
}
|
||||
@@ -3542,6 +3564,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
|
||||
client->nupdates--;
|
||||
ns_client_sendraw(client, uev->answer);
|
||||
dns_message_detach(&uev->answer);
|
||||
+
|
||||
+ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
|
||||
isc_event_free(&event);
|
||||
isc_nmhandle_detach(&client->updatehandle);
|
||||
}
|
||||
@@ -3576,6 +3600,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
|
||||
update_event_t *event = NULL;
|
||||
isc_task_t *zonetask = NULL;
|
||||
|
||||
+ result = isc_quota_attach(&client->manager->sctx->updquota,
|
||||
+ &(isc_quota_t *){ NULL });
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
|
||||
+ "update failed: too many DNS UPDATEs queued (%s)",
|
||||
+ isc_result_totext(result));
|
||||
+ ns_stats_increment(client->manager->sctx->nsstats,
|
||||
+ ns_statscounter_updatequota);
|
||||
+ return (DNS_R_DROP);
|
||||
+ }
|
||||
+
|
||||
event = (update_event_t *)isc_event_allocate(
|
||||
client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL,
|
||||
sizeof(*event));
|
||||
--
|
||||
2.39.2
|
||||
|
@ -0,0 +1,266 @@
|
||||
From 7fe2204a2e8952bf892e4a70fea2ef5167e1f509 Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Thu, 1 Sep 2022 16:22:46 -0700
|
||||
Subject: [PATCH] add a configuration option for the update quota
|
||||
|
||||
add an "update-quota" option to configure the update quota.
|
||||
|
||||
(cherry picked from commit f57758a7303ad0034ff2ff08eaaf2ef899630f19)
|
||||
---
|
||||
bin/named/config.c | 1 +
|
||||
bin/named/named.conf.rst | 9 +++++----
|
||||
bin/named/server.c | 1 +
|
||||
bin/tests/system/checkconf/good.conf | 1 +
|
||||
doc/arm/reference.rst | 7 ++++++-
|
||||
doc/man/named.conf.5in | 9 +++++----
|
||||
doc/misc/master.zoneopt.rst | 2 +-
|
||||
doc/misc/options | 1 +
|
||||
doc/misc/options.active | 1 +
|
||||
doc/misc/options.grammar.rst | 3 ++-
|
||||
doc/misc/slave.zoneopt.rst | 2 +-
|
||||
lib/isccfg/namedconf.c | 1 +
|
||||
12 files changed, 26 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/bin/named/config.c b/bin/named/config.c
|
||||
index 5fedee84d9..494147015f 100644
|
||||
--- a/bin/named/config.c
|
||||
+++ b/bin/named/config.c
|
||||
@@ -130,6 +130,7 @@ options {\n\
|
||||
transfers-out 10;\n\
|
||||
transfers-per-ns 2;\n\
|
||||
trust-anchor-telemetry yes;\n\
|
||||
+ update-quota 100;\n\
|
||||
\n\
|
||||
/* view */\n\
|
||||
allow-new-zones no;\n\
|
||||
diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
|
||||
index 27eed5ca3e..4c9f9a7370 100644
|
||||
--- a/bin/named/named.conf.rst
|
||||
+++ b/bin/named/named.conf.rst
|
||||
@@ -179,7 +179,7 @@ OPTIONS
|
||||
answer-cookie boolean;
|
||||
attach-cache string;
|
||||
auth-nxdomain boolean; // default changed
|
||||
- auto-dnssec ( allow | maintain | off );
|
||||
+ auto-dnssec ( allow | maintain | off );// deprecated
|
||||
automatic-interface-scan boolean;
|
||||
avoid-v4-udp-ports { portrange; ... };
|
||||
avoid-v6-udp-ports { portrange; ... };
|
||||
@@ -446,6 +446,7 @@ OPTIONS
|
||||
trust-anchor-telemetry boolean; // experimental
|
||||
try-tcp-refresh boolean;
|
||||
update-check-ksk boolean;
|
||||
+ update-quota integer;
|
||||
use-alt-transfer-source boolean;
|
||||
use-v4-udp-ports { portrange; ... };
|
||||
use-v6-udp-ports { portrange; ... };
|
||||
@@ -584,7 +585,7 @@ VIEW
|
||||
* ) ] [ dscp integer ];
|
||||
attach-cache string;
|
||||
auth-nxdomain boolean; // default changed
|
||||
- auto-dnssec ( allow | maintain | off );
|
||||
+ auto-dnssec ( allow | maintain | off );// deprecated
|
||||
cache-file quoted_string;// deprecated
|
||||
catalog-zones { zone string [ default-masters [ port integer ]
|
||||
[ dscp integer ] { ( remote-servers | ipv4_address [ port
|
||||
@@ -859,7 +860,7 @@ VIEW
|
||||
integer | * ) ] [ dscp integer ];
|
||||
alt-transfer-source-v6 ( ipv6_address | * ) [ port (
|
||||
integer | * ) ] [ dscp integer ];
|
||||
- auto-dnssec ( allow | maintain | off );
|
||||
+ auto-dnssec ( allow | maintain | off );// deprecated
|
||||
check-dup-records ( fail | warn | ignore );
|
||||
check-integrity boolean;
|
||||
check-mx ( fail | warn | ignore );
|
||||
@@ -977,7 +978,7 @@ ZONE
|
||||
] [ dscp integer ];
|
||||
alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
|
||||
* ) ] [ dscp integer ];
|
||||
- auto-dnssec ( allow | maintain | off );
|
||||
+ auto-dnssec ( allow | maintain | off );// deprecated
|
||||
check-dup-records ( fail | warn | ignore );
|
||||
check-integrity boolean;
|
||||
check-mx ( fail | warn | ignore );
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index 20443ff8a9..78a21d62a2 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -8542,6 +8542,7 @@ load_configuration(const char *filename, named_server_t *server,
|
||||
configure_server_quota(maps, "tcp-clients", &server->sctx->tcpquota);
|
||||
configure_server_quota(maps, "recursive-clients",
|
||||
&server->sctx->recursionquota);
|
||||
+ configure_server_quota(maps, "update-quota", &server->sctx->updquota);
|
||||
|
||||
max = isc_quota_getmax(&server->sctx->recursionquota);
|
||||
if (max > 1000) {
|
||||
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
|
||||
index b1f7059acf..0ecdb68e95 100644
|
||||
--- a/bin/tests/system/checkconf/good.conf
|
||||
+++ b/bin/tests/system/checkconf/good.conf
|
||||
@@ -75,6 +75,7 @@ options {
|
||||
recursive-clients 3000;
|
||||
serial-query-rate 100;
|
||||
server-id none;
|
||||
+ update-quota 200;
|
||||
check-names primary warn;
|
||||
check-names secondary ignore;
|
||||
max-cache-size 20000000000000;
|
||||
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
|
||||
index 2603d60251..703663d0ba 100644
|
||||
--- a/doc/arm/reference.rst
|
||||
+++ b/doc/arm/reference.rst
|
||||
@@ -3151,6 +3151,11 @@ system.
|
||||
value as ``tcp-keepalive-timeout``. This value can be updated at
|
||||
runtime by using ``rndc tcp-timeouts``.
|
||||
|
||||
+``update-quota``
|
||||
+ This is the maximum number of simultaneous DNS UPDATE messages that
|
||||
+ the server will accept for updating local authoritiative zones or
|
||||
+ forwarding to a primary server. The default is ``100``.
|
||||
+
|
||||
.. _intervals:
|
||||
|
||||
Periodic Task Intervals
|
||||
@@ -6840,7 +6845,7 @@ Name Server Statistics Counters
|
||||
``UpdateQuota``
|
||||
This indicates the number of times a dynamic update or update
|
||||
forwarding request was rejected because the number of pending
|
||||
- requests exceeded the update quota.
|
||||
+ requests exceeded ``update-quota``.
|
||||
|
||||
``RateDropped``
|
||||
This indicates the number of responses dropped due to rate limits.
|
||||
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
|
||||
index 4c46f47592..c87afa2881 100644
|
||||
--- a/doc/man/named.conf.5in
|
||||
+++ b/doc/man/named.conf.5in
|
||||
@@ -231,7 +231,7 @@ options {
|
||||
answer\-cookie boolean;
|
||||
attach\-cache string;
|
||||
auth\-nxdomain boolean; // default changed
|
||||
- auto\-dnssec ( allow | maintain | off );
|
||||
+ auto\-dnssec ( allow | maintain | off );// deprecated
|
||||
automatic\-interface\-scan boolean;
|
||||
avoid\-v4\-udp\-ports { portrange; ... };
|
||||
avoid\-v6\-udp\-ports { portrange; ... };
|
||||
@@ -498,6 +498,7 @@ options {
|
||||
trust\-anchor\-telemetry boolean; // experimental
|
||||
try\-tcp\-refresh boolean;
|
||||
update\-check\-ksk boolean;
|
||||
+ update\-quota integer;
|
||||
use\-alt\-transfer\-source boolean;
|
||||
use\-v4\-udp\-ports { portrange; ... };
|
||||
use\-v6\-udp\-ports { portrange; ... };
|
||||
@@ -668,7 +669,7 @@ view string [ class ] {
|
||||
* ) ] [ dscp integer ];
|
||||
attach\-cache string;
|
||||
auth\-nxdomain boolean; // default changed
|
||||
- auto\-dnssec ( allow | maintain | off );
|
||||
+ auto\-dnssec ( allow | maintain | off );// deprecated
|
||||
cache\-file quoted_string;// deprecated
|
||||
catalog\-zones { zone string [ default\-masters [ port integer ]
|
||||
[ dscp integer ] { ( remote\-servers | ipv4_address [ port
|
||||
@@ -943,7 +944,7 @@ view string [ class ] {
|
||||
integer | * ) ] [ dscp integer ];
|
||||
alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port (
|
||||
integer | * ) ] [ dscp integer ];
|
||||
- auto\-dnssec ( allow | maintain | off );
|
||||
+ auto\-dnssec ( allow | maintain | off );// deprecated
|
||||
check\-dup\-records ( fail | warn | ignore );
|
||||
check\-integrity boolean;
|
||||
check\-mx ( fail | warn | ignore );
|
||||
@@ -1065,7 +1066,7 @@ zone string [ class ] {
|
||||
] [ dscp integer ];
|
||||
alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer |
|
||||
* ) ] [ dscp integer ];
|
||||
- auto\-dnssec ( allow | maintain | off );
|
||||
+ auto\-dnssec ( allow | maintain | off );// deprecated
|
||||
check\-dup\-records ( fail | warn | ignore );
|
||||
check\-integrity boolean;
|
||||
check\-mx ( fail | warn | ignore );
|
||||
diff --git a/doc/misc/master.zoneopt.rst b/doc/misc/master.zoneopt.rst
|
||||
index 8fc7e1b4f0..346d59813e 100644
|
||||
--- a/doc/misc/master.zoneopt.rst
|
||||
+++ b/doc/misc/master.zoneopt.rst
|
||||
@@ -20,7 +20,7 @@
|
||||
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
|
||||
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
|
||||
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
|
||||
- auto-dnssec ( allow | maintain | off );
|
||||
+ auto-dnssec ( allow | maintain | off ); // deprecated
|
||||
check-dup-records ( fail | warn | ignore );
|
||||
check-integrity <boolean>;
|
||||
check-mx ( fail | warn | ignore );
|
||||
diff --git a/doc/misc/options b/doc/misc/options
|
||||
index f57399499a..0dbcf101e1 100644
|
||||
--- a/doc/misc/options
|
||||
+++ b/doc/misc/options
|
||||
@@ -404,6 +404,7 @@ options {
|
||||
trust-anchor-telemetry <boolean>; // experimental
|
||||
try-tcp-refresh <boolean>;
|
||||
update-check-ksk <boolean>;
|
||||
+ update-quota <integer>;
|
||||
use-alt-transfer-source <boolean>;
|
||||
use-id-pool <boolean>; // ancient
|
||||
use-ixfr <boolean>; // obsolete
|
||||
diff --git a/doc/misc/options.active b/doc/misc/options.active
|
||||
index 5fc1ab29f4..eb75a86eae 100644
|
||||
--- a/doc/misc/options.active
|
||||
+++ b/doc/misc/options.active
|
||||
@@ -363,6 +363,7 @@ options {
|
||||
trust-anchor-telemetry <boolean>; // experimental
|
||||
try-tcp-refresh <boolean>;
|
||||
update-check-ksk <boolean>;
|
||||
+ update-quota <integer>;
|
||||
use-alt-transfer-source <boolean>;
|
||||
use-v4-udp-ports { <portrange>; ... };
|
||||
use-v6-udp-ports { <portrange>; ... };
|
||||
diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst
|
||||
index 438072c95c..beef35341a 100644
|
||||
--- a/doc/misc/options.grammar.rst
|
||||
+++ b/doc/misc/options.grammar.rst
|
||||
@@ -33,7 +33,7 @@
|
||||
answer-cookie <boolean>;
|
||||
attach-cache <string>;
|
||||
auth-nxdomain <boolean>; // default changed
|
||||
- auto-dnssec ( allow | maintain | off );
|
||||
+ auto-dnssec ( allow | maintain | off ); // deprecated
|
||||
automatic-interface-scan <boolean>;
|
||||
avoid-v4-udp-ports { <portrange>; ... };
|
||||
avoid-v6-udp-ports { <portrange>; ... };
|
||||
@@ -300,6 +300,7 @@
|
||||
trust-anchor-telemetry <boolean>; // experimental
|
||||
try-tcp-refresh <boolean>;
|
||||
update-check-ksk <boolean>;
|
||||
+ update-quota <integer>;
|
||||
use-alt-transfer-source <boolean>;
|
||||
use-v4-udp-ports { <portrange>; ... };
|
||||
use-v6-udp-ports { <portrange>; ... };
|
||||
diff --git a/doc/misc/slave.zoneopt.rst b/doc/misc/slave.zoneopt.rst
|
||||
index cc72dcbf67..468a7f4d9a 100644
|
||||
--- a/doc/misc/slave.zoneopt.rst
|
||||
+++ b/doc/misc/slave.zoneopt.rst
|
||||
@@ -21,7 +21,7 @@
|
||||
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
|
||||
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
|
||||
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
|
||||
- auto-dnssec ( allow | maintain | off );
|
||||
+ auto-dnssec ( allow | maintain | off ); // deprecated
|
||||
check-names ( fail | warn | ignore );
|
||||
database <string>;
|
||||
dialup ( notify | notify-passive | passive | refresh | <boolean> );
|
||||
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
|
||||
index 45de0196bf..6e63d86816 100644
|
||||
--- a/lib/isccfg/namedconf.c
|
||||
+++ b/lib/isccfg/namedconf.c
|
||||
@@ -1267,6 +1267,7 @@ static cfg_clausedef_t options_clauses[] = {
|
||||
{ "transfers-out", &cfg_type_uint32, 0 },
|
||||
{ "transfers-per-ns", &cfg_type_uint32, 0 },
|
||||
{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
|
||||
+ { "update-quota", &cfg_type_uint32, 0 },
|
||||
{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
|
||||
{ "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
|
||||
{ "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
|
||||
--
|
||||
2.39.1
|
||||
|
@ -0,0 +1,470 @@
|
||||
From 93b8bd39145566053ad8b22cef597146e9175ea4 Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Tue, 8 Nov 2022 17:32:41 -0800
|
||||
Subject: [PATCH] move update ACL and update-policy checks before quota
|
||||
|
||||
check allow-update, update-policy, and allow-update-forwarding before
|
||||
consuming quota slots, so that unauthorized clients can't fill the
|
||||
quota.
|
||||
|
||||
(this moves the access check before the prerequisite check, which
|
||||
violates the precise wording of RFC 2136. however, RFC co-author Paul
|
||||
Vixie has stated that the RFC is mistaken on this point; it should have
|
||||
said that access checking must happen *no later than* the completion of
|
||||
prerequisite checks, not that it must happen exactly then.)
|
||||
|
||||
(cherry picked from commit 964f559edb5036880b8e463b8f190b9007ee055d)
|
||||
---
|
||||
lib/ns/update.c | 335 ++++++++++++++++++++++++++----------------------
|
||||
1 file changed, 181 insertions(+), 154 deletions(-)
|
||||
|
||||
diff --git a/lib/ns/update.c b/lib/ns/update.c
|
||||
index 9a8c309..036184b 100644
|
||||
--- a/lib/ns/update.c
|
||||
+++ b/lib/ns/update.c
|
||||
@@ -261,6 +261,9 @@ static void
|
||||
forward_done(isc_task_t *task, isc_event_t *event);
|
||||
static isc_result_t
|
||||
add_rr_prepare_action(void *data, rr_t *rr);
|
||||
+static isc_result_t
|
||||
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
|
||||
+ const dns_rdata_t *rdata, bool *flag);
|
||||
|
||||
/**************************************************************************/
|
||||
|
||||
@@ -333,25 +336,26 @@ inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) {
|
||||
static isc_result_t
|
||||
checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
|
||||
dns_acl_t *updateacl, dns_ssutable_t *ssutable) {
|
||||
+ isc_result_t result;
|
||||
char namebuf[DNS_NAME_FORMATSIZE];
|
||||
char classbuf[DNS_RDATACLASS_FORMATSIZE];
|
||||
- int level;
|
||||
- isc_result_t result;
|
||||
+ bool update_possible =
|
||||
+ ((updateacl != NULL && !dns_acl_isnone(updateacl)) ||
|
||||
+ ssutable != NULL);
|
||||
|
||||
result = ns_client_checkaclsilent(client, NULL, queryacl, true);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
+ int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
|
||||
+
|
||||
dns_name_format(zonename, namebuf, sizeof(namebuf));
|
||||
dns_rdataclass_format(client->view->rdclass, classbuf,
|
||||
sizeof(classbuf));
|
||||
|
||||
- level = (updateacl == NULL && ssutable == NULL) ? ISC_LOG_INFO
|
||||
- : ISC_LOG_ERROR;
|
||||
-
|
||||
ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
|
||||
NS_LOGMODULE_UPDATE, level,
|
||||
"update '%s/%s' denied due to allow-query",
|
||||
namebuf, classbuf);
|
||||
- } else if (updateacl == NULL && ssutable == NULL) {
|
||||
+ } else if (!update_possible) {
|
||||
dns_name_format(zonename, namebuf, sizeof(namebuf));
|
||||
dns_rdataclass_format(client->view->rdclass, classbuf,
|
||||
sizeof(classbuf));
|
||||
@@ -1543,6 +1547,156 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||
isc_result_t result = ISC_R_SUCCESS;
|
||||
update_event_t *event = NULL;
|
||||
isc_task_t *zonetask = NULL;
|
||||
+ dns_ssutable_t *ssutable = NULL;
|
||||
+ dns_message_t *request = client->message;
|
||||
+ dns_aclenv_t *env =
|
||||
+ ns_interfacemgr_getaclenv(client->manager->interface->mgr);
|
||||
+ dns_rdataclass_t zoneclass;
|
||||
+ dns_rdatatype_t covers;
|
||||
+ dns_name_t *zonename = NULL;
|
||||
+ dns_db_t *db = NULL;
|
||||
+ dns_dbversion_t *ver = NULL;
|
||||
+
|
||||
+ CHECK(dns_zone_getdb(zone, &db));
|
||||
+ zonename = dns_db_origin(db);
|
||||
+ zoneclass = dns_db_class(db);
|
||||
+ dns_zone_getssutable(zone, &ssutable);
|
||||
+ dns_db_currentversion(db, &ver);
|
||||
+
|
||||
+ /*
|
||||
+ * Update message processing can leak record existence information
|
||||
+ * so check that we are allowed to query this zone. Additionally,
|
||||
+ * if we would refuse all updates for this zone, we bail out here.
|
||||
+ */
|
||||
+ CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone),
|
||||
+ dns_zone_getorigin(zone),
|
||||
+ dns_zone_getupdateacl(zone), ssutable));
|
||||
+
|
||||
+ /*
|
||||
+ * Check requestor's permissions.
|
||||
+ */
|
||||
+ if (ssutable == NULL) {
|
||||
+ CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
|
||||
+ "update", dns_zone_getorigin(zone), false,
|
||||
+ false));
|
||||
+ } else if (client->signer == NULL && !TCPCLIENT(client)) {
|
||||
+ CHECK(checkupdateacl(client, NULL, "update",
|
||||
+ dns_zone_getorigin(zone), false, true));
|
||||
+ }
|
||||
+
|
||||
+ if (dns_zone_getupdatedisabled(zone)) {
|
||||
+ FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
|
||||
+ "because the zone is frozen. Use "
|
||||
+ "'rndc thaw' to re-enable updates.");
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Prescan the update section, checking for updates that
|
||||
+ * are illegal or violate policy.
|
||||
+ */
|
||||
+ for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||
+ result == ISC_R_SUCCESS;
|
||||
+ result = dns_message_nextname(request, DNS_SECTION_UPDATE))
|
||||
+ {
|
||||
+ dns_name_t *name = NULL;
|
||||
+ dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
+ dns_ttl_t ttl;
|
||||
+ dns_rdataclass_t update_class;
|
||||
+
|
||||
+ get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
|
||||
+ &rdata, &covers, &ttl, &update_class);
|
||||
+
|
||||
+ if (!dns_name_issubdomain(name, zonename)) {
|
||||
+ FAILC(DNS_R_NOTZONE, "update RR is outside zone");
|
||||
+ }
|
||||
+ if (update_class == zoneclass) {
|
||||
+ /*
|
||||
+ * Check for meta-RRs. The RFC2136 pseudocode says
|
||||
+ * check for ANY|AXFR|MAILA|MAILB, but the text adds
|
||||
+ * "or any other QUERY metatype"
|
||||
+ */
|
||||
+ if (dns_rdatatype_ismeta(rdata.type)) {
|
||||
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||
+ }
|
||||
+ result = dns_zone_checknames(zone, name, &rdata);
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ FAIL(DNS_R_REFUSED);
|
||||
+ }
|
||||
+ } else if (update_class == dns_rdataclass_any) {
|
||||
+ if (ttl != 0 || rdata.length != 0 ||
|
||||
+ (dns_rdatatype_ismeta(rdata.type) &&
|
||||
+ rdata.type != dns_rdatatype_any))
|
||||
+ {
|
||||
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||
+ }
|
||||
+ } else if (update_class == dns_rdataclass_none) {
|
||||
+ if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
|
||||
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||
+ }
|
||||
+ } else {
|
||||
+ update_log(client, zone, ISC_LOG_WARNING,
|
||||
+ "update RR has incorrect class %d",
|
||||
+ update_class);
|
||||
+ FAIL(DNS_R_FORMERR);
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * draft-ietf-dnsind-simple-secure-update-01 says
|
||||
+ * "Unlike traditional dynamic update, the client
|
||||
+ * is forbidden from updating NSEC records."
