authorXin LI <delphij@FreeBSD.org>2015-04-08 17:52:54 +0000
committerXin LI <delphij@FreeBSD.org>2015-04-08 17:52:54 +0000
commit7ba7a5de74780dee4ec54bace1ec36427be1d8b8 (patch)
treea5a1890b0b884a1d303e90c4130c3b731772abd5 /bin
parenta2bc50f814b6966b412ba90221460066a8b31951 (diff)
Vendor import of BIND 9.9.7vendor/bind9/9.9.7
Diffstat (limited to 'bin')
-rw-r--r--bin/check/named-checkconf.c33
-rw-r--r--bin/dig/dig.111
-rw-r--r--bin/dig/dig.docbook10
-rw-r--r--bin/dig/dig.html26
-rw-r--r--bin/dig/dighost.c294
-rw-r--r--bin/dig/host.c12
-rw-r--r--bin/dig/include/dig/dig.h5
-rw-r--r--bin/dig/nslookup.c11
-rw-r--r--bin/dnssec/dnssec-dsfromkey.c8
-rw-r--r--bin/dnssec/dnssec-importkey.c4
-rw-r--r--bin/dnssec/dnssec-keyfromlabel.c4
-rw-r--r--bin/dnssec/dnssec-keygen.88
-rw-r--r--bin/dnssec/dnssec-keygen.c12
-rw-r--r--bin/dnssec/dnssec-keygen.docbook9
-rw-r--r--bin/dnssec/dnssec-keygen.html22
-rw-r--r--bin/dnssec/dnssec-settime.88
-rw-r--r--bin/dnssec/dnssec-settime.c5
-rw-r--r--bin/dnssec/dnssec-settime.docbook9
-rw-r--r--bin/dnssec/dnssec-settime.html20
-rw-r--r--bin/dnssec/dnssec-signzone.c86
-rw-r--r--bin/dnssec/dnssec-verify.c4
-rw-r--r--bin/dnssec/dnssectool.c8
-rw-r--r--bin/dnssec/dnssectool.h4
-rw-r--r--bin/named/client.c43
-rw-r--r--bin/named/config.c11
-rw-r--r--bin/named/include/named/globals.h8
-rw-r--r--bin/named/interfacemgr.c8
-rw-r--r--bin/named/main.c81
-rw-r--r--bin/named/named.html2
-rw-r--r--bin/named/query.c96
-rw-r--r--bin/named/server.c200
-rw-r--r--bin/named/update.c2
-rw-r--r--bin/named/zoneconf.c6
-rw-r--r--bin/nsupdate/nsupdate.c398
-rw-r--r--bin/rndc/rndc.c26
35 files changed, 898 insertions, 596 deletions
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index a75df96d1fea..18cfdddc98bd 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -488,7 +488,33 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
- while ((c = isc_commandline_parse(argc, argv, "dhjt:pvxz")) != EOF) {
+ /*
+ * Process memory debugging argument first.
+ */
+#define CMDLINE_FLAGS "dhjm:t:pvxz"
+ while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+ switch (c) {
+ case 'm':
+ if (strcasecmp(isc_commandline_argument, "record") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+ if (strcasecmp(isc_commandline_argument, "trace") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+ if (strcasecmp(isc_commandline_argument, "usage") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+ if (strcasecmp(isc_commandline_argument, "size") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+ if (strcasecmp(isc_commandline_argument, "mctx") == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+ break;
+ default:
+ break;
+ }
+ }
+ isc_commandline_reset = ISC_TRUE;
+
+ RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
+ while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
switch (c) {
case 'd':
debug++;
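Review bot: The new pre-pass in main() silently accepts an unrecognised `-m` value: the five `strcasecmp` tests under `case 'm':` have no final `else`, so a typo such as `-m trac` sets no flag and the run proceeds as if memory debugging had been requested. Chaining the tests with `else if` and ending with an `else` that prints the rejected value to stderr and exits would make the mistake visible. The pre-pass loop also compares the parser result with `-1` while the main loop below still compares with `EOF`; using one sentinel in both keeps the two passes obviously equivalent. main() starts and ends outside this hunk.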
@@ -498,6 +524,9 @@ main(int argc, char **argv) {
nomerge = ISC_FALSE;
break;
+ case 'm':
+ break;
+
case 't':
result = isc_dir_chroot(isc_commandline_argument);
if (result != ISC_R_SUCCESS) {
@@ -557,8 +586,6 @@ main(int argc, char **argv) {
InitSockets();
#endif
- RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index cd79ceaea9bc..b492ee71fd58 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -388,7 +388,10 @@ for it to be considered absolute. The default value is that defined using the nd
or
\fBdomain\fR
directive in
-\fI/etc/resolv.conf\fR.
+\fI/etc/resolv.conf\fR
+if
+\fB+search\fR
+is set.
.RE
.PP
\fB+[no]nsid\fR
@@ -447,6 +450,12 @@ Toggle the display of per\-record comments in the output (for example, human\-re
Use [do not use] the search list defined by the searchlist or domain directive in
\fIresolv.conf\fR
(if any). The search list is not used by default.
+.sp
+\'ndots' from
+\fIresolv.conf\fR
+(default 1) which may be overridden by
+\fI+ndots\fR
+determines if the name will be treated as relative or not and hence whether a search is eventually performed or not.
.RE
.PP
\fB+[no]short\fR
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 89d766b541cb..53ab0c6e9f3c 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -624,7 +624,8 @@
are interpreted as relative names and will be searched
for in the domains listed in the <option>search</option>
or <option>domain</option> directive in
- <filename>/etc/resolv.conf</filename>.
+ <filename>/etc/resolv.conf</filename> if
+ <option>+search</option> is set.
</para>
</listitem>
</varlistentry>
@@ -731,6 +732,13 @@
<filename>resolv.conf</filename> (if any). The search
list is not used by default.
</para>
+ <para>
+ 'ndots' from <filename>resolv.conf</filename> (default 1)
+ which may be overridden by <parameter>+ndots</parameter>
+ determines if the name will be treated as relative
+ or not and hence whether a search is eventually
+ performed or not.
+ </para>
</listitem>
</varlistentry>
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index 829aa2c9ae89..e624e151c434 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -412,7 +412,8 @@
are interpreted as relative names and will be searched
for in the domains listed in the <code class="option">search</code>
or <code class="option">domain</code> directive in
- <code class="filename">/etc/resolv.conf</code>.
+ <code class="filename">/etc/resolv.conf</code> if
+ <code class="option">+search</code> is set.
</p></dd>
<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
<dd><p>
@@ -468,12 +469,21 @@
record comments unless multiline mode is active.
</p></dd>
<dt><span class="term"><code class="option">+[no]search</code></span></dt>
-<dd><p>
+<dd>
+<p>
Use [do not use] the search list defined by the
searchlist or domain directive in
<code class="filename">resolv.conf</code> (if any). The search
list is not used by default.
- </p></dd>
+ </p>
+<p>
+ 'ndots' from <code class="filename">resolv.conf</code> (default 1)
+ which may be overridden by <em class="parameter"><code>+ndots</code></em>
+ determines if the name will be treated as relative
+ or not and hence whether a search is eventually
+ performed or not.
+ </p>
+</dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd><p>
Provide a terse answer. The default is to print the
@@ -590,7 +600,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545168"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545181"></a><h2>MULTIPLE QUERIES</h2>
<p>
The BIND 9 implementation of <span><strong class="command">dig </strong></span>
supports
@@ -636,7 +646,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545229"></a><h2>IDN SUPPORT</h2>
+<a name="id2545243"></a><h2>IDN SUPPORT</h2>
<p>
If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
@@ -650,14 +660,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545252"></a><h2>FILES</h2>
+<a name="id2545266"></a><h2>FILES</h2>
<p><code class="filename">/etc/resolv.conf</code>
</p>
<p><code class="filename">${HOME}/.digrc</code>
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545269"></a><h2>SEE ALSO</h2>
+<a name="id2545283"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -665,7 +675,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2545306"></a><h2>BUGS</h2>
+<a name="id2545320"></a><h2>BUGS</h2>
<p>
There are probably too many query options.
</p>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index a2aabdf34130..d6fea27bef5c 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -58,6 +58,7 @@
#include <dns/log.h>
#include <dns/message.h>
#include <dns/name.h>
+#include <dns/rcode.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdatalist.h>
@@ -1070,10 +1071,9 @@ parse_hmac(const char *hmac) {
*/
static isc_result_t
read_confkey(void) {
- isc_log_t *lctx = NULL;
cfg_parser_t *pctx = NULL;
cfg_obj_t *file = NULL;
- const cfg_obj_t *key = NULL;
+ const cfg_obj_t *keyobj = NULL;
const cfg_obj_t *secretobj = NULL;
const cfg_obj_t *algorithmobj = NULL;
const char *keyname;
@@ -1084,7 +1084,7 @@ read_confkey(void) {
if (! isc_file_exists(keyfile))
return (ISC_R_FILENOTFOUND);
- result = cfg_parser_create(mctx, lctx, &pctx);
+ result = cfg_parser_create(mctx, NULL, &pctx);
if (result != ISC_R_SUCCESS)
goto cleanup;
@@ -1093,16 +1093,16 @@ read_confkey(void) {
if (result != ISC_R_SUCCESS)
goto cleanup;
- result = cfg_map_get(file, "key", &key);
+ result = cfg_map_get(file, "key", &keyobj);
if (result != ISC_R_SUCCESS)
goto cleanup;
- (void) cfg_map_get(key, "secret", &secretobj);
- (void) cfg_map_get(key, "algorithm", &algorithmobj);
+ (void) cfg_map_get(keyobj, "secret", &secretobj);
+ (void) cfg_map_get(keyobj, "algorithm", &algorithmobj);
if (secretobj == NULL || algorithmobj == NULL)
fatal("key must have algorithm and secret");
- keyname = cfg_obj_asstring(cfg_map_getname(key));
+ keyname = cfg_obj_asstring(cfg_map_getname(keyobj));
secretstr = cfg_obj_asstring(secretobj);
algorithm = cfg_obj_asstring(algorithmobj);
@@ -2216,7 +2216,6 @@ setup_lookup(dig_lookup_t *lookup) {
if (result != ISC_R_SUCCESS) {
dns_message_puttempname(lookup->sendmsg,
&lookup->name);
- isc_buffer_init(&b, store, MXNAME);
fatal("'%s' is not a legal name "
"(%s)", lookup->textname,
isc_result_totext(result));
@@ -2976,7 +2975,8 @@ connect_done(isc_task_t *task, isc_event_t *event) {
query->waiting_connect = ISC_FALSE;
isc_event_free(&event);
l = query->lookup;
- if (l->current_query != NULL)
+ if ((l->current_query != NULL) &&
+ (ISC_LINK_LINKED(l->current_query, link)))
next = ISC_LIST_NEXT(l->current_query, link);
else
next = NULL;
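Review bot: The added `ISC_LINK_LINKED(l->current_query, link)` test in connect_done() carries no comment saying when `current_query` can be non-NULL yet off the list, so a reader cannot tell which event ordering this guards against. A short comment above the condition would record that, for example `/* current_query may already have been unlinked (presumably by a cancel or clear); never take ISC_LIST_NEXT of an unlinked element */`. If other callbacks in this file walk the list from `l->current_query` the same way, they likely need the same guard; that is not visible from this hunk. connect_done() starts and ends outside the hunk.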
@@ -3518,7 +3518,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
#endif
printmessage(query, msg, ISC_TRUE);
} else if (l->trace) {
- int n = 0;
+ int nl = 0;
int count = msg->counts[DNS_SECTION_ANSWER];
debug("in TRACE code");
@@ -3529,13 +3529,13 @@ recv_done(isc_task_t *task, isc_event_t *event) {
if (l->trace_root || (l->ns_search_only && count > 0)) {
if (!l->trace_root)
l->rdtype = dns_rdatatype_soa;
- n = followup_lookup(msg, query,
- DNS_SECTION_ANSWER);
+ nl = followup_lookup(msg, query,
+ DNS_SECTION_ANSWER);
l->trace_root = ISC_FALSE;
} else if (count == 0)
- n = followup_lookup(msg, query,
- DNS_SECTION_AUTHORITY);
- if (n == 0)
+ nl = followup_lookup(msg, query,
+ DNS_SECTION_AUTHORITY);
+ if (nl == 0)
docancel = ISC_TRUE;
} else {
debug("in NSSEARCH code");
@@ -3544,12 +3544,12 @@ recv_done(isc_task_t *task, isc_event_t *event) {
/*
* This is the initial NS query.
*/
- int n;
+ int nl;
l->rdtype = dns_rdatatype_soa;
- n = followup_lookup(msg, query,
- DNS_SECTION_ANSWER);
- if (n == 0)
+ nl = followup_lookup(msg, query,
+ DNS_SECTION_ANSWER);
+ if (nl == 0)
docancel = ISC_TRUE;
l->trace_root = ISC_FALSE;
usesearch = ISC_FALSE;
@@ -3679,12 +3679,12 @@ recv_done(isc_task_t *task, isc_event_t *event) {
* routines, since they may be using a non-DNS system for these lookups.
*/
isc_result_t
-get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
+get_address(char *host, in_port_t myport, isc_sockaddr_t *sockaddr) {
int count;
isc_result_t result;
isc_app_block();
- result = bind9_getaddresses(host, port, sockaddr, 1, &count);
+ result = bind9_getaddresses(host, myport, sockaddr, 1, &count);
isc_app_unblock();
if (result != ISC_R_SUCCESS)
return (result);
@@ -4151,6 +4151,9 @@ chase_scanname_section(dns_message_t *msg, dns_name_t *name,
dns_rdataset_t *rdataset;
dns_name_t *msg_name = NULL;
+ if (msg->counts[section] == 0)
+ return (NULL);
+
do {
dns_message_currentname(msg, section, &msg_name);
if (dns_name_compare(msg_name, name) == 0) {
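Review bot: The new `msg->counts[section] == 0` early return in chase_scanname_section() covers only the empty-section case, and nothing documents the remaining precondition. The loop still opens with `dns_message_currentname(msg, section, &msg_name)`, and no `dns_message_firstname()` call appears between the guard and the `do`, so positioning the section cursor is left to the caller. Since `msg` is a parsed server response, it is worth stating this contract in a comment, e.g. `/* Caller must have positioned the section cursor with dns_message_firstname(); an empty section has no current name. */`. The rest of the function body lies outside the hunk.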
@@ -4357,8 +4360,8 @@ get_trusted_key(isc_mem_t *mctx)
dns_rdatacallbacks_init_stdio(&callbacks);
callbacks.add = insert_trustedkey;
return (dns_master_loadfile(filename, dns_rootname, dns_rootname,
- current_lookup->rdclass, 0, &callbacks,
- mctx));
+ current_lookup->rdclass, DNS_MASTER_NOTTL,
+ &callbacks, mctx));
}
@@ -4558,36 +4561,36 @@ child_of_zone(dns_name_t * name, dns_name_t * zone_name,
}
isc_result_t
-grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset)
-{
- isc_result_t result;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
+grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset) {
dns_rdata_sig_t siginfo;
+ dns_rdataset_t mysigrdataset;
+ isc_result_t result;
- result = dns_rdataset_first(sigrdataset);
+ dns_rdataset_init(&mysigrdataset);
+ dns_rdataset_clone(sigrdataset, &mysigrdataset);
+
+ result = dns_rdataset_first(&mysigrdataset);
check_result(result, "empty RRSIG dataset");
- dns_rdata_init(&sigrdata);
do {
- dns_rdataset_current(sigrdataset, &sigrdata);
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&mysigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
check_result(result, "sigrdata tostruct siginfo");
if (dns_name_compare(&siginfo.signer, zone_name) == 0) {
- dns_rdata_freestruct(&siginfo);
- dns_rdata_reset(&sigrdata);
- return (ISC_R_SUCCESS);
+ result = ISC_R_SUCCESS;
+ goto cleanup;
}
+ } while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS);
- dns_rdata_freestruct(&siginfo);
- dns_rdata_reset(&sigrdata);
+ result = ISC_R_FAILURE;
+cleanup:
+ dns_rdataset_disassociate(&mysigrdataset);
- } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
-
- dns_rdata_reset(&sigrdata);
-
- return (ISC_R_FAILURE);
+ return (result);
}
@@ -4667,26 +4670,30 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
dns_rdataset_t *sigrdataset,
isc_mem_t *mctx)
{
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t myrdataset;
dst_key_t *dnsseckey = NULL;
int i;
+ isc_result_t result;
if (name == NULL || rdataset == NULL)
return (ISC_R_FAILURE);
- result = dns_rdataset_first(rdataset);
+ dns_rdataset_init(&myrdataset);
+ dns_rdataset_clone(rdataset, &myrdataset);
+
+ result = dns_rdataset_first(&myrdataset);
check_result(result, "empty rdataset");
do {
- dns_rdataset_current(rdataset, &rdata);
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&myrdataset, &rdata);
INSIST(rdata.type == dns_rdatatype_dnskey);
result = dns_dnssec_keyfromrdata(name, &rdata,
mctx, &dnsseckey);
check_result(result, "dns_dnssec_keyfromrdata");
-
for (i = 0; i < tk_list.nb_tk; i++) {
if (dst_key_compare(tk_list.key[i], dnsseckey)
== ISC_TRUE) {
@@ -4695,22 +4702,21 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
printf(";; Ok, find a Trusted Key in the "
"DNSKEY RRset: %d\n",
dst_key_id(dnsseckey));
- if (sigchase_verify_sig_key(name, rdataset,
- dnsseckey,
- sigrdataset,
- mctx)
- == ISC_R_SUCCESS) {
- dst_key_free(&dnsseckey);
- dnsseckey = NULL;
- return (ISC_R_SUCCESS);
- }
+ result = sigchase_verify_sig_key(name, rdataset,
+ dnsseckey,
+ sigrdataset,
+ mctx);
+ if (result == ISC_R_SUCCESS)
+ goto cleanup;
}
}
+ dst_key_free(&dnsseckey);
+ } while (dns_rdataset_next(&myrdataset) == ISC_R_SUCCESS);
- dns_rdata_reset(&rdata);
- if (dnsseckey != NULL)
- dst_key_free(&dnsseckey);
- } while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
+cleanup:
+ if (dnsseckey != NULL)
+ dst_key_free(&dnsseckey);
+ dns_rdataset_disassociate(&myrdataset);
return (ISC_R_NOTFOUND);
}
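Review bot: contains_trusted_key() now reports a verified trusted key as not found. The success branch does `goto cleanup`, but the unchanged last line after the label is still `return (ISC_R_NOTFOUND);`, so the ISC_R_SUCCESS from `sigchase_verify_sig_key()` is discarded. The parallel rewrites in this commit (sigchase_verify_sig, sigchase_verify_sig_key, sigchase_verify_ds) put `result = ISC_R_NOTFOUND;` immediately before the label and finish with `return (result);`; this function needs the same two lines. The error fails closed, so validation is refused rather than wrongly accepted, but any caller waiting for ISC_R_SUCCESS from this function would presumably never see the trust anchor match.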
@@ -4721,16 +4727,20 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
dns_rdataset_t *sigrdataset,
isc_mem_t *mctx)
{
- isc_result_t result;
- dns_rdata_t keyrdata = DNS_RDATA_INIT;
+ dns_rdataset_t mykeyrdataset;
dst_key_t *dnsseckey = NULL;
+ isc_result_t result;
+
+ dns_rdataset_init(&mykeyrdataset);
+ dns_rdataset_clone(keyrdataset, &mykeyrdataset);
- result = dns_rdataset_first(keyrdataset);
+ result = dns_rdataset_first(&mykeyrdataset);
check_result(result, "empty DNSKEY dataset");
- dns_rdata_init(&keyrdata);
do {
- dns_rdataset_current(keyrdataset, &keyrdata);
+ dns_rdata_t keyrdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&mykeyrdataset, &keyrdata);
INSIST(keyrdata.type == dns_rdatatype_dnskey);
result = dns_dnssec_keyfromrdata(name, &keyrdata,
@@ -4739,18 +4749,19 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
sigrdataset, mctx);
- if (result == ISC_R_SUCCESS) {
- dns_rdata_reset(&keyrdata);
- dst_key_free(&dnsseckey);
- return (ISC_R_SUCCESS);
- }
+ if (result == ISC_R_SUCCESS)
+ goto cleanup;
dst_key_free(&dnsseckey);
- dns_rdata_reset(&keyrdata);
- } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
+ } while (dns_rdataset_next(&mykeyrdataset) == ISC_R_SUCCESS);
- dns_rdata_reset(&keyrdata);
+ result = ISC_R_NOTFOUND;
- return (ISC_R_NOTFOUND);
+ cleanup:
+ if (dnsseckey != NULL)
+ dst_key_free(&dnsseckey);
+ dns_rdataset_disassociate(&mykeyrdataset);
+
+ return (result);
}
isc_result_t
@@ -4758,16 +4769,23 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset,
isc_mem_t *mctx)
{
- isc_result_t result;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
dns_rdata_sig_t siginfo;
+ dns_rdataset_t myrdataset;
+ dns_rdataset_t mysigrdataset;
+ isc_result_t result;
+
+ dns_rdataset_init(&myrdataset);
+ dns_rdataset_clone(rdataset, &myrdataset);
+ dns_rdataset_init(&mysigrdataset);
+ dns_rdataset_clone(sigrdataset, &mysigrdataset);
- result = dns_rdataset_first(sigrdataset);
+ result = dns_rdataset_first(&mysigrdataset);
check_result(result, "empty RRSIG dataset");
- dns_rdata_init(&sigrdata);
do {
- dns_rdataset_current(sigrdataset, &sigrdata);
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&mysigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
check_result(result, "sigrdata tostruct siginfo");
@@ -4778,10 +4796,10 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
*/
if (siginfo.keyid == dst_key_id(dnsseckey)) {
- result = dns_rdataset_first(rdataset);
+ result = dns_rdataset_first(&myrdataset);
check_result(result, "empty DS dataset");
- result = dns_dnssec_verify(name, rdataset, dnsseckey,
+ result = dns_dnssec_verify(name, &myrdataset, dnsseckey,
ISC_FALSE, mctx, &sigrdata);
printf(";; VERIFYING ");
@@ -4791,19 +4809,18 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey),
isc_result_totext(result));
- if (result == ISC_R_SUCCESS) {
- dns_rdata_reset(&sigrdata);
- return (result);
- }
+ if (result == ISC_R_SUCCESS)
+ goto cleanup;
}
- dns_rdata_freestruct(&siginfo);
- dns_rdata_reset(&sigrdata);
+ } while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS);
- } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
+ result = ISC_R_NOTFOUND;
- dns_rdata_reset(&sigrdata);
+ cleanup:
+ dns_rdataset_disassociate(&myrdataset);
+ dns_rdataset_disassociate(&mysigrdataset);
- return (ISC_R_NOTFOUND);
+ return (result);
}
@@ -4811,27 +4828,35 @@ isc_result_t
sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
{
- isc_result_t result;
- dns_rdata_t keyrdata = DNS_RDATA_INIT;
- dns_rdata_t newdsrdata = DNS_RDATA_INIT;
- dns_rdata_t dsrdata = DNS_RDATA_INIT;
dns_rdata_ds_t dsinfo;
+ dns_rdataset_t mydsrdataset;
+ dns_rdataset_t mykeyrdataset;
dst_key_t *dnsseckey = NULL;
+ isc_result_t result;
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
- result = dns_rdataset_first(dsrdataset);
+ dns_rdataset_init(&mydsrdataset);
+ dns_rdataset_clone(dsrdataset, &mydsrdataset);
+ dns_rdataset_init(&mykeyrdataset);
+ dns_rdataset_clone(keyrdataset, &mykeyrdataset);
+
+ result = dns_rdataset_first(&mydsrdataset);
check_result(result, "empty DSset dataset");
do {
- dns_rdataset_current(dsrdataset, &dsrdata);
+ dns_rdata_t dsrdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&mydsrdataset, &dsrdata);
result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
check_result(result, "dns_rdata_tostruct for DS");
- result = dns_rdataset_first(keyrdataset);
+ result = dns_rdataset_first(&mykeyrdataset);
check_result(result, "empty KEY dataset");
do {
- dns_rdataset_current(keyrdataset, &keyrdata);
+ dns_rdata_t keyrdata = DNS_RDATA_INIT;
+
+ dns_rdataset_current(&mykeyrdataset, &keyrdata);
INSIST(keyrdata.type == dns_rdatatype_dnskey);
result = dns_dnssec_keyfromrdata(name, &keyrdata,
@@ -4843,6 +4868,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
* id of DNSKEY referenced by the DS
*/
if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
+ dns_rdata_t newdsrdata = DNS_RDATA_INIT;
result = dns_ds_buildrdata(name, &keyrdata,
dsinfo.digest_type,
@@ -4850,14 +4876,9 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dns_rdata_freestruct(&dsinfo);
if (result != ISC_R_SUCCESS) {
- dns_rdata_reset(&keyrdata);
- dns_rdata_reset(&newdsrdata);
- dns_rdata_reset(&dsrdata);
- dst_key_free(&dnsseckey);
- dns_rdata_freestruct(&dsinfo);
printf("Oops: impossible to build"
" new DS rdata\n");
- return (result);
+ goto cleanup;
}
@@ -4874,34 +4895,26 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dnsseckey,
chase_sigkeyrdataset,
mctx);
- if (result == ISC_R_SUCCESS) {
- dns_rdata_reset(&keyrdata);
- dns_rdata_reset(&newdsrdata);
- dns_rdata_reset(&dsrdata);
- dst_key_free(&dnsseckey);
-
- return (result);
- }
+ if (result == ISC_R_SUCCESS)
+ goto cleanup;
} else {
printf(";; This DS is NOT the DS for"
" the chasing KEY: FAILED\n");
}
-
- dns_rdata_reset(&newdsrdata);
}
dst_key_free(&dnsseckey);
- dns_rdata_reset(&keyrdata);
- dnsseckey = NULL;
- } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
- dns_rdata_reset(&dsrdata);
+ } while (dns_rdataset_next(&mykeyrdataset) == ISC_R_SUCCESS);
+ } while (dns_rdataset_next(&mydsrdataset) == ISC_R_SUCCESS);
- } while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
+ result = ISC_R_NOTFOUND;
- dns_rdata_reset(&keyrdata);
- dns_rdata_reset(&newdsrdata);
- dns_rdata_reset(&dsrdata);
+ cleanup:
+ if (dnsseckey != NULL)
+ dst_key_free(&dnsseckey);
+ dns_rdataset_disassociate(&mydsrdataset);
+ dns_rdataset_disassociate(&mykeyrdataset);
- return (ISC_R_NOTFOUND);
+ return (result);
}
/*
@@ -4949,6 +4962,20 @@ sigchase_td