|
||||
+ */
|
||||
+ if (rdata.type == dns_rdatatype_nsec3) {
|
||||
+ FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
|
||||
+ "allowed "
|
||||
+ "in secure zones");
|
||||
+ } else if (rdata.type == dns_rdatatype_nsec) {
|
||||
+ FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
|
||||
+ "allowed "
|
||||
+ "in secure zones");
|
||||
+ } else if (rdata.type == dns_rdatatype_rrsig &&
|
||||
+ !dns_name_equal(name, zonename))
|
||||
+ {
|
||||
+ FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
|
||||
+ "currently "
|
||||
+ "not supported in secure zones "
|
||||
+ "except "
|
||||
+ "at the apex");
|
||||
+ }
|
||||
+
|
||||
+ if (ssutable != NULL) {
|
||||
+ isc_netaddr_t netaddr;
|
||||
+ dst_key_t *tsigkey = NULL;
|
||||
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
|
||||
+
|
||||
+ if (client->message->tsigkey != NULL) {
|
||||
+ tsigkey = client->message->tsigkey->key;
|
||||
+ }
|
||||
+
|
||||
+ if (rdata.type != dns_rdatatype_any) {
|
||||
+ if (!dns_ssutable_checkrules(
|
||||
+ ssutable, client->signer, name,
|
||||
+ &netaddr, TCPCLIENT(client), env,
|
||||
+ rdata.type, tsigkey))
|
||||
+ {
|
||||
+ FAILC(DNS_R_REFUSED, "rejected by "
|
||||
+ "secure update");
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (!ssu_checkall(db, ver, name, ssutable,
|
||||
+ client->signer, &netaddr, env,
|
||||
+ TCPCLIENT(client), tsigkey))
|
||||
+ {
|
||||
+ FAILC(DNS_R_REFUSED, "rejected by "
|
||||
+ "secure update");
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ if (result != ISC_R_NOMORE) {
|
||||
+ FAIL(result);
|
||||
+ }
|
||||
+
|
||||
+ update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
|
||||
|
||||
result = isc_quota_attach(&client->manager->sctx->updquota,
|
||||
&(isc_quota_t *){ NULL });
|
||||
@@ -1552,9 +1706,7 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||
isc_result_totext(result));
|
||||
ns_stats_increment(client->manager->sctx->nsstats,
|
||||
ns_statscounter_updatequota);
|
||||
- ns_client_drop(client, result);
|
||||
- isc_nmhandle_detach(&client->reqhandle);
|
||||
- return (DNS_R_DROP);
|
||||
+ CHECK(DNS_R_DROP);
|
||||
}
|
||||
|
||||
event = (update_event_t *)isc_event_allocate(
|
||||
@@ -1571,6 +1723,16 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||
dns_zone_gettask(zone, &zonetask);
|
||||
isc_task_send(zonetask, ISC_EVENT_PTR(&event));
|
||||
|
||||
+failure:
|
||||
+ if (db != NULL) {
|
||||
+ dns_db_closeversion(db, &ver, false);
|
||||
+ dns_db_detach(&db);
|
||||
+ }
|
||||
+
|
||||
+ if (ssutable != NULL) {
|
||||
+ dns_ssutable_detach(&ssutable);
|
||||
+ }
|
||||
+
|
||||
return (result);
|
||||
}
|
||||
|
||||
@@ -1671,9 +1833,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
|
||||
break;
|
||||
case dns_zone_secondary:
|
||||
case dns_zone_mirror:
|
||||
- CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
|
||||
- "update forwarding", zonename, true,
|
||||
- false));
|
||||
CHECK(send_forward_event(client, zone));
|
||||
break;
|
||||
default:
|
||||
@@ -1685,8 +1844,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
|
||||
|
||||
failure:
|
||||
if (result == DNS_R_REFUSED) {
|
||||
- INSIST(dns_zone_gettype(zone) == dns_zone_secondary ||
|
||||
- dns_zone_gettype(zone) == dns_zone_mirror);
|
||||
inc_stats(client, zone, ns_statscounter_updaterej);
|
||||
}
|
||||
|
||||
@@ -2578,7 +2735,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||
dns_rdatatype_t covers;
|
||||
dns_message_t *request = client->message;
|
||||
dns_rdataclass_t zoneclass;
|
||||
- dns_name_t *zonename;
|
||||
+ dns_name_t *zonename = NULL;
|
||||
dns_ssutable_t *ssutable = NULL;
|
||||
dns_fixedname_t tmpnamefixed;
|
||||
dns_name_t *tmpname = NULL;
|
||||
@@ -2590,8 +2747,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||
dns_ttl_t maxttl = 0;
|
||||
uint32_t maxrecords;
|
||||
uint64_t records;
|
||||
- dns_aclenv_t *env =
|
||||
- ns_interfacemgr_getaclenv(client->manager->interface->mgr);
|
||||
|
||||
INSIST(event->ev_type == DNS_EVENT_UPDATE);
|
||||
|
||||
@@ -2602,14 +2757,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||
zonename = dns_db_origin(db);
|
||||
zoneclass = dns_db_class(db);
|
||||
dns_zone_getssutable(zone, &ssutable);
|
||||
-
|
||||
- /*
|
||||
- * Update message processing can leak record existence information
|
||||
- * so check that we are allowed to query this zone. Additionally
|
||||
- * if we would refuse all updates for this zone we bail out here.
|
||||
- */
|
||||
- CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
|
||||
- dns_zone_getupdateacl(zone), ssutable));
|
||||
+ options = dns_zone_getoptions(zone);
|
||||
|
||||
/*
|
||||
* Get old and new versions now that queryacl has been checked.
|
||||
@@ -2745,135 +2893,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||
|
||||
update_log(client, zone, LOGLEVEL_DEBUG, "prerequisites are OK");
|
||||
|
||||
- /*
|
||||
- * Check Requestor's Permissions. It seems a bit silly to do this
|
||||
- * only after prerequisite testing, but that is what RFC2136 says.
|
||||
- */
|
||||
- if (ssutable == NULL) {
|
||||
- CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
|
||||
- "update", zonename, false, false));
|
||||
- } else if (client->signer == NULL && !TCPCLIENT(client)) {
|
||||
- CHECK(checkupdateacl(client, NULL, "update", zonename, false,
|
||||
- true));
|
||||
- }
|
||||
-
|
||||
- if (dns_zone_getupdatedisabled(zone)) {
|
||||
- FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
|
||||
- "because the zone is frozen. Use "
|
||||
- "'rndc thaw' to re-enable updates.");
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * Perform the Update Section Prescan.
|
||||
- */
|
||||
-
|
||||
- for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||
- result == ISC_R_SUCCESS;
|
||||
- result = dns_message_nextname(request, DNS_SECTION_UPDATE))
|
||||
- {
|
||||
- dns_name_t *name = NULL;
|
||||
- dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
- dns_ttl_t ttl;
|
||||
- dns_rdataclass_t update_class;
|
||||
- get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
|
||||
- &rdata, &covers, &ttl, &update_class);
|
||||
-
|
||||
- if (!dns_name_issubdomain(name, zonename)) {
|
||||
- FAILC(DNS_R_NOTZONE, "update RR is outside zone");
|
||||
- }
|
||||
- if (update_class == zoneclass) {
|
||||
- /*
|
||||
- * Check for meta-RRs. The RFC2136 pseudocode says
|
||||
- * check for ANY|AXFR|MAILA|MAILB, but the text adds
|
||||
- * "or any other QUERY metatype"
|
||||
- */
|
||||
- if (dns_rdatatype_ismeta(rdata.type)) {
|
||||
- FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||
- }
|
||||
- result = dns_zone_checknames(zone, name, &rdata);
|
||||
- if (result != ISC_R_SUCCESS) {
|
||||
- FAIL(DNS_R_REFUSED);
|
||||
- }
|
||||
- } else if (update_class == dns_rdataclass_any) {
|
||||
- if (ttl != 0 || rdata.length != 0 ||
|
||||
- (dns_rdatatype_ismeta(rdata.type) &&
|
||||
- rdata.type != dns_rdatatype_any))
|
||||
- {
|
||||
- FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||
- }
|
||||
- } else if (update_class == dns_rdataclass_none) {
|
||||
- if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
|
||||
- FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||
- }
|
||||
- } else {
|
||||
- update_log(client, zone, ISC_LOG_WARNING,
|
||||
- "update RR has incorrect class %d",
|
||||
- update_class);
|
||||
- FAIL(DNS_R_FORMERR);
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * draft-ietf-dnsind-simple-secure-update-01 says
|
||||
- * "Unlike traditional dynamic update, the client
|
||||
- * is forbidden from updating NSEC records."
|
||||
- */
|
||||
- if (rdata.type == dns_rdatatype_nsec3) {
|
||||
- FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
|
||||
- "allowed "
|
||||
- "in secure zones");
|
||||
- } else if (rdata.type == dns_rdatatype_nsec) {
|
||||
- FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
|
||||
- "allowed "
|
||||
- "in secure zones");
|
||||
- } else if (rdata.type == dns_rdatatype_rrsig &&
|
||||
- !dns_name_equal(name, zonename)) {
|
||||
- FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
|
||||
- "currently "
|
||||
- "not supported in secure zones "
|
||||
- "except "
|
||||
- "at the apex");
|
||||
- }
|
||||
-
|
||||
- if (ssutable != NULL) {
|
||||
- isc_netaddr_t netaddr;
|
||||
- dst_key_t *tsigkey = NULL;
|
||||
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
|
||||
-
|
||||
- if (client->message->tsigkey != NULL) {
|
||||
- tsigkey = client->message->tsigkey->key;
|
||||
- }
|
||||
-
|
||||
- if (rdata.type != dns_rdatatype_any) {
|
||||
- if (!dns_ssutable_checkrules(
|
||||
- ssutable, client->signer, name,
|
||||
- &netaddr, TCPCLIENT(client), env,
|
||||
- rdata.type, tsigkey))
|
||||
- {
|
||||
- FAILC(DNS_R_REFUSED, "rejected by "
|
||||
- "secure update");
|
||||
- }
|
||||
- } else {
|
||||
- if (!ssu_checkall(db, ver, name, ssutable,
|
||||
- client->signer, &netaddr, env,
|
||||
- TCPCLIENT(client), tsigkey))
|
||||
- {
|
||||
- FAILC(DNS_R_REFUSED, "rejected by "
|
||||
- "secure update");
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
- if (result != ISC_R_NOMORE) {
|
||||
- FAIL(result);
|
||||
- }
|
||||
-
|
||||
- update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
|
||||
-
|
||||
/*
|
||||
* Process the Update Section.
|
||||
*/
|
||||
|
||||
- options = dns_zone_getoptions(zone);
|
||||
for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||
result == ISC_R_SUCCESS;
|
||||
result = dns_message_nextname(request, DNS_SECTION_UPDATE))
|
||||
@@ -3307,10 +3330,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||
if (result == ISC_R_SUCCESS && records > maxrecords) {
|
||||
update_log(client, zone, ISC_LOG_ERROR,
|
||||
"records in zone (%" PRIu64 ") "
|
||||
- "exceeds"
|
||||
- " max-"
|
||||
- "records"
|
||||
- " (%u)",
|
||||
+ "exceeds max-records (%u)",
|
||||
records, maxrecords);
|
||||
result = DNS_R_TOOMANYRECORDS;
|
||||
goto failure;
|
||||
@@ -3601,6 +3621,13 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
|
||||
update_event_t *event = NULL;
|
||||
isc_task_t *zonetask = NULL;
|
||||
|
||||
+ result = checkupdateacl(client, dns_zone_getforwardacl(zone),
|
||||
+ "update forwarding", dns_zone_getorigin(zone),
|
||||
+ true, false);
|
||||
+ if (result != ISC_R_SUCCESS) {
|
||||
+ return (result);
|
||||
+ }
|
||||
+
|
||||
result = isc_quota_attach(&client->manager->sctx->updquota,
|
||||
&(isc_quota_t *){ NULL });
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
--
|
||||
2.39.1
|
||||
|
@ -0,0 +1,272 @@
|
||||
From 54e281c11ee13eabc3c51d6391a58fc90836000c Mon Sep 17 00:00:00 2001
|
||||
From: Evan Hunt <each@isc.org>
|
||||
Date: Wed, 9 Nov 2022 21:56:16 -0800
|
||||
Subject: [PATCH] test failure conditions
|
||||
|
||||
verify that updates are refused when the client is disallowed by
|
||||
allow-query, and update forwarding is refused when the client is
|
||||
is disallowed by update-forwarding.
|
||||
|
||||
verify that "too many DNS UPDATEs" appears in the log file when too
|
||||
many simultaneous updates are processing.
|
||||
|
||||
(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
|
||||
---
|
||||
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +
|
||||
bin/tests/system/nsupdate/tests.sh | 28 +++++++++++++
|
||||
bin/tests/system/upforwd/clean.sh | 2 +
|
||||
.../ns3/{named.conf.in => named1.conf.in} | 13 ++++--
|
||||
bin/tests/system/upforwd/ns3/named2.conf.in | 41 +++++++++++++++++++
|
||||
bin/tests/system/upforwd/setup.sh | 2 +-
|
||||
bin/tests/system/upforwd/tests.sh | 39 ++++++++++++++++++
|
||||
7 files changed, 123 insertions(+), 4 deletions(-)
|
||||
rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (78%)
|
||||
create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
|
||||
|
||||
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
index 436c97d..83fe884 100644
|
||||
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||
@@ -21,6 +21,7 @@ options {
|
||||
recursion no;
|
||||
notify yes;
|
||||
minimal-responses no;
|
||||
+ update-quota 1;
|
||||
};
|
||||
|
||||
acl named-acl {
|
||||
@@ -81,6 +82,7 @@ zone "other.nil" {
|
||||
check-integrity no;
|
||||
check-mx warn;
|
||||
update-policy local;
|
||||
+ allow-query { !10.53.0.2; any; };
|
||||
allow-query-on { 10.53.0.1; 127.0.0.1; };
|
||||
allow-transfer { any; };
|
||||
};
|
||||
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||
index b5f562f..13ba577 100755
|
||||
--- a/bin/tests/system/nsupdate/tests.sh
|
||||
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||
@@ -1268,6 +1268,34 @@ END
|
||||
grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
|
||||
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
|
||||
+n=$((n + 1))
|
||||
+ret=0
|
||||
+echo_i "check that update is rejected if query is not allowed ($n)"
|
||||
+{
|
||||
+ $NSUPDATE -d <<END
|
||||
+ local 10.53.0.2
|
||||
+ server 10.53.0.1 ${PORT}
|
||||
+ update add reject.other.nil 3600 IN TXT Whatever
|
||||
+ send
|
||||
+END
|
||||
+} > nsupdate.out.test$n 2>&1
|
||||
+grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
|
||||
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
+
|
||||
+n=$((n + 1))
|
||||
+ret=0
|
||||
+echo_i "check that update is rejected if quota is exceeded ($n)"
|
||||
+for loop in 1 2 3 4 5 6 7 8 9 10; do
|
||||
+{
|
||||
+ $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
|
||||
+ update add txt-$loop.other.nil 3600 IN TXT Whatever
|
||||
+ send
|
||||
+END
|
||||
+} &
|
||||
+done
|
||||
+wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
|
||||
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
+
|
||||
if ! $FEATURETEST --gssapi ; then
|
||||
echo_i "SKIPPED: GSSAPI tests"
|
||||
else
|
||||
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
|
||||
index 2025252..12311df 100644
|
||||
--- a/bin/tests/system/upforwd/clean.sh
|
||||
+++ b/bin/tests/system/upforwd/clean.sh
|
||||
@@ -29,3 +29,5 @@ rm -f keyname keyname.err
|
||||
rm -f ns*/named.lock
|
||||
rm -f ns1/example2.db
|
||||
rm -f ns*/managed-keys.bind*
|
||||
+rm -f nsupdate.out.*
|
||||
+rm -f ns*/named.run.prev
|
||||
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
|
||||
similarity index 78%
|
||||
rename from bin/tests/system/upforwd/ns3/named.conf.in
|
||||
rename to bin/tests/system/upforwd/ns3/named1.conf.in
|
||||
index 7bd13d3..2f690ff 100644
|
||||
--- a/bin/tests/system/upforwd/ns3/named.conf.in
|
||||
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
|
||||
@@ -28,20 +28,27 @@ key rndc_key {
|
||||
};
|
||||
|
||||
controls {
|
||||
- inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
zone "example" {
|
||||
type secondary;
|
||||
file "example.bk";
|
||||
- allow-update-forwarding { any; };
|
||||
+ allow-update-forwarding { 10.53.0.1; };
|
||||
primaries { 10.53.0.1; };
|
||||
};
|
||||
|
||||
zone "example2" {
|
||||
type secondary;
|
||||
file "example2.bk";
|
||||
- allow-update-forwarding { any; };
|
||||
+ allow-update-forwarding { 10.53.0.1; };
|
||||
+ primaries { 10.53.0.1; };
|
||||
+};
|
||||
+
|
||||
+zone "example3" {
|
||||
+ type secondary;
|
||||
+ file "example3.bk";
|
||||
+ allow-update-forwarding { 10.53.0.1; };
|
||||
primaries { 10.53.0.1; };
|
||||
};
|
||||
|
||||
diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
|
||||
new file mode 100644
|
||||
index 0000000..e15459a
|
||||
--- /dev/null
|
||||
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
|
||||
@@ -0,0 +1,41 @@
|
||||
+/*
|
||||
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
+ *
|
||||
+ * SPDX-License-Identifier: MPL-2.0
|
||||
+ *
|
||||
+ * This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
+ *
|
||||
+ * See the COPYRIGHT file distributed with this work for additional
|
||||
+ * information regarding copyright ownership.
|
||||
+ */
|
||||
+
|
||||
+options {
|
||||
+ query-source address 10.53.0.3;
|
||||
+ notify-source 10.53.0.3;
|
||||
+ transfer-source 10.53.0.3;
|
||||
+ port @PORT@;
|
||||
+ pid-file "named.pid";
|
||||
+ listen-on { 10.53.0.3; };
|
||||
+ listen-on-v6 { none; };
|
||||
+ recursion no;
|
||||
+ notify yes;
|
||||
+ update-quota 1;
|
||||
+};
|
||||
+
|
||||
+key rndc_key {
|
||||
+ secret "1234abcd8765";
|
||||
+ algorithm hmac-sha256;
|
||||
+};
|
||||
+
|
||||
+controls {
|
||||
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
+};
|
||||
+
|
||||
+zone "example" {
|
||||
+ type secondary;
|
||||
+ file "example.bk";
|
||||
+ allow-update-forwarding { any; };
|
||||
+ primaries { 10.53.0.1; };
|
||||
+};
|
||||
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
|
||||
index e748078..88ab28d 100644
|
||||
--- a/bin/tests/system/upforwd/setup.sh
|
||||
+++ b/bin/tests/system/upforwd/setup.sh
|
||||
@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
|
||||
|
||||
copy_setports ns1/named.conf.in ns1/named.conf
|
||||
copy_setports ns2/named.conf.in ns2/named.conf
|
||||
-copy_setports ns3/named.conf.in ns3/named.conf
|
||||
+copy_setports ns3/named1.conf.in ns3/named.conf
|
||||
|
||||
if $FEATURETEST --enable-dnstap
|
||||
then
|
||||
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
||||
index 8062d68..20fc46f 100644
|
||||
--- a/bin/tests/system/upforwd/tests.sh
|
||||
+++ b/bin/tests/system/upforwd/tests.sh
|
||||
@@ -80,6 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||
echo_i "updating zone (signed) ($n)"
|
||||
ret=0
|
||||
$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
||||
+local 10.53.0.1
|
||||
server 10.53.0.3 ${PORT}
|
||||
update add updated.example. 600 A 10.10.10.1
|
||||
update add updated.example. 600 TXT Foo
|
||||
@@ -138,6 +139,7 @@ fi
|
||||
echo_i "updating zone (unsigned) ($n)"
|
||||
ret=0
|
||||
$NSUPDATE -- - <<EOF || ret=1
|
||||
+local 10.53.0.1
|
||||
server 10.53.0.3 ${PORT}
|
||||
update add unsigned.example. 600 A 10.10.10.1
|
||||
update add unsigned.example. 600 TXT Foo
|
||||
@@ -194,6 +196,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
|
||||
do
|
||||
(
|
||||
$NSUPDATE -- - <<EOF
|
||||
+local 10.53.0.1
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone nomaster
|
||||
update add unsigned.nomaster. 600 A 10.10.10.1
|
||||
@@ -225,6 +228,7 @@ then
|
||||
ret=0
|
||||
keyname=`cat keyname`
|
||||
$NSUPDATE -k $keyname.private -- - <<EOF
|
||||
+ local 10.53.0.1
|
||||
server 10.53.0.3 ${PORT}
|
||||
zone example2
|
||||
update add unsigned.example2. 600 A 10.10.10.1
|
||||
@@ -249,5 +253,40 @@ EOF
|
||||
fi
|
||||
fi
|
||||
|
||||
+echo_i "attempting an update that should be rejected by ACL ($n)"
|
||||
+ret=0
|
||||
+{
|
||||
+ $NSUPDATE -- - << EOF
|
||||
+ local 10.53.0.2
|
||||
+ server 10.53.0.3 ${PORT}
|
||||
+ update add another.unsigned.example. 600 A 10.10.10.2
|
||||
+ update add another.unsigned.example. 600 TXT Bar
|
||||
+ send
|
||||
+EOF
|
||||
+} > nsupdate.out.$n 2>&1
|
||||
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
|
||||
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||
+n=`expr $n + 1`
|
||||
+
|
||||
+n=$((n + 1))
|
||||
+ret=0
|
||||
+echo_i "attempting updates that should exceed quota ($n)"
|
||||
+# lower the update quota to 1.
|
||||
+copy_setports ns3/named2.conf.in ns3/named.conf
|
||||
+rndc_reconfig ns3 10.53.0.3
|
||||
+nextpart ns3/named.run > /dev/null
|
||||
+for loop in 1 2 3 4 5 6 7 8 9 10; do
|
||||
+{
|
||||
+ $NSUPDATE -- - > /dev/null 2>&1 <<END
|
||||
+ local 10.53.0.1
|
||||
+ server 10.53.0.3 ${PORT}
|
||||
+ update add txt-$loop.unsigned.example 300 IN TXT Whatever
|
||||
+ send
|
||||
+END
|
||||
+} &
|
||||
+done
|
||||
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
|
||||
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||
+
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
--
|
||||
2.39.2
|
||||
|
@ -0,0 +1,53 @@
|
||||
From 1b6590eafce064cbf70f5afc2fe4d6f1bfdc3804 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Thu, 27 Oct 2022 13:22:11 +1100
|
||||
Subject: [PATCH] Move the mapping of SIG and RRSIG to ANY
|
||||
|
||||
dns_db_findext() asserts if RRSIG is passed to it and
|
||||
query_lookup_stale() failed to map RRSIG to ANY to prevent this. To
|
||||
avoid cases like this in the future, move the mapping of SIG and RRSIG
|
||||
to ANY for qctx->type to qctx_init().
|
||||
|
||||
(cherry picked from commit 56eae064183488bcf7ff08c3edf59f2e1742c1b6)
|
||||
---
|
||||
lib/ns/query.c | 17 +++++++++--------
|
||||
1 file changed, 9 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||||
index a450cb7..f66bab4 100644
|
||||
--- a/lib/ns/query.c
|
||||
+++ b/lib/ns/query.c
|
||||
@@ -5103,6 +5103,15 @@ qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype,
|
||||
qctx->result = ISC_R_SUCCESS;
|
||||
qctx->findcoveringnsec = qctx->view->synthfromdnssec;
|
||||
|
||||
+ /*
|
||||
+ * If it's an RRSIG or SIG query, we'll iterate the node.
|
||||
+ */
|
||||
+ if (qctx->qtype == dns_rdatatype_rrsig ||
|
||||
+ qctx->qtype == dns_rdatatype_sig)
|
||||
+ {
|
||||
+ qctx->type = dns_rdatatype_any;
|
||||
+ }
|
||||
+
|
||||
CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx);
|
||||
}
|
||||
|
||||
@@ -5243,14 +5252,6 @@ query_setup(ns_client_t *client, dns_rdatatype_t qtype) {
|
||||
|
||||
CALL_HOOK(NS_QUERY_SETUP, &qctx);
|
||||
|
||||
- /*
|
||||
- * If it's a SIG query, we'll iterate the node.
|
||||
- */
|
||||
- if (qctx.qtype == dns_rdatatype_rrsig ||
|
||||
- qctx.qtype == dns_rdatatype_sig) {
|
||||
- qctx.type = dns_rdatatype_any;
|
||||
- }
|
||||
-
|
||||
/*
|
||||
* Check SERVFAIL cache
|
||||
*/
|
||||
--
|
||||
2.39.1
|
||||
|
@ -0,0 +1,27 @@
|
||||
From df8222fb189708199a185f73543b6e0602c1c72f Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 20 Sep 2022 11:21:45 +0200
|
||||
Subject: [PATCH 3/4] Fix CVE-2022-38177
|
||||
|
||||
5961. [security] Fix memory leak in ECDSA verify processing.
|
||||
(CVE-2022-38177) [GL #3487]
|
||||
---
|
||||
lib/dns/opensslecdsa_link.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
|
||||
index ce4c8c4..3847896 100644
|
||||
--- a/lib/dns/opensslecdsa_link.c
|
||||
+++ b/lib/dns/opensslecdsa_link.c
|
||||
@@ -228,7 +228,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
|
||||
}
|
||||
|
||||
if (sig->length != siglen) {
|
||||
- return (DST_R_VERIFYFAILURE);
|
||||
+ DST_RET(DST_R_VERIFYFAILURE);
|
||||
}
|
||||
|
||||
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) {
|
||||
--
|
||||
2.37.3
|
||||
|
@ -0,0 +1,32 @@
|
||||
From 132ef295b8407f91e6922f4dfc4f30f1790b61c5 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Tue, 20 Sep 2022 11:22:47 +0200
|
||||
Subject: [PATCH 4/4] Fix CVE-2022-38178
|
||||
|
||||
5962. [security] Fix memory leak in EdDSA verify processing.
|
||||
(CVE-2022-38178) [GL #3487]
|
||||
---
|
||||
lib/dns/openssleddsa_link.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
|
||||
index 6a6a74d..3157011 100644
|
||||
--- a/lib/dns/openssleddsa_link.c
|
||||
+++ b/lib/dns/openssleddsa_link.c
|
||||
@@ -234,11 +234,11 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
|
||||
}
|
||||
#endif /* if HAVE_OPENSSL_ED448 */
|
||||
if (siglen == 0) {
|
||||
- return (ISC_R_NOTIMPLEMENTED);
|
||||
+ DST_RET(ISC_R_NOTIMPLEMENTED);
|
||||
}
|
||||
|
||||
if (sig->length != siglen) {
|
||||
- return (DST_R_VERIFYFAILURE);
|
||||
+ DST_RET(DST_R_VERIFYFAILURE);
|
||||
}
|
||||
|
||||
isc_buffer_usedregion(buf, &tbsreg);
|
||||
--
|
||||
2.37.3
|
||||
|
@ -0,0 +1,128 @@
|
||||
From 20424b3bfe8d3fae92c11a30e79aeffd26dc2891 Mon Sep 17 00:00:00 2001
|
||||
From: Aram Sargsyan <aram@isc.org>
|
||||
Date: Mon, 14 Nov 2022 12:18:06 +0000
|
||||
Subject: [PATCH] Cancel all fetch events in dns_resolver_cancelfetch()
|
||||
|
||||
Although 'dns_fetch_t' fetch can have two associated events, one for
|
||||
each of 'DNS_EVENT_FETCHDONE' and 'DNS_EVENT_TRYSTALE' types, the
|
||||
dns_resolver_cancelfetch() function is designed in a way that it
|
||||
expects only one existing event, which it must cancel, and when it
|
||||
happens so that 'stale-answer-client-timeout' is enabled and there
|
||||
are two events, only one of them is canceled, and it results in an
|
||||
assertion in dns_resolver_destroyfetch(), when it finds a dangling
|
||||
event.
|
||||
|
||||
Change the logic of dns_resolver_cancelfetch() function so that it
|
||||
cancels both the events (if they exist), and in the right order.
|
||||
|
||||
(cherry picked from commit ec2098ca35039e4f81fd0aa7c525eb960b8f47bf)
|
||||
---
|
||||
lib/dns/resolver.c | 53 +++++++++++++++++++++++++++++++++++-----------
|
||||
lib/ns/query.c | 4 +++-
|
||||
2 files changed, 44 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index 18585b5..7cbfbb2 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -11254,8 +11254,9 @@ void
|
||||
dns_resolver_cancelfetch(dns_fetch_t *fetch) {
|
||||
fetchctx_t *fctx;
|
||||
dns_resolver_t *res;
|
||||
- dns_fetchevent_t *event, *next_event;
|
||||
- isc_task_t *etask;
|
||||
+ dns_fetchevent_t *event = NULL;
|
||||
+ dns_fetchevent_t *event_trystale = NULL;
|
||||
+ dns_fetchevent_t *event_fetchdone = NULL;
|
||||
|
||||
REQUIRE(DNS_FETCH_VALID(fetch));
|
||||
fctx = fetch->private;
|
||||
@@ -11267,32 +11268,60 @@ dns_resolver_cancelfetch(dns_fetch_t *fetch) {
|
||||
LOCK(&res->buckets[fctx->bucketnum].lock);
|
||||
|
||||
/*
|
||||
- * Find the completion event for this fetch (as opposed
|
||||
+ * Find the events for this fetch (as opposed
|
||||
* to those for other fetches that have joined the same
|
||||
- * fctx) and send it with result = ISC_R_CANCELED.
|
||||
+ * fctx) and send them with result = ISC_R_CANCELED.
|
||||
*/
|
||||
- event = NULL;
|
||||
if (fctx->state != fetchstate_done) {
|
||||
+ dns_fetchevent_t *next_event = NULL;
|
||||
for (event = ISC_LIST_HEAD(fctx->events); event != NULL;
|
||||
event = next_event) {
|
||||
next_event = ISC_LIST_NEXT(event, ev_link);
|
||||
if (event->fetch == fetch) {
|
||||
ISC_LIST_UNLINK(fctx->events, event, ev_link);
|
||||
- break;
|
||||
+ switch (event->ev_type) {
|
||||
+ case DNS_EVENT_TRYSTALE:
|
||||
+ INSIST(event_trystale == NULL);
|
||||
+ event_trystale = event;
|
||||
+ break;
|
||||
+ case DNS_EVENT_FETCHDONE:
|
||||
+ INSIST(event_fetchdone == NULL);
|
||||
+ event_fetchdone = event;
|
||||
+ break;
|
||||
+ default:
|
||||
+ ISC_UNREACHABLE();
|
||||
+ }
|
||||
+ if (event_trystale != NULL &&
|
||||
+ event_fetchdone != NULL)
|
||||
+ {
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
}
|
||||
- if (event != NULL) {
|
||||
- etask = event->ev_sender;
|
||||
- event->ev_sender = fctx;
|
||||
- event->result = ISC_R_CANCELED;
|
||||
- isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
|
||||
+
|
||||
+ /*
|
||||
+ * The "trystale" event must be sent before the "fetchdone" event,
|
||||
+ * because the latter clears the "recursing" query attribute, which is
|
||||
+ * required by both events (handled by the same callback function).
|
||||
+ */
|
||||
+ if (event_trystale != NULL) {
|
||||
+ isc_task_t *etask = event_trystale->ev_sender;
|
||||
+ event_trystale->ev_sender = fctx;
|
||||
+ event_trystale->result = ISC_R_CANCELED;
|
||||
+ isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event_trystale));
|
||||
}
|
||||
+ if (event_fetchdone != NULL) {
|
||||
+ isc_task_t *etask = event_fetchdone->ev_sender;
|
||||
+ event_fetchdone->ev_sender = fctx;
|
||||
+ event_fetchdone->result = ISC_R_CANCELED;
|
||||
+ isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event_fetchdone));
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* The fctx continues running even if no fetches remain;
|
||||
* the answer is still cached.
|
||||
*/
|
||||
-
|
||||
UNLOCK(&res->buckets[fctx->bucketnum].lock);
|
||||
}
|
||||
|
||||
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||||
index f66bab4..4f61374 100644
|
||||
--- a/lib/ns/query.c
|
||||
+++ b/lib/ns/query.c
|
||||
@@ -6021,7 +6021,9 @@ fetch_callback(isc_task_t *task, isc_event_t *event) {
|
||||
CTRACE(ISC_LOG_DEBUG(3), "fetch_callback");
|
||||
|
||||
if (event->ev_type == DNS_EVENT_TRYSTALE) {
|
||||
- query_lookup_stale(client);
|
||||
+ if (devent->result != ISC_R_CANCELED) {
|
||||
+ query_lookup_stale(client);
|
||||
+ }
|
||||
isc_event_free(ISC_EVENT_PTR(&event));
|
||||
return;
|
||||
}
|
||||
--
|
||||
2.39.1
|
||||
|
@ -0,0 +1,60 @@
|
||||
From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Wed, 17 Jun 2020 23:17:13 +0200
|
||||
Subject: [PATCH] Update man named with Red Hat specifics
|
||||
|
||||
This is almost unmodified text and requires revalidation. Some of those
|
||||
statements are no longer correct.
|
||||
---
|
||||
bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 35 insertions(+)
|
||||
|
||||
diff --git a/bin/named/named.rst b/bin/named/named.rst
|
||||
index 6fd8f87..3cd6350 100644
|
||||
--- a/bin/named/named.rst
|
||||
+++ b/bin/named/named.rst
|
||||
@@ -228,6 +228,41 @@ Files
|
||||
``/var/run/named/named.pid``
|
||||
The default process-id file.
|
||||
|
||||
+Notes
|
||||
+~~~~~
|
||||
+
|
||||
+**Red Hat SELinux BIND Security Profile:**
|
||||
+
|
||||
+By default, Red Hat ships BIND with the most secure SELinux policy
|
||||
+that will not prevent normal BIND operation and will prevent exploitation
|
||||
+of all known BIND security vulnerabilities. See the selinux(8) man page
|
||||
+for information about SElinux.
|
||||
+
|
||||
+It is not necessary to run named in a chroot environment if the Red Hat
|
||||
+SELinux policy for named is enabled. When enabled, this policy is far
|
||||
+more secure than a chroot environment. Users are recommended to enable
|
||||
+SELinux and remove the bind-chroot package.
|
||||
+
|
||||
+*With this extra security comes some restrictions:*
|
||||
+
|
||||
+By default, the SELinux policy does not allow named to write outside directory
|
||||
+/var/named. That directory used to be read-only for named, but write access is
|
||||
+enabled by default now.
|
||||
+
|
||||
+The "named" group must be granted read privelege to
|
||||
+these files in order for named to be enabled to read them.
|
||||
+Any file updated by named must be writeable by named user or named group.
|
||||
+
|
||||
+Any file created in the zone database file directory is automatically assigned
|
||||
+the SELinux file context *named_zone_t* .
|
||||
+
|
||||
+The Red Hat BIND distribution and SELinux policy creates three directories where
|
||||
+named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
|
||||
+*/var/named/data*. The service is able to write and file under */var/named* with appropriate
|
||||
+permissions. They are used for better organisation of zones and backward compatibility.
|
||||
+Files in these directories are automatically assigned the '*named_cache_t*'
|
||||
+file context, which SELinux always allows named to write.
|
||||
+
|
||||
See Also
|
||||
~~~~~~~~
|
||||
|
||||
--
|
||||
2.26.2
|
||||
|
@ -0,0 +1,216 @@
|
||||
From b1871274cd2c97b63f3b90d608b7f8936d4ff3c5 Mon Sep 17 00:00:00 2001
|
||||
From: Mark Andrews <marka@isc.org>
|
||||
Date: Wed, 24 Aug 2022 12:21:50 +1000
|
||||
Subject: [PATCH] Have dns_zt_apply lock the zone table
|
||||
|
||||
There where a number of places where the zone table should have
|
||||
been locked, but wasn't, when dns_zt_apply was called.
|
||||
|
||||
Added a isc_rwlocktype_t type parameter to dns_zt_apply and adjusted
|
||||
all calls to using it. Removed locks in callers.
|
||||
|
||||
Modified upstream commit for v9_16
|
||||
---
|
||||
bin/named/server.c | 12 +++++++-----
|
||||
bin/named/statschannel.c | 12 +++++++-----
|
||||
lib/dns/include/dns/zt.h | 3 ++-
|
||||
lib/dns/tests/zt_test.c | 4 ++--
|
||||
lib/dns/view.c | 3 ++-
|
||||
lib/dns/zt.c | 29 ++++++++++++++++++-----------
|
||||
6 files changed, 38 insertions(+), 25 deletions(-)
|
||||
|
||||
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||
index 860ccae..c2a5887 100644
|
||||
--- a/bin/named/server.c
|
||||
+++ b/bin/named/server.c
|
||||
@@ -9458,7 +9458,8 @@ cleanup:
|
||||
if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0)
|
||||
{
|
||||
dns_view_setviewrevert(view);
|
||||
- (void)dns_zt_apply(view->zonetable, false, NULL,
|
||||
+ (void)dns_zt_apply(view->zonetable,
|
||||
+ isc_rwlocktype_read, false, NULL,
|
||||
removed, view);
|
||||
}
|
||||
dns_view_detach(&view);
|
||||
@@ -10901,8 +10902,8 @@ add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
|
||||
ISC_LIST_INIT(vle->zonelist);
|
||||
ISC_LIST_APPEND(dctx->viewlist, vle, link);
|
||||
if (dctx->dumpzones) {
|
||||
- result = dns_zt_apply(view->zonetable, true, NULL,
|
||||
- add_zone_tolist, dctx);
|
||||
+ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read,
|
||||
+ true, NULL, add_zone_tolist, dctx);
|
||||
}
|
||||
return (result);
|
||||
}
|
||||
@@ -12248,8 +12249,9 @@ named_server_sync(named_server_t *server, isc_lex_t *lex, isc_buffer_t **text) {
|
||||
for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
|
||||
view = ISC_LIST_NEXT(view, link))
|
||||
{
|
||||
- result = dns_zt_apply(view->zonetable, false, NULL,
|
||||
- synczone, &cleanup);
|
||||
+ result = dns_zt_apply(view->zonetable,
|
||||
+ isc_rwlocktype_none, false,
|
||||
+ NULL, synczone, &cleanup);
|
||||
if (result != ISC_R_SUCCESS && tresult == ISC_R_SUCCESS)
|
||||
{
|
||||
tresult = result;
|
||||
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
|
||||
index 8ff2567..832ce93 100644
|
||||
--- a/bin/named/statschannel.c
|
||||
+++ b/bin/named/statschannel.c
|
||||
@@ -2296,8 +2296,9 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen,
|
||||
if ((flags & STATS_XML_ZONES) != 0) {
|
||||
TRY0(xmlTextWriterStartElement(writer,
|
||||
ISC_XMLCHAR "zones"));
|
||||
- result = dns_zt_apply(view->zonetable, true, NULL,
|
||||
- zone_xmlrender, writer);
|
||||
+ result = dns_zt_apply(view->zonetable,
|
||||
+ isc_rwlocktype_read, true,
|
||||
+ NULL, zone_xmlrender, writer);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto error;
|
||||
}
|
||||
@@ -3069,9 +3070,10 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg,
|
||||
CHECKMEM(za);
|
||||
|
||||
if ((flags & STATS_JSON_ZONES) != 0) {
|
||||
- result = dns_zt_apply(view->zonetable, true,
|
||||
- NULL, zone_jsonrender,
|
||||
- za);
|
||||
+ result = dns_zt_apply(view->zonetable,
|
||||
+ isc_rwlocktype_read,
|
||||
+ true, NULL,
|
||||
+ zone_jsonrender, za);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
goto error;
|
||||
}
|
||||
diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
|
||||
index 4a1b263..1c6c789 100644
|
||||
--- a/lib/dns/include/dns/zt.h
|
||||
+++ b/lib/dns/include/dns/zt.h
|
||||
@@ -168,7 +168,8 @@ dns_zt_freezezones(dns_zt_t *zt, dns_view_t *view, bool freeze);
|
||||
*/
|
||||
|
||||
isc_result_t
|
||||
-dns_zt_apply(dns_zt_t *zt, bool stop, isc_result_t *sub,
|
||||
+dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
|
||||
+ isc_result_t *sub,
|
||||
isc_result_t (*action)(dns_zone_t *, void *), void *uap);
|
||||
/*%<
|
||||
* Apply a given 'action' to all zone zones in the table.
|
||||
diff --git a/lib/dns/tests/zt_test.c b/lib/dns/tests/zt_test.c
|
||||
index 7945a0b..bfacb94 100644
|
||||
--- a/lib/dns/tests/zt_test.c
|
||||
+++ b/lib/dns/tests/zt_test.c
|
||||
@@ -136,8 +136,8 @@ apply(void **state) {
|
||||
assert_non_null(view->zonetable);
|
||||
|
||||
assert_int_equal(nzones, 0);
|
||||
- result = dns_zt_apply(view->zonetable, false, NULL, count_zone,
|
||||
- &nzones);
|
||||
+ result = dns_zt_apply(view->zonetable, isc_rwlocktype_read, false,
|
||||
+ NULL, count_zone, &nzones);
|
||||
assert_int_equal(result, ISC_R_SUCCESS);
|
||||
assert_int_equal(nzones, 1);
|
||||
|
||||
diff --git a/lib/dns/view.c b/lib/dns/view.c
|
||||
index 8c7e40a..dcb0f18 100644
|
||||
--- a/lib/dns/view.c
|
||||
+++ b/lib/dns/view.c
|
||||
@@ -704,7 +704,8 @@ dns_view_dialup(dns_view_t *view) {
|
||||
REQUIRE(DNS_VIEW_VALID(view));
|
||||
REQUIRE(view->zonetable != NULL);
|
||||
|
||||
- (void)dns_zt_apply(view->zonetable, false, NULL, dialup, NULL);
|
||||
+ (void)dns_zt_apply(view->zonetable, isc_rwlocktype_read, false,
|
||||
+ NULL, dialup, NULL);
|
||||
}
|
||||
|
||||
void
|
||||
diff --git a/lib/dns/zt.c b/lib/dns/zt.c
|
||||
index 8ca9cd6..1bfc308 100644
|
||||
--- a/lib/dns/zt.c
|
||||
+++ b/lib/dns/zt.c
|
||||
@@ -223,7 +223,8 @@ flush(dns_zone_t *zone, void *uap) {
|
||||
static void
|
||||
zt_destroy(dns_zt_t *zt) {
|
||||
if (atomic_load_acquire(&zt->flush)) {
|
||||
- (void)dns_zt_apply(zt, false, NULL, flush, NULL);
|
||||
+ (void)dns_zt_apply(zt, isc_rwlocktype_none, false, NULL,
|
||||
+ flush, NULL);
|
||||
}
|
||||
dns_rbt_destroy(&zt->table);
|
||||
isc_rwlock_destroy(&zt->rwlock);
|
||||
@@ -265,9 +266,8 @@ dns_zt_load(dns_zt_t *zt, bool stop, bool newonly) {
|
||||
struct zt_load_params params;
|
||||
REQUIRE(VALID_ZT(zt));
|
||||
params.newonly = newonly;
|
||||
- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
|
||||
- result = dns_zt_apply(zt, stop, NULL, load, ¶ms);
|
||||
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
|
||||
+ result = dns_zt_apply(zt, isc_rwlocktype_read, stop, NULL, load,
|
||||
+ ¶ms);
|
||||
return (result);
|
||||
}
|
||||
|
||||
@@ -338,9 +338,8 @@ dns_zt_asyncload(dns_zt_t *zt, bool newonly, dns_zt_allloaded_t alldone,
|
||||
zt->loaddone = alldone;
|
||||
zt->loaddone_arg = arg;
|
||||
|
||||
- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
|
||||
- result = dns_zt_apply(zt, false, NULL, asyncload, zt);
|
||||
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
|
||||
+ result = dns_zt_apply(zt, isc_rwlocktype_read, false, NULL,
|
||||
+ asyncload, zt);
|
||||
|
||||
/*
|
||||
* Have all the loads completed?
|
||||
@@ -386,9 +385,8 @@ dns_zt_freezezones(dns_zt_t *zt, dns_view_t *view, bool freeze) {
|
||||
|
||||
REQUIRE(VALID_ZT(zt));
|
||||
|
||||
- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
|
||||
- result = dns_zt_apply(zt, false, &tresult, freezezones, ¶ms);
|
||||
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
|
||||
+ result = dns_zt_apply(zt, isc_rwlocktype_read, false, &tresult,
|
||||
+ freezezones, ¶ms);
|
||||
if (tresult == ISC_R_NOTFOUND) {
|
||||
tresult = ISC_R_SUCCESS;
|
||||
}
|
||||
@@ -522,7 +520,8 @@ dns_zt_setviewrevert(dns_zt_t *zt) {
|
||||
}
|
||||
|
||||
isc_result_t
|
||||
-dns_zt_apply(dns_zt_t *zt, bool stop, isc_result_t *sub,
|
||||
+dns_zt_apply(dns_zt_t *zt, isc_rwlocktype_t lock, bool stop,
|
||||
+ isc_result_t *sub,
|
||||
isc_result_t (*action)(dns_zone_t *, void *), void *uap) {
|
||||
dns_rbtnode_t *node;
|
||||
dns_rbtnodechain_t chain;
|
||||
@@ -532,6 +531,10 @@ dns_zt_apply(dns_zt_t *zt, bool stop, isc_result_t *sub,
|
||||
REQUIRE(VALID_ZT(zt));
|
||||
REQUIRE(action != NULL);
|
||||
|
||||
+ if (lock != isc_rwlocktype_none) {
|
||||
+ RWLOCK(&zt->rwlock, lock);
|
||||
+ }
|
||||
+
|
||||
dns_rbtnodechain_init(&chain);
|
||||
result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
|
||||
if (result == ISC_R_NOTFOUND) {
|
||||
@@ -568,6 +571,10 @@ cleanup:
|
||||
*sub = tresult;
|
||||
}
|
||||
|
||||
+ if (lock != isc_rwlocktype_none) {
|
||||
+ RWUNLOCK(&zt->rwlock, lock);
|
||||
+ }
|
||||
+
|
||||
return (result);
|
||||
}
|
||||
|
||||
--
|
||||
2.39.2
|
||||
|
@ -0,0 +1,31 @@
|
||||
From 606fc6d4aa8e8884f53f53e72dc1bd7babf37a47 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||
Date: Mon, 16 Jan 2023 11:06:48 +0000
|
||||
Subject: [PATCH] Merge branch 'feature/main/zt-rwlock.h' into 'main'
|
||||
|
||||
Include isc_rwlocktype_t type definition in zt.h
|
||||
|
||||
See merge request isc-projects/bind9!7376
|
||||
|
||||
(cherry picked from commit d7bcdf8bd6c5395726f708535120ce9a97eaa935)
|
||||
|
||||
395d6fca Include isc_rwlocktype_t type definition in zt.h
|
||||
---
|
||||
lib/dns/include/dns/zt.h | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
|
||||
index 189092bc3b..2964fc971f 100644
|
||||
--- a/lib/dns/include/dns/zt.h
|
||||
+++ b/lib/dns/include/dns/zt.h
|
||||
@@ -19,6 +19,7 @@
|
||||
#include <stdbool.h>
|
||||
|
||||
#include <isc/lang.h>
|
||||
+#include <isc/rwlock.h>
|
||||
|
||||
#include <dns/types.h>
|
||||
|
||||
--
|
||||
2.39.0
|
||||
|
@ -0,0 +1,17 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Comment: GPGTools - https://gpgtools.org
|
||||
|
||||
iQIzBAABAgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmGKhMcACgkQxbTukxqf
|
||||
nf1EbQ//YXsBbMtyI3c0MoleSi5zwzcpCTZTWTFHqH5WUiruLMDF453j/Fn2zaSC
|
||||
WuaUnhN61dR+BVtX+D2Y8GiVQFICo5X1nJj0jb/TcflXFq7YLWUAO0NPwPkBL1J4
|
||||
/PA0YCp1zYcvBXIxTKaU7AcBxlKmcGLdZcgCyGU6NSKaOJSxHOWXM460uD/crskB
|
||||
iSPEbMevN9TTJs9webztJNKH/3BuNkOD9SFb6JlUIQqwKx1v8rosgdI7BvgGMZqy
|
||||
s+10+GlIRFFvsX2XkX8BnjDlQ1QdzDOAoyCU+Se9rXDqu+zZf1VN4ReUCSDuPYf9
|
||||
z+GW1EbMxuZzEKrEIJvhnVNNiHqtKVaK6IIUX5bHqgPLEx87HxJMOPmbyBc1kDAe
|
||||
0WCmsITaq62WvKOG8Ho8wLrlG4AAO5+A7xit4bJ4XUtLiqyt+9FUIeEFY9nZb/6O
|
||||
OXK9eBMZHZ++r52RtA+GYZllkNRpzwnULOdR/9svVQuc10/MjnRoFqInzLlqwfwm
|
||||
2q6r372oWn8+MUvjQVBgzprn5BvY+HDo2gNEYEi5QyR3ql2dX/Qz7iUdUfhRvMNL
|
||||
FdPt3B3kktfOV98p/imrIwLwVVWwKBlphntkRxLtSZBs3nbo27F/ND54fixC2eCa
|
||||
epB6FF5IquzQ/MOiz4uql3YexNDQQ+7N2IGPJVMwO2ILAyZDNOQ=
|
||||
=pVtf
|
||||
-----END PGP SIGNATURE-----
|
@ -0,0 +1,30 @@
|
||||
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
|
||||
index eb622d1..37053a7 100644
|
||||
--- a/bin/named/Makefile.in
|
||||
+++ b/bin/named/Makefile.in
|
||||
@@ -117,8 +117,12 @@ SRCS = builtin.c config.c control.c \
|
||||
tkeyconf.c tsigconf.c zoneconf.c \
|
||||
${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
|
||||
|
||||
+EXT_CFLAGS = -fpie
|
||||
+
|
||||
@BIND9_MAKE_RULES@
|
||||
|
||||
+LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
|
||||
+
|
||||
main.@O@: main.c
|
||||
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
|
||||
-DVERSION=\"${VERSION}\" \
|
||||
diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
|
||||
index fd9ca8d..f1c102c 100644
|
||||
--- a/bin/named/unix/Makefile.in
|
||||
+++ b/bin/named/unix/Makefile.in
|
||||
@@ -11,6 +11,8 @@ srcdir = @srcdir@
|
||||
VPATH = @srcdir@
|
||||
top_srcdir = @top_srcdir@
|
||||
|
||||
+EXT_CFLAGS = -fpie
|
||||
+
|
||||
@BIND9_MAKE_INCLUDES@
|
||||
|
||||
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
|
@ -0,0 +1,53 @@
|
||||
diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
|
||||
index 47525af..eefe3c3 100644
|
||||
--- a/contrib/dlz/config.dlz.in
|
||||
+++ b/contrib/dlz/config.dlz.in
|
||||
@@ -17,6 +17,13 @@
|
||||
#
|
||||
dlzdir='${DLZ_DRIVER_DIR}'
|
||||
|
||||
+AC_MSG_CHECKING([for target libdir])
|
||||
+AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}],
|
||||
+ [target_lib=lib64],
|
||||
+ [target_lib=lib],
|
||||
+)
|
||||
+AC_MSG_RESULT(["$target_lib"])
|
||||
+
|
||||
#
|
||||
# Private autoconf macro to simplify configuring drivers:
|
||||
#
|
||||
@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in
|
||||
then
|
||||
break
|
||||
fi
|
||||
- elif test -f "$dd/lib/lib${d}.so"
|
||||
+ elif test -f "$dd/${target_lib}/lib${d}.so"
|
||||
then
|
||||
- dlz_bdb_libs="-L${dd}/lib -l${d}"
|
||||
+ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
|
||||
break
|
||||
fi
|
||||
done
|
||||
@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in
|
||||
*)
|
||||
DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
|
||||
[-I$use_dlz_ldap/include],
|
||||
- [-L$use_dlz_ldap/lib -lldap -llber])
|
||||
+ [-L$use_dlz_ldap/${target_lib} -lldap -llber])
|
||||
|
||||
AC_MSG_RESULT(
|
||||
[using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
|
||||
@@ -432,11 +439,11 @@ then
|
||||
odbcdirs="/usr /usr/local /usr/pkg"
|
||||
for d in $odbcdirs
|
||||
do
|
||||
- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
|
||||
+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
|
||||
then
|
||||
use_dlz_odbc=$d
|
||||
dlz_odbc_include="-I$use_dlz_odbc/include"
|
||||
- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
|
||||
+ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
|
||||
break
|
||||
fi
|
||||
done
|
@ -0,0 +1,31 @@
|
||||
diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in
|
||||
--- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200
|
||||
+++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200
|
||||
@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in
|
||||
# Check other locations for includes.
|
||||
# Order is important (sigh).
|
||||
|
||||
- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
|
||||
+ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
|
||||
# include a blank element first
|
||||
for d in "" $bdb_incdirs
|
||||
do
|
||||
@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in
|
||||
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
|
||||
for d in $bdb_libnames
|
||||
do
|
||||
- if test "$dd" = "/usr"
|
||||
+ if test -f "$dd/${target_lib}/lib${d}.so"
|
||||
then
|
||||
- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
|
||||
- if test $dlz_bdb_libs != "yes"
|
||||
- then
|
||||
- break
|
||||
- fi
|
||||
- elif test -f "$dd/${target_lib}/lib${d}.so"
|
||||
- then
|
||||
- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
|
||||
+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
|
||||
break
|
||||
fi
|
||||
done
|
@ -0,0 +1 @@
|
||||
d /run/named 0755 named named -
|
@ -0,0 +1,34 @@
|
||||
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
|
||||
index cd44fe3..5b7c539 100644
|
||||
--- a/lib/isc/lex.c
|
||||
+++ b/lib/isc/lex.c
|
||||
@@ -27,6 +27,8 @@
|
||||
#include <isc/string.h>
|
||||
#include <isc/util.h>
|
||||
|
||||
+#include "../errno2result.h"
|
||||
+
|
||||
typedef struct inputsource {
|
||||
isc_result_t result;
|
||||
bool is_file;
|
||||
@@ -422,7 +424,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
|
||||
#endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
|
||||
if (c == EOF) {
|
||||
if (ferror(stream)) {
|
||||
- source->result = ISC_R_IOERROR;
|
||||
+ source->result = isc__errno2result(errno);
|
||||
result = source->result;
|
||||
goto done;
|
||||
}
|
||||
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
|
||||
index e3e2644..5e58600 100644
|
||||
--- a/lib/isc/unix/errno2result.c
|
||||
+++ b/lib/isc/unix/errno2result.c
|
||||
@@ -37,6 +37,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file,
|
||||
case EINVAL: /* XXX sometimes this is not for files */
|
||||
case ENAMETOOLONG:
|
||||
case EBADF:
|
||||
+ case EISDIR:
|
||||
return (ISC_R_INVALIDFILE);
|
||||
case ENOENT:
|
||||
return (ISC_R_FILENOTFOUND);
|
@ -0,0 +1,31 @@
|
||||
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||
index 31549c6..65a14b6 100644
|
||||
--- a/lib/dns/resolver.c
|
||||
+++ b/lib/dns/resolver.c
|
||||
@@ -1762,7 +1762,7 @@ log_edns(fetchctx_t *fctx) {
|
||||
*/
|
||||
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
|
||||
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
|
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
|
||||
"success resolving '%s' (in '%s'?) after %s", fctx->info,
|
||||
domainbuf, fctx->reason);
|
||||
}
|
||||
@@ -5298,7 +5298,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
|
||||
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
|
||||
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
|
||||
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
|
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
|
||||
"lame server resolving '%s' (in '%s'?): %s", namebuf,
|
||||
domainbuf, addrbuf);
|
||||
}
|
||||
@@ -5316,7 +5316,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
|
||||
isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
|
||||
|
||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
||||
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
|
||||
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
|
||||
"DNS format error from %s resolving %s for %s: %s", nsbuf,
|
||||
fctx->info, fctx->clientstr, msgbuf);
|
||||
}
|
@ -0,0 +1,534 @@
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m
|
||||
r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk
|
||||
pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI
|
||||
yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG
|
||||
ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0
|
||||
/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh
|
||||
qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF
|
||||
UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv
|
||||
SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D
|
||||
o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt
|
||||
LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB
|
||||
tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
|
||||
LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln
|
||||
EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB
|
||||
Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA
|
||||
1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj
|
||||
tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+
|
||||
5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn
|
||||
Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF
|
||||
JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI
|
||||
hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa
|
||||
xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd
|
||||
gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX
|
||||
pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP
|
||||
vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf
|
||||
6f2op3tMuQINBFwq9BQBEAC59lflbMmvSVkCHFoakdjokwGviNU4I/hOsNmHALYr
|
||||
gJc0z88ss2KxbOq6JZoW9QOEHz2QLGsSGKnBUViEGvXoINDGuvzKFqHdEjGsExiF
|
||||
FPGAgCQA2CSEZZ8MlITNdq4DuSti1LetjCF9d7hw2xOQs9ucxSXIslyqPbCdlxki
|
||||
33tov40VE/J8jDUp9Rv27e0H2x4Nhu9MRQt4vTtpOcelYzl/dtPAmsnY4U/Nex4I
|
||||
LM+JU2HcG/5i0nWkxOtz9Qc7kOgm4cuwXTCJw9KukPS3CykV1H/StPp43JyxoK1X
|
||||
gZDMFww+9jupqLletmYKqCW6jVbqXr4Xlisq9Ey3LIWRQ0Zw/LB2NKU/jgnJGtLa
|
||||
7O8VRWJKwkCtyYUbZMksKiGex7zCqPDR0hRVuYNsTjONobnrOS+7ST7ThbCndc+A
|
||||
5mtuXpxuFffIuG78a3R3N30RF6g18peTfaEHMpqz+914HkNl6Ns445Zh+2rJkLUu
|
||||
8O++tgWEUrpUajN9nosWaXWHOf7E9qGnm1G/3f9P3Nd5U+b3OKUYyqb+CNGCHyiN
|
||||
bE1Cg3MnKpM9Yi9aZu4Qg/dPdxMWrqUmkmyDf6x/Oh8ZZkIacFlAaqbysQ6hRaJo
|
||||
p7UG9AJfXHynj/Hz+1dNpUOlAIairFe3T2mWQO4Yy6IMgLEGVodZRHaMugdzZwus
|
||||
HwARAQABiQI8BBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlwq9BQCGwwF
|
||||
CQPslwAACgkQdLtrmky7PTikHw/8CZ+DnggV4AuI86spuMLdtUBDOux/T0gvyxSW
|
||||
f8sJkjH0eAYAmP9/flJDfmwra5yNaINfqoLFWtaYLpxpBcWBc4VIoiWqVp2aaCPi
|
||||
wh0sznCPiduiYcKGkHmupX8aCQXBYFDeQ8Jq1e9zwGD7Mon7BeBO48Vd5/IT1H5I
|
||||
u5qzaCtD2ECO9MYdhuqJjFKU0MVzVocsBDdtLvrfnUwe4wc6kvOgHQ6RkMJU1bgY
|
||||
0Sqstsg12vnREAr4uihnZQEihsRmNdiiv0DYVaRK92PLPpfVAox1Axq2HpH3WT87
|
||||
RpsFruXLj/zTl4AZczfDVd/Z4yWmJSzr0F5igkGSUrxo0ye2kNES6cmOGI9TgmgP
|
||||
NLGXlC/su5fKXKjRgkD1ibJ0qFNNxF3Cwpz/+cav9ySDgFGX5Vu0kFi93fEYHshD
|
||||
6lP9M5qS/2oKiykCGvcRCNU/9emdYlF37H52rxRerBaZN6dYMTjZw2vsEMUl06pL
|
||||
llbLiwjPix2OlLFcwH3yKJG0pKkpEImBdJwHtJh5uHzfkSAbZjJAZ2Ekw7sLqiT0
|
||||
85hAGovywGpHMiYkqhNUO84fjZYCsrAlZMdriY92IMcQhmWQ416t5zcle2Xgx+/x
|
||||
zBnktvx9KIH/HwBa+qym5z/uFC2S6zhNyC61LV/CEDCmcUi2lUXr7vcIxCsmxuUF
|
||||
1ONbRP65Ag0EXFtUfAEQAN5tk4luE92Ed4E92VlgTetGMHyxwOlZ2OsK6l+Z5ML0
|
||||
wzomAITgMQwG0FeT6HX7vB+luVhg0XAZUW/K0bme8ZEO0dbHB3Vn07wXHhmq7QXH
|
||||
/ACftkvevIT610dHskrtIvE5rZfj1P/wtjRTxDrkjhlGj9vhUxxcCkKadzDdBJGo
|
||||
dP+Zh02d/4cc++LePNqZ3eJWm0JLghqKxzTv0MV1r6G1ZeykFzXeWY+La8ZCRaON
|
||||
LcHjI7wlpyTJA9WGmyAphtEHM4fQqKLxtebIDo7m4glgR12nlV6B53gUT96PcKuA
|
||||
Y/UPRiTV6nHyUtuL1EGTAVLsMDmtDbdSdtLLVbJXVmA+tapABa4amMxNVNY3QSUj
|
||||
cAbECcTyVmVJfIT5fJW4eOMhWtrIGMspWoO5It0pl4K8jhCzIcfoXQ0olCSeC9fE
|
||||
tljE7qzRzYQUUvN1VZPVX0Yw/xSwOutv4mxmNRWY9HW1M/jGoRAboqN8WhCbldak
|
||||
a0XCH3U4rWXB/8HHb8KP4+q4ssVyPuEQ/v1UNNRk9AB25NPEh5PMdcf7HU8IcUHX
|
||||
THEfd7zZVJ0l4FSsnGeuJfMrnRIpNOYX65ikeoTwmDU3ZjWfmSy7F5hTLw8WOEB4
|
||||
EKpnplyV1QN/j3317/M9PxvB8IOvyNF2okeurtHFMmI/lGwy51akp6iHMkbBDm5n
|
||||
ABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9OAUCXFtUfAIbAgUJ
|
||||
A70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBJXO2iVrHKChXzAvtZUhp+1drOkY
|
||||
BQJcW1R8AAoJEJUhp+1drOkY94wQAKb2fED9Up/xHEOjZm5ODK5LCVHy0KMATiTf
|
||||
5SiJhRtqaRbimPH1WB3XMLls3FJZnm+UngIfwCsoWo0rksFUNmqFi6t4Cj/UB/Zv
|
||||
29EnDT9BAeG5fP+Op5PDCsu4qnLv3oam35oV9yZLRkLhBd/EkRGEA/q27WnpiYCx
|
||||
Jv5uPOJBWQqu32aE6st23PpY/QWDWOhGPfcWCecu1rIe+2BCs0UjfO0KOT8HYWNh
|
||||
nGpsEZ+TmDKjRxMTYWKguEb9evEihl6kUwmQZgROdhBes63Yq4ku9rBXvRhCYbwS
|
||||
odhjx2soDRcNmzxNV1Ply8a+2bwRHPnOeyyxEHFAwjkyXo7ZqGtenwSriG0LOW87
|
||||
y3Yw63O+oAlGLIB3psBSj4wZVGme9485HVICAFcJ3jXqsXSIJdzW61nGerB2r2Qk
|
||||
Bn7yYIvHg3iOToB0alfNw2QuDtCZTNefvlHFnoashRhkk0yWzBerleFJbijx4+Vr
|
||||
FaOH35BO1T3rgBmGkDW6gewoZMHEcmzTDoxxmbXiRvY+5o7b+ul/yzwhnJz3f5jk
|
||||
7+Adnr9qAGMD2o3rCRBHV3lSEkLhBL+bfmsEYEor1fd+pDFoEKKjpDP6bgDcZyGv
|
||||
O0mmr7Y/6ZrnKWxOrmNXieOTLbpY22tXv43QLgyiPcjhCfphT95IxqdNfMfOiI9k
|
||||
IQf8g7GBciIP/1mbdnMj6Hg0J9IbI/XX/DWATOVMdDhq38VcggOHRjZk2lY99+4V
|
||||
Au1wRHa/Io/CENikYzI00deSzhrN+tdUK/TCZI0Ft5Lykmti2ilmkIQGsBuD9gu/
|
||||
2bmWkNJEdpHeC/+oxntDFj43CpyKpPAarrw+4XiYNK+1+4WZsQRL0jJuKJ754v/o
|
||||
NTaSd8GOCyFR7q8SVH4tig9DjkZjYjFFMnWkxdpnDX56/AfdS+x5EaRHKCJoGChT
|
||||
+pHimvKe+MxBxpwJr4JpGddklin+6xUF5jTG6322hz385wsagGvmH2XliOu47a+7
|
||||
xUei7w3S1qtVCfdhtBEWL5i021yVYlrw+rUCwpFMIXAPA/p44O/qY06sQXJ01Fym
|
||||
JCbOnjtVYX9gdF8fMKoDXAcvEtSulBNpXDongWp50BDfVoA7h9oDsxL5kw0GpkJn
|
||||
uVMYLpO+iOqoEA3bJfsCedilkcz6UamLb+6RXMupKQaZ006Bu75Rm+h6PdicdiKD
|
||||
jJY/7PbGuUmXxuSFT92v0hATlpEIQ8H8laEcnb8apiX2qOyGUHnb7pfYoNqvCm06
|
||||
3NP2igCtiGkzAohiHfhztfy2UApiTtXmPu3EhEUMooB+0Lt0zzY+e1cnFKRbJHvQ
|
||||
ZidiOJfKuqp6upPvEgKYMRCAU4+nLT3MVbralo726JnDqrDJvCqAamhfuQINBFxb
|
||||
VNsBEADcRGjaY+/ZVWBlQWvgy08ObhQbTRglb8thrcPeTR7211JJwAJemuTWwCjF
|
||||
SVDH8JJ0Ss8rBcbitrGI3i3mcgJRQ1hILR2HT0bbmMLufCxZzQBjJm76H8XN++k6
|
||||
bd8HCYGXMguUaHRRHAcV+P18e3qGizgL7c8Vln9fbhowkX9yi/WhiL2uoXC3+XSa
|
||||
C08TzwjKPb9Wnct6uCBAzMp8S7KW6P18vZyBTRBrugA9eZrGEe25rhy9szlJcajc
|
||||
VeMiDMf058z7ait5t43AfUzd5zrD6c+ZGYIku88oY55LsZVcvn9o7I+UNbNJdiek
|
||||
IpLae3Dgrie3QgDyfzPV1vXT2X8LaegOsNIkSo6jzjdKE0ZNg4xVSuPdr5jujYBN
|
||||
z2k1lqV/Q/Ccpqzs0NsgnXnY8RDDrrmJhdy/ZrCMsXpbTK5KryR+JoDEiuyJ7YO2
|
||||
jTOCo6zQ631jvi7XUeHAFIdQ7eYRklJwABwj/IMXY++O8JBLO7iZ1dvvu3pfY7pg
|
||||
dQvPgDttVAIxrNxMMj39LRbb6LE+eclWcTfGCMr3O6LOOLwkMnDWEkJAz7JMtWqr
|
||||
2l+9xF9Dq7CkxHPP87dLTMNGIDr38bJ83CSmDPlBoaljTYgrlatBTV2hGMjPgEcB
|
||||
jOgg6QyRGpO2N0SVBnD8PfBI7a7CwQw3BHOJtH8vPUkXZoafoQARAQABiQRyBBgB
|
||||
CAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVNsCGwIFCQO9IQACQAkQdLtr
|
||||
mky7PTjBdCAEGQEIAB0WIQTXDITmS1WOW8zsByEy4hdfHXV6KgUCXFtU2wAKCRAy
|
||||
4hdfHXV6KoJ9D/9IUN+s4gSiyWnqfq+UK5q86DTbC+OyQpAY/U/VDi/jQXDUaXzu
|
||||
f25cCgyl4Xgf6nNTE6IEdgJCL4R6bChxJOHNpZ8/N3ckb/Q5xHKZ/5k5wFv7nxUk
|
||||
vunzxB0wUgCLkn4oy4B8QbTMuRz1qcSdehUyZAlfkr7o/J5UO8FtgaMuNACxZNlO
|
||||
JW5AjTDdbEW0MZapAgjx7+oTQMDtz9q4afuPaGJ3fTz4Vx1+mYt59b1h6xaMTXJi
|
||||
8egJF0U4n/tJ+3gxAIhF7tQRPdNEwG+2Kw/YNyrLMY+nbazhlgUIIkk2IH3Ztd0S
|
||||
XnNd7gV/slN80T9CtHtaDlH2FkeAd1unynxsDd/TLb1gLHem5iDsFuZBaIyHetdY
|
||||
TlvT3SlKnDQr0FBTe86Kuv7n/ZNoU4lceXhUXTcataxKdxKEJt2x1Ei/hMHSVjaY
|
||||
3ir57tuOUDMkl6hpL3sYiq7cMGUAnLH9nBZbbcNdfChDiM24mGmXaNoITutVAHS4
|
||||
uNunSL1l13hJ1hnGY79j4l+CgnPx7LHzBmLh4PPWKM3RYqwgaPEkflVQr1JOOKMM
|
||||
x4bpllEtzpvVAIaF73tlsOQRRN1Aah67gvkWKqiZrXc0Sx/yh8EO/6bImb87rtVr
|
||||
0kjeDGEiuGYXsszNBCmVjHal5kLUKaESefzd223zeaFe9foO2HrnsFb9B34ZD/9J
|
||||
W5M+42QFd+tOLh1ue/5xToiyggGh1MX9axDqHiRu2w+E7kNuuws2426aupUQ3yPD
|
||||
4dSwR428U14ytM90bZXztKFDgFAaQJ/4YVEGPSbLHFc4VlhDHpGljl8J7vI5xPOm
|
||||
Ruc9aabtXwd065nQ2csk1DliiA4jpS9dUq/flH2oGj4b2OSGFvR5oC7oERHMpUA0
|
||||
p+wY3vnjkSVnWqV98yEBCFcZvpOy8J5KDZxYZvZydUvZ3ny5W6QPg8OKriqrCAKW
|
||||
QXds47vRIiAasK14duLgex6il7HmboaqqOhRhevtBAHBJpB1z6Aq0SMwcKwdtTId
|
||||
GTSoQd0R77ZGYvR3StpAwl8rJhCNwJHu2euA3hYPWHg0pF0L8pFbfUwOYf1dU+uQ
|
||||
4xAJQKcCteQ7B0pawp+Hxp/0erB5c5PUUck38ze1ZoGm/oqh24XZ/amPVWE9nYSo
|
||||
VTJwnbqWsfI6mzKdBHr5MP5zW5ei0PAo3lFb5gvVzJ2TqaGJvrh907I9R5Nwd6GM
|
||||
wAWAzZ/nCLflSNyPyJ3ftxY6pGyCBJsycY7gBQD9i1xU0bxONltqSyifwQ0rt7yr
|
||||
iwSI0VRnv8K3M2iTAdDm44bX6oHzljgiYachlV6IGmO3vdVVrCDhm+b+ia1bnQ/1
|
||||
H7itWEwllkUCCtaDwEcf8o3OdbS9S5KEbwH7YUD967kCDQRcW1UMARAAvl+0jUaB
|
||||
UkQWBflWy4Wd8Gcf3lzOqbARdpM/iztebc7RbLnv0TNFQPV4TD9RoP+rY4dJzC8w
|
||||
/rlxlhD3DiGcI3of3o/3pN6jss4wKyy9Jcg7uCo/fcspOoPOwigAUfBYTd2rWNvI
|
||||
/pPUl7zmavQR2+TyQ4IHWG52zAABGej/tf3Ma6WGHC4QeTkh7LtHn3JFRCoFy101
|
||||
x60bJqIWONfR6+5UAOL/P+zTteEMsO3v7dWCWHX/tcYLrhCEH1CNnyPS7v7TF+Ys
|
||||
uOGL7sSmQOUAcgldfUfTACw84YqViu5BSYiww18Eg1l66UcQFnhwB3fTGwzb3oPM
|
||||
npAv2wAZ9gyFGzRgcH8QnXRm/SLDWlTaMIJS//0p/gXifCAdBZA/skBt+E4hQ5Sr
|
||||
9iXGNMueR3bn7u8Pcoc1DpSJENE5H0nB62l3/OiSl/k7mJMGlUv6wKr42xNnIM6M
|
||||
hO97axjRXy/XQz5n6ktyn9xRngkQNL9Ynj+i8E0k/xv5jA39EGAKOXxQFf8357sA
|
||||
DnZ5g/Yf0Yr1c+TNIIRXER/k/KMavB52mguTNqCsewO5aje4Gq4vKd5P+jOKGopA
|
||||
C4idTLkHutZTiakod7lW2jmjpm6P7oyAeAhDNEroNrbOIw0SaujHBmJtxgK1Q929
|
||||
y/EaH5vJyWfMFyUqM7CQBqUU/HRLERsebM8AEQEAAYkEcgQYAQgAJhYhBK4/rHln
|
||||
EexZ/AB6pHS7a5pMuz04BQJcW1UMAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkB
|
||||
CAAdFiEErtYi/gIHfrS1wUbBQqJ50kjNwxAFAlxbVQwACgkQQqJ50kjNwxAf5xAA
|
||||
hBhcOeqLgeXbUu0CCTKlnG6D7H8sQJWXCSsh9pAXffv58b4f0ntJ1TztKfVd79hS
|
||||
BCcXRc/9+MhUUzR79NvFWWZMWqJ6MucjAkkOBRoc7c85PawYTI7e1zSapLPJEHG0
|
||||
xDzK8ClxwGEvlA4O/eGGVFaCTkxdTQg95fDXfghab6j89GI8Ghc9rC9V8RUgGVQV
|
||||
qJJkBJ/gECJJp3holB4/w/I/sU+9AHXGKJvSJJ62fpmY143Y5JQk+I8DxoT0kIq4
|
||||
W2iZVAQMzQGpAOXkDuHk7a7J/QuL78CuoG98GOsfTd7nNsgPTZ07cPYGOxXeNR5U
|
||||
9DlYOBWDwsf6d+D+tHLB8KzH3MWnWa3crjE3a/sgrDEad0CmAJzHXuCyPMy8vPQn
|
||||
uxIai/gw2POq8YQMoKW5S80perLuN73FxAumjK9a2hYVdZNtABwrlW/6ELruv1se
|
||||
mMjUq6oDyFio0rGy/uzCItl13hIr1Ii7B/SPz9dNnCagV8aiUmKXRk3HKoEXf34I
|
||||
xWlod0szWopnP31NXNKHihs46ORSMrjnzFKjRcJsnipdins+DHJYroYhtOjNtsb/
|
||||
WV3D4tSerG3xKF/v3ssn2VsjcgK5HY/k9iUol/dvoP0bJ+rKs/fzt8oAqEexiRnV
|
||||
cPnj/zAiBOt1940+0vTWaNYOPDkq872S48GNybOC342u2xAAnAp5myKostxjyQn3
|
||||
E/7/G1OWHaJW5kx/HCqHCWjgwwLOmhssNn8kpTf3ybvt5uhMolIF95RjFB3gBOfU
|
||||
vw0sqMvEoBoGSMSTSc3zD05RBsWWFD9qwvPMXtn0gYaH39ISAFnxXrtrQ7dDD1d2
|
||||
LcBErdttnxEhUnT4/0YIat+r2PhmYYDYviKsuOy8MC/sJIxvhYEpbyPQnPksUzA4
|
||||
wmAbVNPlzqU2oWPrLT2tlxUue3z6VS/YHDcsLSgjVOMWSusLMh1+D76Y+Lcr9kVz
|
||||
nRu+dYXh4I6OBnlT1VuzEVmrf69NFwh8j3PaVn0I0NEDU7mMa+5W0QYuJIsXZonq
|
||||
SI2uIu64ZOVd+D8WmCEZO/Kmk5PMXs+0fMcFD9mOeFaiOdz+PIlHAsrxwKXr4Q5z
|
||||
zzu/wEOaqAVa2bJywTbl8MntQUY/XeD94MvdlSAwO3Ll1BpQ5NfXjm3YpP6Uyqlj
|
||||
pkrYQL56iqucgYn61jLSXhFHGLXSZs2G48ggN2mHtf6ZQeAJ4D2DIXRj4uqIHoJf
|
||||
7MWDui8u+cJsw/F0ZerPsCN/CpkEoj4FW4F4O3JbiieYSUK7lxc0qyDdbQiVCVl/
|
||||
08wNToe3RctSzsQ99tCwfVWqLVcTVb+0aeSaNykb+qW30bHW7AUYs/qKiapQFzZz
|
||||
QZnpHXGmVe93fDfILx3yUCA8Yia5Ag0EXFtVOgEQAOS7GFDH2DGXPMJzSdS7a/zZ
|
||||
ewP4bM42n2Ku3XiCyXG173p4ppNdOLS3l7JrRflMhjfBtETCOV8B4z0B9wCZZywz
|
||||
iLOt8+0A0zpY7EHZNvMRjZyq/s0FCKLtnlqo/KNwiJPRvQazZ6+UOSffEQEGpNKs
|
||||
1ycZIDb1tk8iRpRvtCin8CeLRLf+2BxHbWBewnCSCl80rC89PTcvPf+jmtcDJqDQ
|
||||
z/blp2CT1JUo1xdzyHYdIa/kQ2PBQo02ejBVs0vDjbzuYVQzZV3q6cYnYwGPtpTB
|
||||
Ot8GXuA1X3qYx0MlZwGEYpiTFS+Ju4cJrYofuBOudXpfux2uAPkJskw+ro5k1I/q
|
||||
fptRWDbZ4fGgROmUXBPg29XdyVExYgAbVeBdHWX30sCHs8+c8wzWkdAY/BgdCySg
|
||||
EVLiDmSfMekH2H1N9ncwzhwNlHk2BaYTR9hWdZ7lrH7BbT8g6SVSge/eqgvjKI33
|
||||
AUmragvNQ1B3362yqLK/FJOHyJiYd6DKfkq4E+ysw+C+qIo51qVNkqRqT0M7HhwZ
|
||||
AvaoeykrGIE5vq6jHa9+MxDlsN5Sf7gNgx2dk0d7LAJR6AmYNqRS2V+837XfogMc
|
||||
bB90ZyK2rOzDN3f48jaqXA8TX2CSun01RoPdCPZm0M/uxTZxOFzoatrkpEVbx/3x
|
||||
sjvuPVa7qkKdgUuo/PhBABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2ua
|
||||
TLs9OAUCXFtVOgIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBHkdfriO
|
||||
vI0BOENKrDPfNZrnpgp5BQJcW1U6AAoJEDPfNZrnpgp5JY4QAMry7TcsRIZJCVlC
|
||||
qecIAjyJizWz5dEwScba0BDU4rv/h42CvXJlySZpbgUEyB4SBggEnu/dKVbsd/t0
|
||||
TXRNg80Zs/pTFVbwcg+sDgIg1wZldZbClLfvgk0xLoDl5vq+K4SAQwSLTSPHQyYu
|
||||
8IxkrKmbBdBSXlgnmcHK2lDXrzWYJDEYEyFPV4pC3cHicCygSc/4eepUz+crEF6Z
|
||||
IE1df4LRv9h5CgsLewMv5nQ1EjxTo9mX1GiSh3e7KcfS98FgIQl3oy+yO2cmVVVq
|
||||
x5ggDcRI2sUbXa3D3kjAo2tUIA1nUMFLIrii+aZawOsf64VMdIs2OXEi5XFR+Zdw
|
||||
t+Bx6lUKZ3/tntStZitJdK8/RUbhmYQ8Tu01vxt/IAN+07VxWyZwcFB5KuC+lKtO
|
||||
/0vwyhyiOlHm8lzV/5qwFPusB4bNk/2uLPUaavJdrBpmB0t9pol/NFCRzW5MKFvu
|
||||
Qw35QyFVR0IBeaGjRc5J9yxbzi78umN1iHZbDjXFA7oRa9tkM2AP8V2anxSHUyon
|
||||
UN6OuLqSM2frA8iZcl0S7qcepYNF1ix9PhdQHXy0H7hoikXMLIiCl/unW5pVTs6q
|
||||
KnmxmRz9ZcqvvuVXbeY9C+kZE0LOBTZMljuS1Hcs69RU3rA18swfN5CTXw12ZwQZ
|
||||
SsnRhi2X28Tn8SD0vrEsEf08q3XshDwP/0MvBBfymXd+5MzxlvMg8vGJeFuDMEFN
|
||||
cpETa7Xzzz5Eir3ETtxpUWPCriqmCpnlIWidNwbg+LlyTeYUDPIDnMtEX5ySmYGn
|
||||
BI8ykvAKm/XTfr0PWOEAXcmxTC3oMhvYEhIyGHZOFJQxIo7vmrwZKi2wqMnKMPq+
|
||||
XXHgvtZe5tNbESI27APeQCMVZLVnVVa0D1JRFYBuwNoJXhWbAIKlIjBGv05NvK71
|
||||
e4x0zEY2mXxLBbsxVBvHhpg29HseX/AhHvUAcBehJ+sqnenXZqdeNhgBIeZubXq6
|
||||
A/gfscswF/Ocp63Z/vqAjEmvUKwAxNKrKlwLVShVvobPx2N4hH4ZT7p58cjhMhQz
|
||||
Lm4whTHy1hvBIR6j/Lo2eOkkVhiMlrrvWJIAEic3Gzj5f7XOsVr7CXjkSdoXHOIR
|
||||
63ZDO/9Wy6ygu8vCdiIFlyRyUBLnGhUYVbRYnTU58tQMfEYy30ZKF4vxz4Ysxoy1
|
||||
oJa6emaa33Nn1Z2kE64AaW4wbUJ57nROuFdoYTwJ02vyc51J4s0C94EA+a5VrQkN
|
||||
J7bT8P9G5gksp4b1WyoFm+O4aU5Sx+XpSO2IZFuBL05anF57Pm6Bz3LJX6sEYima
|
||||
chv72q7PYeYbETrl4DZxE2xlEiMUvN4DH/RExpPWeUsVMFtS5n60n5+AW1EYyGJ9
|
||||
mfWlvZ0xCjQ3uQINBFxbVW4BEAC/gtho2rZl6/+/szkOfEumAdFwyQbtM5CnJyuU
|
||||
rnrneWWlnNPLeaHml5a9yrcgOZ15QgnFD5YOHZ/S9L40goML8cB118etk9uE7vMv
|
||||
EtwxbkqZXTlqdxpFI/SzT4jJCa9XFQ2uA+KdmKmGW9EagtdLql2B9ziMhH0Ha6Y9
|
||||
5x+9+7/oRYU+ddmAbwrJjdn6bCuYQ7QVpccFC67qdpy2I97v03hst7yGT1FbrIjE
|
||||
sF4nMig6Uhwma5Edqm2dLaVXeZ+Fl0WeQCnWjprZMvkHCAxjTBlQpmvvwcQwqHot
|
||||
s832s96l/Sd5R6r+TWU0lTtXpcxL6t7MXfW+BInkqg0ZiHG1Znni6SwfatzDv6W2
|
||||
lJW2pj3Ub++JulEIkbct1f+TEeeLU0RbJmWlL/qe24fodKg1ixH0gyxsRKzdBUIf
|
||||
vgCkrzwLFgJEHRISjQzIASVtDdt8QoIqX8XALgjMBgAnZqtYrAEdFImWys0K1zOu
|
||||
MbuPcTImufz5ObnKM7rRMdCO9z+cHGs0TT2vUvPPuOsNYL1GX4EfrCp2eLKahjJQ
|
||||
BCxfatn4mFqHVmR/4a7vqq1j4Qfj3h08z7QVrNwGWAF3r8nmaHdaT0m55xctMRQa
|
||||
3N3UaYj0IQ08CSUJq5e005Z5Oinbt2O4paxnG4/UbJXpRiLEVU5Ja17IBsDfZydx
|
||||
W//ZlQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVW4C
|
||||
GwIFCQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQQVaJBoXqDfahNx7yAXzF2x
|
||||
8AiEBwUCXFtVbgAKCRAXzF2x8AiEB3iPEACI735VFBDd4E6wlGAA12Av+XnWSruo
|
||||
Te7zGdKo2SuZ1gN1PYdNgflbifYCYajnQENp92N3q263Sq3MDf+EZYKijJ3EoU6y
|
||||
chjOJR6ge+UgKPdGQc7Lu61wWECBFaL6TMXCedcZ/Xd0xT2IbvK8qsKsITDjiDOh
|
||||
DUqdjVeyPXyfkmSrF5P3hvNxJvPbQ6k5Igx9JA+unLXxatljAeh1whnchRQAIKkx
|
||||
l19Nr1z+odFD+tzCX4HQmUfHRXgBiJICyIxWB+U7USqLtqk+7DE893meceSt0Mz0
|
||||
JgLct0E5EFfCdwbehnl5NJeay8XEdcfjUkeyb/VAVxWYUBiG72okUIaIP7xR5MW1
|
||||
P6ecdTr0GzOC1SySpfyT0+ot0rtXGSnXrBzpY6nU14hDoV3g/FMas+qz1smTtOVi
|
||||
1MVakDRf4QyP9Jqf4q4/GosRrgBvXZHi+zWkKuf+DXPcL/q6MfgHvQc6tFMh5ONQ
|
||||
snrF3Bca3BQDT2GKjSukeG3JmECHmKtQk22jhk6T9DJ3518yw29El9tUgraaZ5Fo
|
||||
Gen3TYCxA2BhV2LYCSLSHiTPdtUsbDuIP/FXaFXr34nAtKKOSSY6nP8SMzCPSEMN
|
||||
iscfdjejR1Xd012T/mLqVCBzFJWyX2RaUdygSWUpt/QdvWa4pXCgYZjEVidraOws
|
||||
VWMbb0zuI9KCseOaD/4jd+awtnRUj2SbGeJSVnqDPk0Hk8ndFebAo70uQGATkLXC
|
||||
m5ls0RDU2xHZumuUk+b74Y1KjwdqF65NEmfjaSQ6B8gnCO69eKHcUT821ED9bwfa
|
||||
4XpgsOMEoZklvFByax0JMS4JEJU/xfsLmfeuXVirN9Z82vxAXG8fuK8bso6VLG/J
|
||||
Mpxhq1Zv24NQ+uevvh9loyWMcaw3IqPvQzNlyuuya3rXJYZHSH7TauYgqWySXiGS
|
||||
H6oXl6Ej4GR3t5uWwHKvEREQer+KPZV3uXRnrTpgITy+PxZ9ywmPwmPBHcD6c0P+
|
||||
g0lNNtDdvw69qy+oh7JaqqYaDvedseN39UgBSx++ewRhq0OTikAD/BCv1zhPizlD
|
||||
9BHAOsCxrgnz0WsONYKFAE8vtNo/wB//djf/zqMsI3iWdbWqM9e/muEEV4jQRWLW
|
||||
TWp1XTqqvkc6TsLBBNO5zisJ0VwSfDyRUplr/IWeUl9FrRngjBJqF2nl90US5p3o
|
||||
uk5wUWdjFa0haFyDgZNFwyFr85mex+o6qIC3oif7UjC4kHPe4wzvHDYAxrHMB6MY
|
||||
QvrcXzULmInot3qRAr5duUNbQbrjdtVvOQFvjowBP5Scu5ZBSzc0O2TUUSKgnJZS
|
||||
Bs7+yswfgyhYzusbxlOdA+iE2Y8GuovamGYTbsdCxDStOMfZnaiXuLL04Uy1PQ==
|
||||
=fX+D
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||
|
||||
mQINBF/u5KMBEAC0hPiTonjYEe5FqNzFn73KmcN8KGD2wzujmWWLnFXGEVDEpFcS
|
||||
ULQDshhCclwNeXUArUey4nficwpqUe+Xl2h4dP4z7yh3WiL5nA5JRjJjw8KJQGVW
|
||||
AkgiZTnJHH8DrzNt9LnDL516qMDJarTHemDUUUZLNxnuv0RDEhDxsXWiVCQZZcw/
|
||||
41yIY97uCf30dsDwnckVl3iEmYaGTYavWbKP60S8WaxO0YG57RI1etmlIQ0nMmka
|
||||
4bvFnwwb9Jdnwle4LIiRMCGymsheaKCKrEZgIJY+idyBuExLLykiL8iNBj2Pzi7z
|
||||
XSCniH9qcEwfqgZlP/KZwujLhGOc4c4peNwpuDGcmYZoAsUD8CZ8H/LU1FIR2A1u
|
||||
/UrRREtC8nNTDGxCckSMEquHNURfMk1QmDbJ9gaa9aOk0AArxuTxyj6Cn+KQd5l5
|
||||
0mN0R1sDVQq9xWdvnB7N0d3MDhnV7f19iUhi3KYvjVTkCMXjhNXjDH/KXFKoFhKa
|
||||
9SkxYGfW25inwSQoqbP1TE5+rESf57bo+XFxfVQuYfVJ5BlZobz+sRl2iDQyBJDM
|
||||
uDFyXE/t+E76BmwyHeOI1weqUMYebqHgu0x76dTYj9yWgWdQAC1pXi15/MTIaOtQ
|
||||
hWezb5rkI2yZqaZLaRBOIRBIPM5C5AOjL2XbfwUuSr2W4+TvxLocxi48DwARAQAB
|
||||
tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
|
||||
LCAyMDIxLTIwMjIpIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBH4ckayA
|
||||
MKWlnR76uXUPPIdyPkASBQJf7uSjAhsPBQkD60WABQsJCAcCBhUKCQgLAgQWAgMB
|
||||
Ah4BAheAAAoJEHUPPIdyPkAS0lMP/2IgMErScBUaXrZXqYXoluR8xU0p9DyZEBx+
|
||||
ZGNAcJ2CTPAbn3FrkNGNpK4SOCLXEZPKOQ09umaIxl8H6uEGaTut1JLj1qGaZ8ID
|
||||
4gAeQcTIN9OQA5ElQo+ci20XE9JSvzqY1zb04EkMuVL678xPCYJhUSLS0MAQkcDJ
|
||||
JQLN17SwNi4vGqzVhnwKUviQU9/s+LRUkThsTg4qT0fNnmGoVJXqrshxJa2ZWM6J
|
||||
QtOWBgJiC6xZ+zRiZS898L0tekU4o9yxtnnDWry2bI+mJbxAp94ZAXgKahOU7LKV
|
||||
3SPxkx7TAng24nOWi1EaP51pe7usTFH1BR3CUHZdoIQ4xruZGkt/qPumskofzl+1
|
||||
8bw1bEFbq8S6jC+twT3JUcE02HbEIbrd6l2T8pYBXaojFggGjUTSv9d5YUN5N9U/
|
||||
/Qy0o3xZwHNdXLx6xSrUO+NT5JU1Nh/0sutEH7ru/YqFZof9vfCbV86y8fIOPgk8
|
||||
LkJNUSu4QCJ1PHKB+fJp7yAhlPkOXNG1b9+W/hVp96rdkovpCUkLD83s+suQyJGk
|
||||
QB7Qpem7nS4zp7/Naui+g3M3p/uRSzZgELTnXNyY//bw9fOqx5SDLjSUslUMz+TH
|
||||
sFTwfo/Mot70MPHMe6aE6tdTDoJTcv4Iim/8MDhJ6yqKt8sxprataZoWwFi6zAF9
|
||||
BzWkJcrbuQINBF/u5P4BEACso8iLzFJ+M1wqcsCDup+GtRMzte04CAlLmaLgyzfL
|
||||
3xxBo4AUgX6UbUCGycG878JVn52S6Nsl6FlasmyH00MGjZt1CuNz4htfSmLGcBMj
|
||||
IwQv1CYR8bm9EPwR15NaWdgzJHShCduMHv4HdfqSa6UQfzO/P8mwioER19fkDQSE
|
||||
U1KsY0yl//ipWiW3ZJGShGHLnn4YbxogQtsRPESKUsQ9MtzuMt3ehGtkN4RguOXC
|
||||
6pCWP8J4F9lgjSZ+uLOQKV4rmpbSMXntOJi2nu+14Zj36enW8xyAXO/w5z/wci2G
|
||||
LN/aa/v2a3GM3WJQsPNzpDwB+pr1n0Kp+wK6K7siVmDoV+WecD2KNNgOuSyUve7h
|
||||
BjWRM9W13LsgLGhKJA8yUpPvhXk91vLRUhwFJ2GUirxLPLs2TSTjHlHvhcPy6aX2
|
||||
HxbHkcOt53n2h0zx7ntl1N7XHozMWmHphPsSvOZ5StuQRAFvfE63EyfR84KUPIbZ
|
||||
kvftbAJPKCJC8W6GqhfORzYZqldDNNva5iYHF1OItF79ZLGI56diNsBV9SOVKk4d
|
||||
f9Qp6urYOd+9RGQGmCQte/WSFaU9z9QYPEGl1NlmGAWt7KKyB6QXZH1oEMwXtPd8
|
||||
4GQX3XGtyggEp6BGwkFFWRQzF1EZ0maRPrpN4bpQqLXSJiqQxsX+FAcOkhpo6X7b
|
||||
8QARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5P4CGwIF
|
||||
CQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQTpq255IzwEFuiZP0UMA6+pClln
|
||||
xAUCX+7k/gAKCRAMA6+pCllnxDtmD/0YCUccmKudW9PiQw7mI1HSuwL6aS+MlG6/
|
||||
LJ79nmi6TTpe87NDcEv2bBpVWYcQK87smCxIYyuj4SCZuBQivjyuecipRoG14PUh
|
||||
KU8UiqdF+vKDvUAA7huOBlR4dgr7/KvjirnbwO3mGouwZszDOLvaHuO403+TPm1b
|
||||
mJtEA9y6Wbk/+PTtfPymQwnaiJkPhQ6Q7ZbyasRIisO3MRPacUjt2DXFi5VV/Mya
|
||||
8o5Pae3zY+5SjMyE2siPnVE4/nzp424jDzSq4DGEUip/x+QYHFwxhCJmdZlRIFmn
|
||||
vSCAGXBpyPVbckC0Gw8kZ8HsGzNbMbx/VjDG3LFT8TR2Djsh99/6icO1J+jDkPNn
|
||||
IFEsYjAw7Tos5IPhIT1XkSCW84KqBG5pGI5h7fJzf19sR7Ki6XyFe6VYvggeQIS7
|
||||
VN1ISl3tRN/dk0GbrKkUKr0OVfaRD0wXQHTzbec8Fs43G0z/DKoFutGB/J3yjAmw
|
||||
IOcP5R6rqjhVp4APQpsB51XCaaqEXaXZyMWrKILbPIjlE6FHeh1qd+zdIjullnF2
|
||||
YZv89HU9dIXxKr35CM8f3BWm4D4cRjsUOWoGhMNwdHzHYOdys6T72KBK9D2irz8C
|
||||
L0bycjN+SIpde/auo+dQKqKD3/ipr4dyKJyOUsls9cyhxkFp031cZ5rWbXcLJ8/s
|
||||
1BeVPjFCngqPD/9rMKA6kCSnTo+rSqZRxo9RlQwy4K6xfPPdHZvBi3A4UYCsurgl
|
||||
qLtFtGG8SMWigmUZWLT6uhsi0orR5wfG7vzajF0Hcd8yuWa4zGeu0rFJXgG64Pyj
|
||||
nJHtv2Tzi8DNY5Y+8mfXqUewyEUXQLxnLqpGlPjNUAJKvjm4SstNadewgWeb6F8x
|
||||
UQJc8owGmK5+yZQ5LZj6bjt9Dr3SCM3Og/iS5XK5POGUJgtgXLXp3uy7p9SzsJ73
|
||||
qhrDII/YqSwToMu8tUv4xEGxyceVPDm+ywde5SXYmtvMYrq5DBdlalZ9kBlC5fyc
|
||||
IIzKoIOOkKKpa/YAyKdLTk8ZByjDk1RrdcOyP4VNpCvyisf6JPwWfKdM5mxf47hb
|
||||
s7zioUH7miUGA6i5TNi1e+DU2mL92sJwQ0WkHw6KaUez2Y9CaD8hZnQw/h/JcNq6
|
||||
nb8y0GR8h7qWms3K0rtSs8SuDXUsdZrFAeURivccmohXddtt0FDzkheKGXs27SSl
|
||||
8oOCh+jl/hEUzz2mJGFwRBo0FI5ipN51IfjhMJ8zzSmvfrtdwT2Tu6wSY9DLsYR7
|
||||
0tWGOc2HA6o7kdcC1V0p2jvQct281FrC9dTXFgcDuGUBYhzEZeWwjuYQXBzMquF6
|
||||
ersVnPo/Z5l1SnkK+wVBQbf4igHOaobl0AQxnb86W4CXBTZ3CvRq6o8vWbkCDQRf
|
||||
7uUlARAA7oTlVZXhdVlPnSQlnI5JwovG2jEIrRifpbyavlhlosX+rgtQ5EILn0DS
|
||||
PJ35CNfOAeOcLQeRrJAZj6w/x9FHWfKRAHUeiTTsVDzTrDyJBCVuC40ck587KVUc
|
||||
GuB3vee03/y8qAczj5TZNaDdl+4qAzOFQuV4MjwJOx5fsXZw3dUAS7pw1mTkAYTh
|
||||
nz557buc8JJCxrebT6FvN8bugk7LJ8SYmI154Q5wCdXB6Q42sdSMFlKKPYRRmIvX
|
||||
vI4Ytl/J35v43gCLbXccTWQpBX+ra75sndS2hYGQhcC+WdNtt4THgU6Sb7ErpJK7
|
||||
7A1r1Wf0WSioQ2VWjT0QbUE+6IXD1J8duh6ZgzuqppMm13aDdMDZGwdcxlFw+vlo
|
||||
bM+IAX+QgzPjslM3FHVvvfCLka+ctMO+lL0bz1G4njNEXcIAILhmoqRI4ItVH7Nl
|
||||
ZI3pAfLLB4qbhTKTIiS+uIoA82RU86ozr5oJZCsJa5N5EpJnYxnjv2tYhU42eh+j
|
||||
hyM+5ra1dXtveKvL5SkVuRUlPZvgOuwQ14Qnj6sv8CmtBpyVpupHmY2RbNtLVLdH
|
||||
Ix3lyQbgVo9iMJIoXiPXmcRWCgLgOeuETjFXsEcFLxuN+D0My0dtwWcg+271vtPn
|
||||
0orTObxkctFK+V32ByJYxVvytNCW245bICpxCicxmh5kYEmQCnMAEQEAAYkEcgQY
|
||||
AQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uUlAhsCBQkD60WAAkAJEHUP
|
||||
PIdyPkASwXQgBBkBCAAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAl/u5SUACgkQ
|
||||
xbTukxqfnf2aeg//ZspIr4ETVf3ai0dXCm2Pf6gpM7QUfI9fPUHymvBhNrNhfZqN
|
||||
ADpzbJefzLif8as7kUr904zTc5Jse5a0MzCrMyEwTDIoCKDv2ktLq1L20bwflZs+
|
||||
oP27CYC5FkJYgLYPrQZ/7hRC8EWjgn6v3seJtEo8G73kiVEBOnxVEfGZ8zxmX1Cp
|
||||
aOWfhiFYCmkEe6Ck9hG+OaWt7+WW0wWT1UFiluzRRAEMROcCUtyB5IPCqCH/Rz/m
|
||||
/bE6G+lHZo6OY/wY2q/oW2f9JB/4QyJeSI+fkjY/wDjfNQjiPMLfZctv25IeZYVY
|
||||
ZvIKrdnjbzRe+GwYLg5G/SbpSOEb5O55Ps8mNUpYFaMCfefW+DG48a4WyUGzFr52
|
||||
BMKvHKtc6c7P3+muBAqcNZYxRqyLIQiYiV9CCjpIV1WgUeedroHUXvJF/SAvNVvB
|
||||
ZR00I/D2hsD9BFh3B1FEYbw7GuYuG27Z6fgRolOQUeTabjQLI386SV3IxZ1KFwm4
|
||||
GU8BTbUA2zwT3hu/BaaCI5jTSLyBpdo10b1wgMEnqmXG6AbNdxFVEWwE+CE++BHW
|
||||
0YBhKp8fghHwwN1fwTCV+QyA4Qn6EBVDkTrUPKqTeCmHzt3AQh8WVrsmrodyr5Yp
|
||||
69LoRnlkLcGJiOCKMOmkop9Z32ckGieYHrl24Dw6hmUSWDG+pBn0ezbSPit3FhAA
|
||||
qD2y1VzqxsaCOD634Ltq8AbvphP8XZPrrsC3DIA36ITaCQDa5Cn7madLCXy/uP6N
|
||||
+tojtzXf4tUzumwGJGFLtdMXNmuEuXrj++NrU1xcscbvDn5O4NDMadwI1EDlQo7w
|
||||
uWK9jaQAVhF7iDEBEazZe26knQFxC0my4SyO1uQaEg3BKHj6z7dkAjzWJaQZhzql
|
||||
yrRzbCiVUUI8ZkrgM/+/6NJohUG/had6DoefgK6H8/yjgVx1Wtx+XAuBQ2cvclhc
|
||||
TAmHs128dWduNHxI2Yx+uM4kuHYpPKBwdEh91ZNeNqtBJURfSVjBCjKkTYiS7kiv
|
||||
XyvQOBdZVeSVpj/QoAfaUlQoBVm7aF6xf7GtYlVzjMsLYdpjXhy4ZbQQVUuPI+1f
|
||||
yFkw8PpASZ3gvO6KQ4V2w3hOYAxYQ1kSwTtaA7+18nyv65VolTmAotmLun94UKn7
|
||||
zjopByBnC/XEqsU3tibg9A7xQ2KUpWkpmG35f4ZR9aEIxSe2Jmm+Se0JfiAq6Szf
|
||||
dyWvr/TzaS/BZL4WEPk2Vw/mzWEPZOscpIkBFGK+Ul7yuXvbrbwr+zmAikHmTb1V
|
||||
XfPb9eBnwDDuRHhLBym4FMrPjzeziAxxkScTfDjWq6rvMmaEe1CX+dj6ldx9Jp9d
|
||||
iUngol89eSgAQOtptjcit5o0Y0Mu/RF6KIBG89ghFly5Ag0EX+7lVAEQAKFx5asK
|
||||
W7A9BNKPkaXgym0AlW2szQR1nwxi3APLVLS0Al9Y/3mnBbYyO84HDr82AtMSWSMY
|
||||
UZIKtkUj2sVqUb+xHOPkY/MenyoBrCl2qaTVJ89nnWMUjtrX2qk0O09+ByoYXTit
|
||||
BVPAIZ/qZfGNB+Dsp1haNKRdowkf6WXkw7A9dHB5isVmaM/Z0THNJRHwc6mcqbEV
|
||||
M4fDL+OCx6m2KQHTHirk+OE9Nwral82IIqj3d5UBHmjHAbQNXTDzZbWg6tYbLN3I
|
||||
EYxSRQpkJZIVheyBmWFZuivm4hCDZxJlZ1sgxQeIZk6wR2LBR6ccTW6PH11PhIpr
|
||||
6O8aQh8JUMg+/aJK2eQXINozYdjOTUjnWAUeUqML7Pg/vERRAgHXO9Z+NTIEWEOo
|
||||
Ee+8WOFmrmfjb9Uz27DtymhUjOl0ryiG6F1b90t1rZvVKWR2OaCUhICm88o3MCgb
|
||||
HFeOh7v3tnQb2Uot7kY1hgch6j1MNYWGb8LjwoTAmx9okEv9mh119k+SdVJP6wsX
|
||||
ZtL4860vTfTw6RQM7rkZBzTyf4qCvU5uRSd2u6JqtUhw4m/gkKQyW8jLEkqX7JaT
|
||||
+iEBgPzjALvfSWDbDgst0szqU5jltYpgjG3On7/ZGFFJrkB06orUvovxLThWWvm1
|
||||
iugw4/av3n64hl/yfxvKQHLQA3Kfkjjzc3oPABEBAAGJBHIEGAEIACYWIQR+HJGs
|
||||
gDClpZ0e+rl1DzyHcj5AEgUCX+7lVAIbAgUJA+tFgAJACRB1DzyHcj5AEsF0IAQZ
|
||||
AQgAHRYhBGFPhWcuJXtdQn6ZBiGZBzrXgrS4BQJf7uVUAAoJECGZBzrXgrS4jfkP
|
||||
/ApYZIRnBL+LdTPYdbZDYXotkE6RO6ZsPdcV1G6na5jJ7igdVuvoz5nP3rX+oQoH
|
||||
6k9DysQzyh/SkXRPnbOOyvQsI7atmH7SkhNn7ke8zmEJLzApHA0ZMGXtBJHQkZwA
|
||||
5LDWIQb8HbtJTBr2DyJcQdpRmP3hHDgyYgwg0AUG/2JEwYqps+/pqJCrLSP+GLOA
|
||||
ia+wRH9xwv1Vl2gIxWXqEO6U3puqUg+0z1Av4Gj/xzuw1F3eLrOfgklhpASc8QtC
|
||||
89kx1nhFS+OybQfRAH7YN9DKE5L1kJxQ4t+uW8TiXf9r+MdcVMEI3LATZRtgowFc
|
||||
493g7EkTppmqabFns9OamyxXdIzLAKoKvykr7HPCBWUnZn2I2RrcGQltRBQlR0Mb
|
||||
jO+sFi89XnFPwXIw/t/9zoq1bXCGTt7H5RtrfxC1wTYXqLEdV9pptNj7j5mlff9g
|
||||
DMw1v3MfUxbz9gIDzs7ANnw3SkWi+d0v0bLadWdItkq2WKvvgB58NJtKPc8Jwilh
|
||||
nO7W31U/kv8FR9JcFXzS9+Y6ejIClF4FAwr5tK07N/xSFAKEs5kyAYEKxP6vI59m
|
||||
5h+tO8cws+pi4gqfWa3t3b+dVzKl9AIkWAYjq9FvbfiqZgKTlTviSUMpmK5qJVld
|
||||
72+NiolUVniJbw9Z10ps4G4zmXSl1ZxyKnehUzcKyPieEEsP/1/tctQx1LhVu0TJ
|
||||
RLtWrE523hqxpqDdF8/QrNp9dX3YVoEkMQW3YYir2oERtaosWXmRjldq5dNfgtwc
|
||||
lhG+/CP5rxNeCJlI+b64pC/yQMCrbz/V74aAipuv7ZZMflgr7ZD5i3jyM/7/AunS
|
||||
qOUPwkKrjetNF85eibeO7c0Y9/HhILkLQ8EoNfJshdc0/scwMZEpLHTMAHSrxCAV
|
||||
FuhLsF9epenA6IbtuMsp43aSxshX05RH7F94uj4VCMUSs/90viB5njItpPdZCqUH
|
||||
eXSvLSjxqsmS4Tz9Dn+uWvxleBLRRcpZykuNLGgwVXafWftWbA+U9KaJnDWFdzjJ
|
||||
+gAsWfHfFBOa1RfXYP++e+VJflcHaEZ4byLG5Zf1HqAvvcaShAVuMXY1hoYJinvh
|
||||
uk1zJRW9dP7apZx7BXWxbWcn8LMR5GFfunl/M2iNASmkqxJ9gvy6TBRWJu2QeNbN
|
||||
5Ks0/GDUawQqvhmM3V6zFQWVsPwaHpufIaGqnKC2gXaIHXPP0ldyXdLXwgZ+6A7D
|
||||
IEqHQB2BDbiJtovk6GaK8PUCEHTiDmRF/mBzlpBJOn+Hc5ELufgr9E2lkrKJzFag
|
||||
CBCucNhVEaUedFrycxfSALing7DJPWb5cobu9K+3T9L3k57XgxSAj+g6vOxHuxHL
|
||||
ve1IPheCWfkKpJH5faFDWKpJYYPauQINBF/u5YABEADgWTS7wFA39XvpWNHSfAAR
|
||||
2/nlGWuTvD7zoirzUwOd2+I2XYwgl910KsznhlqDrHZlqKuGRjQlbpyTbsOH2N5k
|
||||
IE+0uEXidU3iwslSZ33RLL0h9+czDnlgijYXLCg5ScswBEC1E/kXX685AUCTPX2n
|
||||
D1+Ymxxgov3AvItVxKDd3N5ERsy6hYWPK4ACXt47hJFqPfPtnQe2IdFkRm3bOuX/
|
||||
X79Kb5N6cAoao65Tpsix1pm6tTNww0+THzIWzK/yhi1/tUOv/QJMEVAxeBAPr+Pm
|
||||
mvjHvsI9RNQt7VnoHVkqJhPDxyQZR2IOVQXvlYyCtkPA4WQlyxLzWM24TG8xhD1v
|
||||
zZzA8qs//o9QI8OLg2ZYxplC4lW6GEZk3GnrTXs7bW6HUq+RlayIbDw7oMs30jAv
|
||||
YyDdQpZrYuZvsWKbKu+65Yi3M5kW0v96LT3ueMJaL/RanL9JhAWuEqyezffsBZ5a
|
||||
88/i0n9FJ8cQ1fZq2/GLq/mN2JZ3e/HSWynTnlmk+qGk2bq0cRFJNHAs2HNAm0Id
|
||||
pjSFCPmek9j30wp2c2knML+SsSw5h6570mwILuKwFr6i2hyFlPk4H7nP04vPQ8P2
|
||||
Pu5O/Cfg9rPSBjIi9FsNS8/a29sSuOmsSGHZnMrVUpGw+iKmx/jVejOtqe6hYydu
|
||||
MSQtIU59E2fq5TM4tub6qwARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88
|
||||
h3I+QBIFAl/u5YACGwIFCQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQQjoUGa
|
||||
YHzyVyZWN3UsTffOV4ELlAUCX+7lgAAKCRAsTffOV4ELlDerEACBP9kAH17GHloL
|
||||
XJjd1IHttRWU2Qs/VV0H14g14hgRz2/Qa7KRR4mGrXPKS/ctMkDXwlvs4HPUTeO4
|
||||
MMT38hwxv54AjW7CtF8DR3EQFXKR51roICQognvqpPe1auNERdLzAdcn+NoHEQB7
|
||||
eyPqjQM3OGGq0SVRwNnv777o+Kd8Ncv/4fR1xvA20Ds94G5vCYpHB6J+lPPVXBmz
|
||||
rOYSf+QZWsXjAZdnAAYkpEjfJhNrqvqSoRxZ0dweCqieenm8Nzt/vdL9nT3+4AGy
|
||||
5hmaAG2ENj5AhI194gtgACvKwCl5hF0VKMhtm5d9SWS+1quHzgn3UFh3VZrfjPid
|
||||
CR64mIu3RpZe7EcR+lMl7gCJxdFlHVD3z1lbz2V6u+xH4ZsLrTY+v8kDxzY8ojM/
|
||||
zDbnlEK+xzA9akhlaD3D3wKXRVuSlrxfEVv14mwKN5AYHN7bLL3bjOo9WYtLznH6
|
||||
Av4GqXSQ+LOl0+6bLKmD68/N0q2IiZwUSOsxTE1fUdYPF8eiN8L+35Qt0jwybieU
|
||||
a3JYtmO8EW4ZEmjJGwKgyrf+eigJN2/0AeBwcJyUw1YfzaqqS35NNyn5eKANyFQ2
|
||||
ZhIjuXRyBOoUMBAx2TSm7FGeFOIw+aQgap6HuGbZ0EZBz6hr9ogNC9FVXCPENKo+
|
||||
GdTGoIEs0n6gGOPP5ssp7xUK3420AM3HEACSmYaNC1Gfq2d81fI0TBJ9ATCRPo14
|
||||
MjJGiWaFaXoVp/lQeOvlX2JyBG2I6fhMGPGKntCfX+/MERLNAiahQgOjvnOCQdlL
|
||||
hbq+6loQ1eSTX2AXpRlQpvyxLuebbM+HX3N/9mqAksgQdljmqoJQbiE/HqXqjmKe
|
||||
16ylU3Rjabyc2p/31p7hm0IJ/3yqDsM06FUBJ108SALQyVvKqRA6q1t/Odb3xgt2
|
||||
isbCEgvhJ8kYz3LQkvTW75rSa1cM53Udd1rbyo1t0PaOSGeUZw73/nY1+6LtUEg7
|
||||
Q0x4ohL1UE7z7+14mAtn4OvGDuZJil7Lf4cPszf0SFoHPs8iUFpSorBwn3u+5ZXW
|
||||
NYFblPU2WK3O52qZqsjuQI/gK7uQhXjJO5nA5M8Yv7bVrbLMOj64hdOpNbd56Ycc
|
||||
qwYbHZL3WyRAN7TNg5ZlHgIVac22StawjXiHWDGaAXpCaHJn8ryM3LY+LTz16R2M
|
||||
bi+HVaw+0fY9f/mIcOdT6AyDg+V200GkGXL6aw0LZkBZmDin+OMmL7AS8TZ4dvZt
|
||||
zj+sykcT8DsaFj5Au6zHJoCnsuShMquHOA/vcUkhoe8/E2Y2QdiX7zwDM8vFM8tX
|
||||
DujFLNPIZuItcVEpE3ysFV2ZfVgBXoxTlZUQxdgJBQ0zg6Ez7rDYEAhVqo2gY9sk
|
||||
XtN80X/unsjGSbkCDQRf7uWiARAA3i7pu8/QvukeIBoIk1V0GHGPjX+GeV3fR4fu
|
||||
ciYgx+NKTXT/oJ/89KVeetT4CSnGEZcEpAvsBL3hsiblJYyLVmeoCniFlU+rMem4
|
||||
zYP2PnEX70Q56d6SjBArs3K1FZK25S5qqv5ceM10NVRwPufV1RIuui6mQLm2ZwlY
|
||||
JyyANZZXMrHMJdaHpK9mMBSSF42MFQZhcauQCrhMhcpmZKn0D2+PpRveYwSr43Qi
|
||||
qBWR2INTDmj/V3ERMviE7vLajWQcmDdcrBp4u3miAJcJSn3XR5SiuL5W77jFEzgJ
|
||||
zR8yTC4hWE60nWJOk8UrEbpLyr7mBE0Tr7+1IBMgVXh8WHyzLE2ENREFvtp8KlSS
|
||||
y47Ky9n+5aqPI4M7epMNwU/ZGQnC8o3yX0zZL1tKq0fTAw1Ly4NGE1gRbmzrQcCh
|
||||
qUHg/J4KFYBMg8eCAzuPp4CRk8wUzu4fRWrOraoz/7bvhH8ilgPu1teLLKzDdOdx
|
||||
QAaiz/nGy00ICNbYqifR5m73K/rDdjtIqgsMp9Az0mEpgVNq8SPzM5grqAnP/iww
|
||||
QxwFftiXq/pEP2d8rn65e8NikN42Q28PH1D/uBYnOuVdZUvjU9wwywmfyr+NZMaH
|
||||
X9sN8R3Kk990W9VxwdOTITpAjz0qMtpE7i/GwPEtpZPTIfl54+cVKvyUjBuTXkWn
|
||||
vXN+6MkAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uWi
|
||||
AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEEBjEqvVaiYb6sKxATk1aQ
|
||||
aqvQi4MFAl/u5aIACgkQk1aQaqvQi4P2Mg/9FXfsIZAgPN/Dq95y1fHG8jsPXEoY
|
||||
VNY1codxxAaNqvBXZkfJbFwSYpLY3xIbyxHuGuOtC9NpIy9M1+PR7MsxtZAvSjP+
|
||||
flP/12x+6nP2H3NWOICpsY1tNOnQe2SjKJxZXHFnDqDBgKpv3QfKUHmYEdExJe3p
|
||||
NQrjZAgmdbEHeoj+P2VV5vqRrJoqNV/pUbM9czfEHeMVMm/mwWNOi/paCh1y/PxZ
|
||||
Mkj2bqLMRFfML9O/7QOJRxu3wQwl6jJHj4o6CHks6t237FSB+qZhhQP+vR2CZl5w
|
||||
lQ4trw0wpNgbZRIMlU3tUfFQ+KdFsM7UqwzwrVgWFur5r7KrFzJN88EKSplrIY0q
|
||||
se6S5b58H7Tw1jtfjb/xF6jQz5aoZ9xemd8roLReRpKPq70o2eIP1HkjCtqmd5Xc
|
||||
RQaVEUvlv34WZQ5w2eA1bEBESjbrKhX+H0Un0msUS0JpnpegRNZqW3Bedeos0usy
|
||||
MsfqMYmZEcZb3hw51XnSb8B/WhkSmcoEuECRxeCu1tw0pn7o4GemAeqT5ng8LXeE
|
||||
RJhrUTlCIyRab8TIQZvmf6XjneT0stZLKCoZUXO+7FH7F7nPsew1dU+WFIauQX71
|
||||
PkZp2JMT7W57HKPuEillF8v5+H1k9Jq/2k+ZdgmT1Gd27nALBOc7q8rr00Lf6BU3
|
||||
K+XsfWo+p08CXKudfQ/+JFzzpyKeX5nVqiqbxqUakPy/Ot010/7457YVpvcLmcvT
|
||||
Yn4cR0dottl96lp5wT1jN7VXfZu/tsHEtTg1ofeExNuCL8DZVsSN836idRmObhLP
|
||||
dnYmThZcXBJ3RgSniQNwvuuGUtpH7OXb5vnAOe42+n3yucxhPI9Gzo5g6fTqWwb+
|
||||
qwh39ydxtiv3v3jgFixJLj/HH3MsxTm6cNUTWNLzvX+HugBeuOfyDG9++fe3UmZe
|
||||
MczAF9N9tDFP+0b1diXywJWfSdVLBmMARYeh0Swjud60SQLTqaqXVfPSECGo9LVc
|
||||
wot2u4q67QhUC2OTKiTkF6QVE05iKoPEPkCTmMvSpbHF3ERZE3J6YsVg17Uc7LrZ
|
||||
7DRRF+03mu4njS8LvIoeBuqsB96mNQNH/PwLSANWTtclCwj2C9W1HKy3zKjnu3kC
|
||||
PHLzwQFEO28TE5EsblnBdA8ozNIV887V7yw89MxPhpuXRn8BVAU1S9Dj7j3mNHLj
|
||||
rVAgZmr/nx3oDt8VfOZpK8u3u1voZdC+cnTBdcG2gzM8Ya+h8C60Y8dFzykr8hr4
|
||||
b5gDeDI1OkQ2vOQHtnQPdscYKl0v1ntHq2wrFuCIol4WneKh3Jrvdb37cL971u4g
|
||||
dpw0jTO/ykCvLlipxjJ/NrnXFb6TriZRgWZqiIwY2lKEfZDXqc/iOa2L0yBr21a5
|
||||
Ag0EX+7luwEQAM/CQdinTzIHaEJsCe42g6tt4dBC/UC4wD367rJcyJbEd+qaLJwS
|
||||
CQUbg/wrEdRT+aROHVKLwrvXxtgJs0x15vvFTurkn1BnNMh7p8woYwip7PKrNn2+
|
||||
96Yg7Aqc3a3gkDQeF8Q7uipOH/5feJh6l7Iu718pvnDUw4UFZt/RUrdqseFXVwr/
|
||||
ffSalLx7gJhL3mYuU1qpJZxsonNwAS43eViagI0FHSqixB5kPgFcbBf3BIiisOCy
|
||||
a1L9a+zSt1y1aEFC7m+9YlGJA3C0/X8s+dK0VWOrJlP/WmKUp3Epxpu6srsBItcT
|
||||
YMuGA82/03YAJ+jpGMRb+X1Dq9vuOUxvDjG+G10Cgew2EjiAkXpVg/1NsCrQWRbs
|
||||
KtFf5PXGfKCO0i8hEzwmJLd5OlNIIiup450iX4eS77Tey69hGyweLIC4YDPDwFpp
|
||||
bkDdRG6nDvePbEHi5z1L41NaWNa0wEyh28OqrmD0FCcGukk24pBVemVEx0En4siQ
|
||||
la6/1QXQlG/wTi7Yi71V/4oz7iZ4lSPWs0ACFGD9W5InlRykiRXC1cV27f+qMw9u
|
||||
Y6UbgvN70cWflK5C7e2h/eAQfxj+seYFUjMnJTkXiZE85m63p1Yu2A1c9+jqJ0L3
|
||||
Lfn5YIQdtWdY3Qc1RIQYPVRl5NcgXIPV7TwjvnjowuHjWX0IQbhv61lNABEBAAGJ
|
||||
BHIEGAEIACYWIQR+HJGsgDClpZ0e+rl1DzyHcj5AEgUCX+7luwIbAgUJA+tFgAJA
|
||||
CRB1DzyHcj5AEsF0IAQZAQgAHRYhBOJesM8c6ASdR/HZpjPhDkoYOo5GBQJf7uW7
|
||||
AAoJEDPhDkoYOo5GhpcQALowCpZ8UowMWlQFfZ2ySJalnZM6S2RxCFiss4W9pGuu
|
||||
9PKuN2wdXW3HGkBGDAuQgLwanSfhGSt/urT3+DT40OlDMzanRwEK0qiSaSs/xBtK
|
||||
dNL7JmGbcWTXpNP3aHhfYhVOg7NJnsfZ8Ti3dfuv3ZrjcLvgdnZ/s6O9S3gU8DtH
|
||||
fpnOfE3hxjUEHEw9hs9Otc6foCqMDZDvfU3emYduD5AvTiXYdeD/mZBD4OmF99II
|
||||
XWNuQexAJ+xgOPdvXaYt0lBuXmfMcn/1hrU3RJqguwnPZ2cU5zo41/uSbdsFrTHK
|
||||
yEOLTn0XYYk07mZGdscljzmXbpsbAC4Jp8CDBhUfdzfi1n3AOyblk1nywfionLlz
|
||||
HDtfWQYCxp16N8S2MU7tA1w8rFNwVDVwmxIfgjLrjPAgvqSpCmLHTXNBfdLUYRAv
|
||||
SpY9TR+U4YOOuEx2Niwnprdjm1qilN+fmPR3tWvVChlD3kHmSpi1+9ix+xizlBjN
|
||||
eZ08Eq5rDBPsTpqJmoNS8pHE0EL3IVpcB1pZ5rd6UBSa7LoMLeWwWm7Ap5VZALfp
|
||||
jMNws4SA2q5OTRY2or/+m1+cfDWIP+2XQV4YaNFMbO7XKr3vnUOxY9gyADqfRJiv
|
||||
DljHiw5iLzbkaHs7dYJOPNMGMlRzZfkkxg6Patx44TQ2rO7LnyCgVdFZWDHNevgR
|
||||
Z8AP/152xfh3qsOnT+R32Rt8CcwXmKFxLylgpjegcUmbutow9zdlX26qZ67cJ/3p
|
||||
hNLZgAYKPrGecGA0BJ2UzsPEKKz8I/dAp96LpHo/24WqUamh1z2PRAgyJGC43zm0
|
||||
rA/KAlcht8bbI/VuZ5eAYXjH01QfPS7i7fFOryYYFqfH+BTp3ZEr/A7FkcOZXmNV
|
||||
Gg4+oC2t6cJnzDsM0MUJ7dgNAHTLGx6RZZahdE3LJ8oVJ8Vek9KtjJbPr143EZLt
|
||||
ymkiy93pzLUaKWfCZJCCI9nfJnNZnvoQXv0l3wnrQIFE14Fv0jbTALHRgRJlB4cZ
|
||||
i3teEuf7shSDsd13JDdfmxMsxnfeVsIUPa+J0GBSbe14JHXlcd0t03cpbzO547Qb
|
||||
rFpD98XO6Y7OefWD3pwDF2Izjnn4Cny/hpUIEO1A2j4qHhUkqmnFmBO6yIFic637
|
||||
CJnYe3uU7ss/TNIUKLhujqlcNl8WeOMVPbhnCuOhyQh2aioAKn1yiQ1EgNSIGIVD
|
||||
LwqMt0kxI52/aDkZgCcEfBFC1c17IeUH+G0HMGm49/acFHkhX61S4efXhvzH5J0l
|
||||
Dr+0qk4aVKNwqkUNp56GSMLhiiSYivX9Xa4qQGNlmrki1pC2DamlTXDLB67XQcRp
|
||||
dAc+4nNTK4E/czrr0+wlkgz7pC1MAllCLilyTSPGnKIPlOd2uQINBF/u5d0BEADF
|
||||
+6hDuKvzbmKWZNXjJK6Em/5nnzBOa155YQLN91zMs6COI4p+YuIVPPzVWZYR0yHs
|
||||
gTWw45cMV+RYwuL/P+1Z84bgOyPloIVF9VQjOC+wB3Gn4qmTzobr6q+UfQVvUiUQ
|
||||
8fGG11teWvYpWiG91uialjHZmrpAOQxjHRxHPpi0cZtTFEqinCIy6c942xbtZnzf
|
||||
nzPpxkKl0a8s1eKZ0KlDK6Ab59nxAinilohXRg/U6sqypsyLl41L0qMZek5dEt4C
|
||||
r3spdSkZgxqJpLTqQy/5VB4pcfEaIaank3sLxhpil/oQiq+38WA0VkICQyeiCsvf
|
||||
eEKyt1C6COBNH+olegUxudTKDHFthyGMPRz3McI5jHxCyru0mfLJag2hHXzgGoaD
|
||||
VkYIwkvyVsHWDqrZMMXcCIUVlpphxtHo1M32AATnWFe4K1nFdbejR9XC5xWOgwbT
|
||||
zCblqporHzU0c8WBbfJ0Y10IDrHsa/F08PkFvVN48Ydik6rcwowSPxP+59Q9AKLh
|
||||
Isd2hzfWU2zAbG5Ph1wecwlYR3tp/0i3uSTDXfuuaY+vrqpoECN6fnSg8NxiBbjU
|
||||
JR0Ju6KDM2SeBUz5hp9BzL8+OPTogRZoinxBogrRAvdGLOnLG5hMjBezzF8UEvp6
|
||||
IMisGHBZgXoX4Juvf78RE8JOwHa+HUejj5kYiQW6TwARAQABiQRyBBgBCAAmFiEE
|
||||
fhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5d0CGwIFCQPrRYACQAkQdQ88h3I+QBLB
|
||||
dCAEGQEIAB0WIQT2AU9wN9W7TuO6I3E56nu98JFFWwUCX+7l3QAKCRA56nu98JFF
|
||||
W5whD/9Hu5cnJ0hnzqk3MQsdMXbTNLsv+KePV71kcMRat4hjw2Li/TUaC8xtA81d
|
||||
O/1obmsuoDAgv82KlQ7DLDXjFk2q45lJdgZxAkN3dEoYakdTIEi11FvwbhV+qxZK
|
||||
jTq3jFQho4i3GDLgrvBMG4B1TGMH0IPux9fmBGpxYKmp1GjhpgoMXp9bqzsV/mPZ
|
||||
TxPlmIpeJEO2jeCWKhHHw6rzwGjF68G3HiJ0TqvjdCtcNrwd3GTDsdEJtUl49aqF
|
||||
M7VfoqKjVdRO/YDL//+TJNOYz5EBGjIZxbhgZJ9Qz+geSBx9GJtDWdq193ofFi39
|
||||
oleTFnEMj+OeIr1Bc2pc8Z3HJttFknicJDkeze3mM0CZAkhVkLFy6DvAQkXrgvfp
|
||||
AUYFACQW8E2XmRBiKd4huojWYz5QGSEIk2fYRVhse2HAUZ9gTODSX2L13nls+BEi
|
||||
sArsmSFA/RQslDXW+Jl+P0e37BzN51uk2Dg4ylJUBgcpTRUn4Q8c1DgHDhkEVnBI
|
||||
ny2H/MFuhImw9g5xqlBfCEKh5D8D0e4fX28MhSsBlOCeIKJoY85U3GNY0tlIwAt8
|
||||
M7IIHe1n1qncPbAMmq0K48J1lfyTEbXpnSfArzEdbnosjBUaiQX5EwA656eZ6wb3
|
||||
Vq02UDei6KPuOosl4Voy+Ffq5MCkanVMA97/0wV3CeCvQYGbsvsUD/9fLYc3yH7A
|
||||
0xksK7PImztDR8MLsUPoiv/vnfZ+WJJ+YJ0TKAHm1ZO3NqeZmD7XoWHKwh83zsK8
|
||||
x/JUASCBN16isC+Ym6IwF83/HXJfKNvvotkr2WG6Dv8Vg1Hhk2Iv5y3EMbFa9rfv
|
||||
6vjxho+0sYrraJH8qQAM08IIOi7+afrkR/ikgA8V7ymqmdxtMMHZqG+h5R0VGTVw
|
||||
QBxZ5/ZiY56Qn5UH2m0Tc2AHOcAQTvCEwyb19IPyhif+rek3npSvKtDc6WBJioyi
|
||||
gvDhl+jgIfcIo77w6GthgbFc9k68Je56Peu2J30zWj76Z+Di1OJhAj1wFr4/XT5o
|
||||
c1MB/Vfyx3hEPRDNz7dRaDqoVnYVdoI0blyCiSkD9I4/axb4X3xN2SK4XA/zv+Lb
|
||||
1FbCM1XFL2aF+09tk+77EVdWsBmQpOArD0d54E1YulBGaxVm5QKfov23KiqHIFVF
|
||||
8WYqJqNJwbJRZii7klczkVm3wFte3NWK7HW8kfF147lv0z3AiZYnk0O6Mj1ip3R8
|
||||
Qm5yiv57DbbgIMkSPWCpEtFGHIoK2msJ2bQcizh2WGxLos00RTx3IVAeSAS54+kr
|
||||
rMBg50wNczcGHKPDUKLwkYczgHonUtljAkeXnTl69rifChI+KpjHNtF6dFgC1aSt
|
||||
MOud6HhAcd0f3lmuPzCGGp4YOQx9tV139bkCDQRf7uX4ARAAxaybudQK4fMIzLiV
|
||||
grIzthhb3/DK83PNohTNMemM2V2z1Ij5Dlu2XNDypMdR0rKM/QI3zWud1+vd2h/l
|
||||
QZlg58FspvrY6I7hI+cbdRldVaAKDGQHo5Bi0a7BkonZvS/0wnNUPIhy/znzXtXR
|
||||
f4L7ePZMofH/2shz4TZ1yNpU8zaomY6eNjSc51P4vVxtDQ4QofQeJEn8aO9a4whu
|
||||
O0TVEAPKRYBRgjM8faDuUJtLfiC3OrhLg+B7JVSF3di4JITAyafPbZACLjV7Umxb
|
||||
SUL3qTJZVpIuhF0xQOCE+WRx3Xs7lkPdHMqP2OaJ8Y4ymR08cSfIP2XFKsQFtoqT
|
||||
VyMQgGgI6VXF8OfnCnGgx0Do1vJNoL0neFzVXpCPPzh1RbcrtndZWum/1R4egkYg
|
||||
J8TPQH5X391J58Uwd5l9/ZDdoSeeQYdtTR4YQ8//ATFO3hoSRvES4U6ZwO8LM6di
|
||||
ra6pqb6j0liT+DdcBwE4C1bGJMJ6d93S5SfH3llDIMJo7uJDbKILFMES9rg7S6I8
|
||||
+SW75TjKUk4Y7L8R8qwURqEyuOOGfaQXirqvji4PdcGDBiIk2Oq69Ky6lmlJgyIH
|
||||
SZ7SO1JXk0yAJTXb+a6FJTLFxidkIZzu+LhLBn/MhAPjVyv3qCTQ7O0lu8Mfcqg5
|
||||
8hhJ6IE79PBHS3z8ok+mFK0iGrcAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76
|
||||
uXUPPIdyPkASBQJf7uX4AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEE
|
||||
JFV3TUL9/mucOD64/hACvFlwgR8FAl/u5fgACgkQ/hACvFlwgR+LoRAAgtIgaKb4
|
||||
ZY8qoAFZeph+Syg+mMKfPJkBuGUedJl6IxbHBSg2mhnCjJ0bmdqxsAXgtcSUqmtZ
|
||||
Yw9NyoGgiVjs+gu5sQp1Oxc2/keQXaVksTkoXwdnf+2iXyp1WPeeLGySHmzuwy9c
|
||||
eExt+h0mVmBgFls2wNdFGPbVfiT3PvFkwqsnta6HebDTN4pMzvG1IIGV7L5KRo1E
|
||||
dmkrt3lXQWmdgHl3JoNQ9v/Jgf4jo6gDw53YvJFKJcaOOAS3d4CzPWmcLzcy4mf0
|
||||
9YI3DoQCbYL3cRNelUwzUF2L6QyPCwonXemLCmfkBgsSVqvW4fq8qbEHGF2fK7x3
|
||||
d7bZEsUiGCt/tXOkDkNJ31T/mC35nxZfcj8AMPixO+BnAeKeYC37LbQD76jrw526
|
||||
tUXsAF+QON5DPeot+e8bIx9qSbvdqpXDkK4lGcRTuS2OVC8J9XfDTch4wm3Kd4P4
|
||||
lDdRAJWnLfVay0m05LGlekWdEzcjP8KDaICH9rEs6f9e1gy6mTEBnBW//41BxELT
|
||||
KxoTGlcX3yEhCmK36g5C/+d6b7Ji5arGGTCa96v/xG32KYc1zfn3TYkCx06pPUbz
|
||||
iAl2l0MTpGeqz2hJMOGA3JuxwlksJKqnPYy0hHKdVW4Pnn25NeXcBp8wpkt8VZOR
|
||||
bzjw/TJB7qvJHoRo1tat85Uij9rAXqTyO8Ea0hAAi/EfuiDDy3GV7bvjFSA1XEjL
|
||||
d+F40g2X0QG/PHTScYB4rFJwV0GFUxLHr4g7iypAVI+BB4EYikx8gpee6B0g3J+r
|
||||
aCFDDrRPDKdqrpZK53oYcBPkdSBbCr5MAa/M3DerKBEgoBVUbaSHWN7OH2ae+5R6
|
||||
X2ERmYZdW4PCj6lw7a+RhkAsgKo8RjonjV61ehQPZh20noI19Q80BYYSCfHHvzy5
|
||||
vwvByhmTMJNrl3PDpBy9/TwBR5DpnHfOPJX6bnl3pdu65F2TRM6yoFbfoUiEqrXV
|
||||
4wC1I++N9VjrQvXSp0ik/XaMWq87wLIg+1owElJIzwyZWukQkZMAYtesVFz20YwC
|
||||
7Nu8SNr/NTSCH1EqLsS4YhBTsjpc2T8AqUlgxKrilmLbrj64PXgMsQ9WYm5zwlC5
|
||||
UA5eky5YhETFJ25dIaplMm47aIbPSH5f9y5eYPkfOCoMu5oDzDzoXdH9V1YfsHqa
|
||||
8bboSgTdariC23x38E9PaWQNyY2MFKL6cFt2ilIsMSSD6JAm1x8kBtn1bBopG588
|
||||
7mTDtlqHCw/QrTuLreJG9KJ1dQFJ/Q42+csH09l081wlv4BBuVlN1Xmj+c2sWn90
|
||||
l1BPZfYHd9jhggI96yTZhfTfFbSMSuGPQyqHnwDYdA3cNj5BYievBkO5FZaCe9SZ
|
||||
4xcYgqlVpv15O7VrD+I=
|
||||
=Uugw
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
@ -0,0 +1,33 @@
|
||||
#!/bin/bash
|
||||
|
||||
if [ -r /etc/rc.d/init.d/functions ]; then
|
||||
. /etc/rc.d/init.d/functions
|
||||
else
|
||||
success() {
|
||||
echo $" OK "
|
||||
}
|
||||
|
||||
failure() {
|
||||
echo -n " "
|
||||
echo $"FAILED"
|
||||
}
|
||||
fi
|
||||
|
||||
# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
|
||||
|
||||
if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
|
||||
echo -n $"Generating /etc/rndc.key:"
|
||||
if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1
|
||||
then
|
||||
chmod 640 /etc/rndc.key
|
||||
chown root:named /etc/rndc.key
|
||||
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
|
||||
success $"/etc/rndc.key generation"
|
||||
echo
|
||||
else
|
||||
rc=$?
|
||||
failure $"/etc/rndc.key generation"
|
||||
echo
|
||||
exit $rc
|
||||
fi
|
||||
fi
|
@ -0,0 +1,12 @@
|
||||
[Unit]
|
||||
Description=Set-up/destroy chroot environment for named (DNS)
|
||||
BindsTo=named-chroot.service
|
||||
Wants=named-setup-rndc.service
|
||||
After=named-setup-rndc.service
|
||||
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
|
||||
ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files
|
@ -0,0 +1,27 @@
|
||||
# Configuration of files used in chroot
|
||||
# Following files are made available after named-chroot.service start
|
||||
# if they are missing or empty in target directory.
|
||||
/etc/localtime
|
||||
/etc/named.root.key
|
||||
/etc/named.conf
|
||||
/etc/named.rfc1912.zones
|
||||
/etc/rndc.conf
|
||||
/etc/rndc.key
|
||||
/etc/named.iscdlv.key
|
||||
/etc/crypto-policies/back-ends/bind.config
|
||||
/etc/protocols
|
||||
/etc/services
|
||||
/etc/named.dnssec.keys
|
||||
/etc/pki/dnssec-keys
|
||||
/etc/named
|
||||
/usr/lib64/bind
|
||||
/usr/lib/bind
|
||||
/usr/lib64/named
|
||||
/usr/lib/named
|
||||
/usr/share/GeoIP
|
||||
/run/named
|
||||
/proc/sys/net/ipv4/ip_local_port_range
|
||||
# Warning: the order is important
|
||||
# If a directory containing $ROOTDIR is listed here,
|
||||
# it MUST be listed last. (/var/named contains /var/named/chroot)
|
||||
/var/named
|
@ -0,0 +1,30 @@
|
||||
# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
|
||||
# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
|
||||
# broken when rsyslogd daemon is restarted (due update, for example).
|
||||
|
||||
[Unit]
|
||||
Description=Berkeley Internet Name Domain (DNS)
|
||||
Wants=nss-lookup.target
|
||||
Requires=named-chroot-setup.service
|
||||
Before=nss-lookup.target
|
||||
After=named-chroot-setup.service
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
Environment=NAMEDCONF=/etc/named.conf
|
||||
EnvironmentFile=-/etc/sysconfig/named
|
||||
Environment=KRB5_KTNAME=/etc/named.keytab
|
||||
PIDFile=/var/named/chroot/run/named/named.pid
|
||||
|
||||
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
|
||||
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
|
||||
|
||||
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
|
||||
|
||||
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
|
||||
|
||||
PrivateTmp=false
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -0,0 +1,26 @@
|
||||
[Unit]
|
||||
Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
|
||||
Wants=nss-lookup.target
|
||||
Wants=named-setup-rndc.service
|
||||
Before=nss-lookup.target
|
||||
After=network.target
|
||||
After=named-setup-rndc.service
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
Environment=NAMEDCONF=/etc/named.conf
|
||||
EnvironmentFile=-/etc/sysconfig/named
|
||||
Environment=KRB5_KTNAME=/etc/named.keytab
|
||||
PIDFile=/run/named/named.pid
|
||||
|
||||
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
|
||||
ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
|
||||
|
||||
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
|
||||
|
||||
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
|
||||
|
||||
PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -0,0 +1,7 @@
|
||||
[Unit]
|
||||
Description=Generate rndc key for BIND (DNS)
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
||||
ExecStart=/usr/libexec/generate-rndc-key.sh
|
@ -0,0 +1,59 @@
|
||||
//
|
||||
// named.conf
|
||||
//
|
||||
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
|
||||
// server as a caching only nameserver (as a localhost DNS resolver only).
|
||||
//
|
||||
// See /usr/share/doc/bind*/sample/ for example named configuration files.
|
||||
//
|
||||
|
||||
options {
|
||||
listen-on port 53 { 127.0.0.1; };
|
||||
listen-on-v6 port 53 { ::1; };
|
||||
directory "/var/named";
|
||||
dump-file "/var/named/data/cache_dump.db";
|
||||
statistics-file "/var/named/data/named_stats.txt";
|
||||
memstatistics-file "/var/named/data/named_mem_stats.txt";
|
||||
secroots-file "/var/named/data/named.secroots";
|
||||
recursing-file "/var/named/data/named.recursing";
|
||||
allow-query { localhost; };
|
||||
|
||||
/*
|
||||
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
|
||||
- If you are building a RECURSIVE (caching) DNS server, you need to enable
|
||||
recursion.
|
||||
- If your recursive DNS server has a public IP address, you MUST enable access
|
||||
control to limit queries to your legitimate users. Failing to do so will
|
||||
cause your server to become part of large scale DNS amplification
|
||||
attacks. Implementing BCP38 within your network would greatly
|
||||
reduce such attack surface
|
||||
*/
|
||||
recursion yes;
|
||||
|
||||
dnssec-validation yes;
|
||||
|
||||
managed-keys-directory "/var/named/dynamic";
|
||||
geoip-directory "/usr/share/GeoIP";
|
||||
|
||||
pid-file "/run/named/named.pid";
|
||||
session-keyfile "/run/named/session.key";
|
||||
|
||||
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
|
||||
include "/etc/crypto-policies/back-ends/bind.config";
|
||||
};
|
||||
|
||||
logging {
|
||||
channel default_debug {
|
||||
file "data/named.run";
|
||||
severity dynamic;
|
||||
};
|
||||
};
|
||||
|
||||
zone "." IN {
|
||||
type hint;
|
||||
file "named.ca";
|
||||
};
|
||||
|
||||
include "/etc/named.rfc1912.zones";
|
||||
include "/etc/named.root.key";
|
||||
|
@ -0,0 +1,243 @@
|
||||
/*
|
||||
Sample named.conf BIND DNS server 'named' configuration file
|
||||
for the Red Hat BIND distribution.
|
||||
|
||||
See the BIND Administrator's Reference Manual (ARM) for details, in:
|
||||
file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
|
||||
Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
|
||||
its manual.
|
||||
*/
|
||||
|
||||
options
|
||||
{
|
||||
// Put files that named is allowed to write in the data/ directory:
|
||||
directory "/var/named"; // "Working" directory
|
||||
dump-file "data/cache_dump.db";
|
||||
statistics-file "data/named_stats.txt";
|
||||
memstatistics-file "data/named_mem_stats.txt";
|
||||
secroots-file "data/named.secroots";
|
||||
recursing-file "data/named.recursing";
|
||||
|
||||
|
||||
/*
|
||||
Specify listenning interfaces. You can use list of addresses (';' is
|
||||
delimiter) or keywords "any"/"none"
|
||||
*/
|
||||
//listen-on port 53 { any; };
|
||||
listen-on port 53 { 127.0.0.1; };
|
||||
|
||||
//listen-on-v6 port 53 { any; };
|
||||
listen-on-v6 port 53 { ::1; };
|
||||
|
||||
/*
|
||||
Access restrictions
|
||||
|
||||
There are two important options:
|
||||
allow-query { argument; };
|
||||
- allow queries for authoritative data
|
||||
|
||||
allow-query-cache { argument; };
|
||||
- allow queries for non-authoritative data (mostly cached data)
|
||||
|
||||
You can use address, network address or keywords "any"/"localhost"/"none" as argument
|
||||
Examples:
|
||||
allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
|
||||
allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
|
||||
*/
|
||||
|
||||
allow-query { localhost; };
|
||||
allow-query-cache { localhost; };
|
||||
|
||||
/* Enable/disable recursion - recursion yes/no;
|
||||
|
||||
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
|
||||
- If you are building a RECURSIVE (caching) DNS server, you need to enable
|
||||
recursion.
|
||||
- If your recursive DNS server has a public IP address, you MUST enable access
|
||||
control to limit queries to your legitimate users. Failing to do so will
|
||||
cause your server to become part of large scale DNS amplification
|
||||
attacks. Implementing BCP38 within your network would greatly
|
||||
reduce such attack surface
|
||||
*/
|
||||
recursion yes;
|
||||
|
||||
/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
|
||||
|
||||
/* Enable DNSSEC validation on recursive servers */
|
||||
dnssec-validation yes;
|
||||
|
||||
/* In Fedora we use /run/named instead of default /var/run/named
|
||||
so we have to configure paths properly. */
|
||||
pid-file "/run/named/named.pid";
|
||||
session-keyfile "/run/named/session.key";
|
||||
|
||||
managed-keys-directory "/var/named/dynamic";
|
||||
|
||||
/* In Fedora we use system-wide Crypto Policy */
|
||||
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
|
||||
include "/etc/crypto-policies/back-ends/bind.config";
|
||||
};
|
||||
|
||||
logging
|
||||
{
|
||||
/* If you want to enable debugging, eg. using the 'rndc trace' command,
|
||||
* named will try to write the 'named.run' file in the $directory (/var/named).
|
||||
* By default, SELinux policy does not allow named to modify the /var/named directory,
|
||||
* so put the default debug log file in data/ :
|
||||
*/
|
||||
channel default_debug {
|
||||
file "data/named.run";
|
||||
severity dynamic;
|
||||
};
|
||||
};
|
||||
|
||||
/*
|
||||
Views let a name server answer a DNS query differently depending on who is asking.
|
||||
|
||||
By default, if named.conf contains no "view" clauses, all zones are in the
|
||||
"default" view, which matches all clients.
|
||||
|
||||
Views are processed sequentially. The first match is used so the last view should
|
||||
match "any" - it's fallback and the most restricted view.
|
||||
|
||||
If named.conf contains any "view" clause, then all zones MUST be in a view.
|
||||
*/
|
||||
|
||||
view "localhost_resolver"
|
||||
{
|
||||
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
|
||||
* If all you want is a caching-only nameserver, then you need only define this view:
|
||||
*/
|
||||
match-clients { localhost; };
|
||||
recursion yes;
|
||||
|
||||
# all views must contain the root hints zone:
|
||||
zone "." IN {
|
||||
type hint;
|
||||
file "/var/named/named.ca";
|
||||
};
|
||||
|
||||
/* these are zones that contain definitions for all the localhost
|
||||
* names and addresses, as recommended in RFC1912 - these names should
|
||||
* not leak to the other nameservers:
|
||||
*/
|
||||
include "/etc/named.rfc1912.zones";
|
||||
};
|
||||
view "internal"
|
||||
{
|
||||
/* This view will contain zones you want to serve only to "internal" clients
|
||||
that connect via your directly attached LAN interfaces - "localnets" .
|
||||
*/
|
||||
match-clients { localnets; };
|
||||
recursion yes;
|
||||
|
||||
zone "." IN {
|
||||
type hint;
|
||||
file "/var/named/named.ca";
|
||||
};
|
||||
|
||||
/* these are zones that contain definitions for all the localhost
|
||||
* names and addresses, as recommended in RFC1912 - these names should
|
||||
* not leak to the other nameservers:
|
||||
*/
|
||||
include "/etc/named.rfc1912.zones";
|
||||
|
||||
// These are your "authoritative" internal zones, and would probably
|
||||
// also be included in the "localhost_resolver" view above :
|
||||
|
||||
/*
|
||||
NOTE for dynamic DNS zones and secondary zones:
|
||||
|
||||
DO NOT USE SAME FILES IN MULTIPLE VIEWS!
|
||||
|
||||
If you are using views and DDNS/secondary zones it is strongly
|
||||
recommended to read FAQ on ISC site (www.isc.org), section
|
||||
"Configuration and Setup Questions", questions
|
||||
"How do I share a dynamic zone between multiple views?" and
|
||||
"How can I make a server a slave for both an internal and an external
|
||||
view at the same time?"
|
||||
*/
|
||||
|
||||
zone "my.internal.zone" {
|
||||
type master;
|
||||
file "my.internal.zone.db";
|
||||
};
|
||||
zone "my.slave.internal.zone" {
|
||||
type slave;
|
||||
file "slaves/my.slave.internal.zone.db";
|
||||
masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
|
||||
// put slave zones in the slaves/ directory so named can update them
|
||||
};
|
||||
zone "my.ddns.internal.zone" {
|
||||
type master;
|
||||
allow-update { key ddns_key; };
|
||||
file "dynamic/my.ddns.internal.zone.db";
|
||||
// put dynamically updateable zones in the slaves/ directory so named can update them
|
||||
};
|
||||
};
|
||||
|
||||
key ddns_key
|
||||
{
|
||||
algorithm hmac-sha256;
|
||||
secret "use /usr/sbin/ddns-confgen to generate TSIG keys";
|
||||
};
|
||||
|
||||
view "external"
|
||||
{
|
||||
/* This view will contain zones you want to serve only to "external" clients
|
||||
* that have addresses that are not match any above view:
|
||||
*/
|
||||
match-clients { any; };
|
||||
|
||||
zone "." IN {
|
||||
type hint;
|
||||
file "/var/named/named.ca";
|
||||
};
|
||||
|
||||
recursion no;
|
||||
// you'd probably want to deny recursion to external clients, so you don't
|
||||
// end up providing free DNS service to all takers
|
||||
|
||||
// These are your "authoritative" external zones, and would probably
|
||||
// contain entries for just your web and mail servers:
|
||||
|
||||
zone "my.external.zone" {
|
||||
type master;
|
||||
file "my.external.zone.db";
|
||||
};
|
||||
};
|
||||
|
||||
/* Trusted keys
|
||||
|
||||
This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
|
||||
should configure at least one trusted key.
|
||||
|
||||
Note that no key written below is valid. Especially root key because root zone
|
||||
is not signed yet.
|
||||
*/
|
||||
/*
|
||||
trust-anchors {
|
||||
// Root Key
|
||||
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
|
||||
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
|
||||
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
|
||||
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
|
||||
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
|
||||
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
|
||||
R1AkUTV74bU=";
|
||||
|
||||
// Key for forward zone
|
||||
example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW
|
||||
LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6
|
||||
LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws
|
||||
UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX
|
||||
yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP
|
||||
Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m
|
||||
Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393
|
||||
xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M=";
|
||||
|
||||
|
||||
// Key for reverse zone.
|
||||
2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D";
|
||||
};
|
||||
*/
|
@ -0,0 +1,10 @@
|
||||
$TTL 3H
|
||||
@ IN SOA @ rname.invalid. (
|
||||
0 ; serial
|
||||
1D ; refresh
|
||||
1H ; retry
|
||||
1W ; expire
|
||||
3H ) ; minimum
|
||||
NS @
|
||||
A 127.0.0.1
|
||||
AAAA ::1
|
@ -0,0 +1,10 @@
|
||||
$TTL 1D
|
||||
@ IN SOA @ rname.invalid. (
|
||||
0 ; serial
|
||||
1D ; refresh
|
||||
1H ; retry
|
||||
1W ; expire
|
||||
3H ) ; minimum
|
||||
NS @
|
||||
A 127.0.0.1
|
||||
AAAA ::1
|
@ -0,0 +1,12 @@
|
||||
/var/named/data/named.run {
|
||||
missingok
|
||||
su named named
|
||||
create 0644 named named
|
||||
postrotate
|
||||
/usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
|
||||
/usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
|
||||
/usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
|
||||
/usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
|
||||
/usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
|
||||
endscript
|
||||
}
|
@ -0,0 +1,11 @@
|
||||
$TTL 1D
|
||||
@ IN SOA @ rname.invalid. (
|
||||
0 ; serial
|
||||
1D ; refresh
|
||||
1H ; retry
|
||||
1W ; expire
|
||||
3H ) ; minimum
|
||||
NS @
|
||||
A 127.0.0.1
|
||||
AAAA ::1
|
||||
PTR localhost.
|
@ -0,0 +1,45 @@
|
||||
// named.rfc1912.zones:
|
||||
//
|
||||
// Provided by Red Hat caching-nameserver package
|
||||
//
|
||||
// ISC BIND named zone configuration for zones recommended by
|
||||
// RFC 1912 section 4.1 : localhost TLDs and address zones
|
||||
// and https://tools.ietf.org/html/rfc6303
|
||||
// (c)2007 R W Franks
|
||||
//
|
||||
// See /usr/share/doc/bind*/sample/ for example named configuration files.
|
||||
//
|
||||
// Note: empty-zones-enable yes; option is default.
|
||||
// If private ranges should be forwarded, add
|
||||
// disable-empty-zone "."; into options
|
||||
//
|
||||
|
||||
zone "localhost.localdomain" IN {
|
||||
type master;
|
||||
file "named.localhost";
|
||||
allow-update { none; };
|
||||
};
|
||||
|
||||
zone "localhost" IN {
|
||||
type master;
|
||||
file "named.localhost";
|
||||
allow-update { none; };
|
||||
};
|
||||
|
||||
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
|
||||
type master;
|
||||
file "named.loopback";
|
||||
allow-update { none; };
|
||||
};
|
||||
|
||||
zone "1.0.0.127.in-addr.arpa" IN {
|
||||
type master;
|
||||
file "named.loopback";
|
||||
allow-update { none; };
|
||||
};
|
||||
|
||||
zone "0.in-addr.arpa" IN {
|
||||
type master;
|
||||
file "named.empty";
|
||||
allow-update { none; };
|
||||
};
|
@ -0,0 +1,61 @@
|
||||
|
||||
; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
|
||||
; (2 servers found)
|
||||
;; global options: +cmd
|
||||
;; Got answer:
|
||||
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
|
||||
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
|
||||
|
||||
;; OPT PSEUDOSECTION:
|
||||
; EDNS: version: 0, flags:; udp: 1472
|
||||
;; QUESTION SECTION:
|
||||
;. IN NS
|
||||
|
||||
;; ANSWER SECTION:
|
||||
. 518400 IN NS a.root-servers.net.
|
||||
. 518400 IN NS b.root-servers.net.
|
||||
. 518400 IN NS c.root-servers.net.
|
||||
. 518400 IN NS d.root-servers.net.
|
||||
. 518400 IN NS e.root-servers.net.
|
||||
. 518400 IN NS f.root-servers.net.
|
||||
. 518400 IN NS g.root-servers.net.
|
||||
. 518400 IN NS h.root-servers.net.
|
||||
. 518400 IN NS i.root-servers.net.
|
||||
. 518400 IN NS j.root-servers.net.
|
||||
. 518400 IN NS k.root-servers.net.
|
||||
. 518400 IN NS l.root-servers.net.
|
||||
. 518400 IN NS m.root-servers.net.
|
||||
|
||||
;; ADDITIONAL SECTION:
|
||||
a.root-servers.net. 518400 IN A 198.41.0.4
|
||||
b.root-servers.net. 518400 IN A 199.9.14.201
|
||||
c.root-servers.net. 518400 IN A 192.33.4.12
|
||||
d.root-servers.net. 518400 IN A 199.7.91.13
|
||||
e.root-servers.net. 518400 IN A 192.203.230.10
|
||||
f.root-servers.net. 518400 IN A 192.5.5.241
|
||||
g.root-servers.net. 518400 IN A 192.112.36.4
|
||||
h.root-servers.net. 518400 IN A 198.97.190.53
|
||||
i.root-servers.net. 518400 IN A 192.36.148.17
|
||||
j.root-servers.net. 518400 IN A 192.58.128.30
|
||||
k.root-servers.net. 518400 IN A 193.0.14.129
|
||||
l.root-servers.net. 518400 IN A 199.7.83.42
|
||||
m.root-servers.net. 518400 IN A 202.12.27.33
|
||||
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
|
||||
b.root-servers.net. 518400 IN AAAA 2001:500:200::b
|
||||
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
|
||||
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
|
||||
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
|
||||
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
|
||||
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
|
||||
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
|
||||
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
|
||||
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
|
||||
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
|
||||
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
|
||||
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
|
||||
|
||||
;; Query time: 24 msec
|
||||
;; SERVER: 198.41.0.4#53(198.41.0.4)
|
||||
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
|
||||
;; MSG SIZE rcvd: 811
|
||||
|
@ -0,0 +1,13 @@
|
||||
trust-anchors {
|
||||
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
|
||||
# for current trust anchor information.
|
||||
#
|
||||
# This key (20326) was published in the root zone in 2017.
|
||||
# Servers which were already using the old key (19036) should
|
||||
# roll seamlessly to this new one via RFC 5011 rollover. Servers
|
||||
# being set up for the first time can use the contents of this
|
||||
# file as initializing keys; thereafter, the keys in the
|
||||
# managed key database will be trusted and maintained
|
||||
# automatically.
|
||||
. initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
|
||||
};
|
@ -0,0 +1,6 @@
|
||||
dirs /var/named
|
||||
|
||||
files /var/named/named.ca
|
||||
files /var/named/named.empty
|
||||
files /var/named/named.localhost
|
||||
files /var/named/named.loopback
|
@ -0,0 +1,25 @@
|
||||
[Unit]
|
||||
Description=Berkeley Internet Name Domain (DNS)
|
||||
Wants=nss-lookup.target
|
||||
Wants=named-setup-rndc.service
|
||||
Before=nss-lookup.target
|
||||
After=named-setup-rndc.service
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
Environment=NAMEDCONF=/etc/named.conf
|
||||
EnvironmentFile=-/etc/sysconfig/named
|
||||
Environment=KRB5_KTNAME=/etc/named.keytab
|
||||
PIDFile=/run/named/named.pid
|
||||
|
||||
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
|
||||
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
|
||||
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
|
||||
|
||||
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
|
||||
|
||||
PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -0,0 +1,17 @@
|
||||
# BIND named process options
|
||||
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
#
|
||||
# OPTIONS="whatever" -- These additional options will be passed to named
|
||||
# at startup. Don't add -t here, enable proper
|
||||
# -chroot.service unit file.
|
||||
#
|
||||
# NAMEDCONF=/etc/named/alternate.conf
|
||||
# -- Don't use -c to change configuration file.
|
||||
# Extend systemd named.service instead or use this
|
||||
# variable.
|
||||
#
|
||||
# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
|
||||
# utility for every zone to ensure all zones are
|
||||
# valid before named starts. If you set this option
|
||||
# to 'yes' then service file doesn't perform those
|
||||
# checks.
|
@ -0,0 +1,117 @@
|
||||
#!/bin/bash
|
||||
|
||||
ROOTDIR="$1"
|
||||
CONFIG_FILES="${3:-/etc/named-chroot.files}"
|
||||
|
||||
usage()
|
||||
{
|
||||
echo
|
||||
echo 'This script setups chroot environment for BIND'
|
||||
echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
|
||||
}
|
||||
|
||||
if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
|
||||
echo 'Wrong number of arguments'
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Exit if ROOTDIR doesn't exist
|
||||
if ! [ -d "$ROOTDIR" ]; then
|
||||
echo "Root directory $ROOTDIR doesn't exist"
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! [ -r "$CONFIG_FILES" ]; then
|
||||
echo "Files list $CONFIG_FILES doesn't exist" 2>&1
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
|
||||
dev_create()
|
||||
{
|
||||
DEVNAME="$ROOTDIR/dev/$1"
|
||||
shift
|
||||
if ! [ -e "$DEVNAME" ]; then
|
||||
/bin/mknod -m 0664 "$DEVNAME" $@
|
||||
/bin/chgrp named "$DEVNAME"
|
||||
if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
|
||||
/usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
dev_chroot_prep()
|
||||
{
|
||||
dev_create random c 1 8
|
||||
dev_create urandom c 1 9
|
||||
dev_create zero c 1 5
|
||||
dev_create null c 1 3
|
||||
}
|
||||
|
||||
files_comment_filter()
|
||||
{
|
||||
if [ -d "$1" ]; then
|
||||
grep -v '^[[:space:]]*#' "$1"/*.files
|
||||
else
|
||||
grep -v '^[[:space:]]*#' "$1"
|
||||
fi
|
||||
}
|
||||
|
||||
mount_chroot_conf()
|
||||
{
|
||||
if [ -n "$ROOTDIR" ]; then
|
||||
# Check devices are prepared
|
||||
dev_chroot_prep
|
||||
files_comment_filter "$CONFIG_FILES" | while read -r all; do
|
||||
# Skip nonexistant files
|
||||
[ -e "$all" ] || continue
|
||||
|
||||
# If mount source is a file
|
||||
if ! [ -d "$all" ]; then
|
||||
# mount it only if it is not present in chroot or it is empty
|
||||
if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
|
||||
touch "$ROOTDIR$all"
|
||||
mount --bind "$all" "$ROOTDIR$all"
|
||||
fi
|
||||
else
|
||||
# Mount source is a directory. Mount it only if directory in chroot is
|
||||
# empty.
|
||||
if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
|
||||
mount --bind --make-private "$all" "$ROOTDIR$all"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
umount_chroot_conf()
|
||||
{
|
||||
if [ -n "$ROOTDIR" ]; then
|
||||
files_comment_filter "$CONFIG_FILES" | while read -r all; do
|
||||
# Check if file is mount target. Do not use /proc/mounts because detecting
|
||||
# of modified mounted files can fail.
|
||||
if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
|
||||
umount "$ROOTDIR$all"
|
||||
# Remove temporary created files
|
||||
[ -f "$all" ] && rm -f "$ROOTDIR$all"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
case "$2" in
|
||||
on)
|
||||
mount_chroot_conf
|
||||
;;
|
||||
off)
|
||||
umount_chroot_conf
|
||||
;;
|
||||
*)
|
||||
echo 'Second argument has to be "on" or "off"'
|
||||
usage
|
||||
exit 1
|
||||
esac
|
||||
|
||||
exit 0
|
@ -0,0 +1,124 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# This script will initialise token storage of softhsm PKCS11 provider
|
||||
# in custom location. Is useful to store tokens in non-standard location.
|
||||
#
|
||||
# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
|
||||
# Quotes around eval are mandatory!
|
||||
# Recommended use:
|
||||
# eval "$(bash setup-named-softhsm.sh -A)"
|
||||
#
|
||||
|
||||
SOFTHSM2_CONF="$1"
|
||||
TOKENPATH="$2"
|
||||
GROUPNAME="$3"
|
||||
# Do not use this script for real keys worth protection
|
||||
# This is intended for crypto accelerators using PKCS11 interface.
|
||||
# Uninitialized token would fail any crypto operation.
|
||||
PIN=1234
|
||||
SO_PIN=1234
|
||||
LABEL=rpm
|
||||
|
||||
set -e
|
||||
|
||||
echo_i()
|
||||
{
|
||||
echo "#" $@
|
||||
}
|
||||
|
||||
random()
|
||||
{
|
||||
if [ -x "$(which openssl 2>/dev/null)" ]; then
|
||||
openssl rand -base64 $1
|
||||
else
|
||||
dd if=/dev/urandom bs=1c count=$1 | base64
|
||||
fi
|
||||
}
|
||||
|
||||
usage()
|
||||
{
|
||||
echo "Usage: $0 -A [token directory] [group]"
|
||||
echo " or: $0 <config file> <token directory> [group]"
|
||||
}
|
||||
|
||||
if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
|
||||
TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
|
||||
fi
|
||||
|
||||
if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
|
||||
usage >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$SOFTHSM2_CONF" = "-A" ]; then
|
||||
# Automagic mode instead
|
||||
MODE=secure
|
||||
SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
|
||||
PIN_SOURCE="$TOKENPATH/pin"
|
||||
SOPIN_SOURCE="$TOKENPATH/so-pin"
|
||||
TOKENPATH="$TOKENPATH/tokens"
|
||||
else
|
||||
MODE=legacy
|
||||
fi
|
||||
|
||||
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
|
||||
|
||||
umask 0022
|
||||
|
||||
if ! [ -f "$SOFTHSM2_CONF" ]; then
|
||||
cat << SED > "$SOFTHSM2_CONF"
|
||||
# SoftHSM v2 configuration file
|
||||
|
||||
directories.tokendir = ${TOKENPATH}
|
||||
objectstore.backend = file
|
||||
|
||||
# ERROR, WARNING, INFO, DEBUG
|
||||
log.level = ERROR
|
||||
|
||||
# If CKF_REMOVABLE_DEVICE flag should be set
|
||||
slots.removable = false
|
||||
SED
|
||||
else
|
||||
echo_i "Config file $SOFTHSM2_CONF already exists" >&2
|
||||
fi
|
||||
|
||||
if [ -n "$PIN_SOURCE" ]; then
|
||||
touch "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||
chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||
if [ -n "$GROUPNAME" ]; then
|
||||
chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||
chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||
fi
|
||||
fi
|
||||
|
||||
export SOFTHSM2_CONF
|
||||
|
||||
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
|
||||
then
|
||||
echo_i "Token in ${TOKENPATH} is already initialized" >&2
|
||||
|
||||
[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
|
||||
[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
|
||||
else
|
||||
PIN=$(random 6)
|
||||
SO_PIN=$(random 18)
|
||||
if [ -n "$PIN_SOURCE" ]; then
|
||||
echo -n "$PIN" > "$PIN_SOURCE"
|
||||
echo -n "$SO_PIN" > "$SOPIN_SOURCE"
|
||||
fi
|
||||
|
||||
echo_i "Initializing tokens to ${TOKENPATH}..."
|
||||
softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
|
||||
|
||||
if [ -n "$GROUPNAME" ]; then
|
||||
chgrp -R -- "$GROUPNAME" "$TOKENPATH"
|
||||
chmod -R -- g=rX,o= "$TOKENPATH"
|
||||
fi
|
||||
fi
|
||||
|
||||
echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
|
||||
echo "export PIN_SOURCE=\"$PIN_SOURCE\""
|
||||
echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
|
||||
# These are intentionaly not exported
|
||||
echo "PIN=\"$PIN\""
|
||||
echo "SO_PIN=\"$SO_PIN\""
|
@ -0,0 +1 @@
|
||||
. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue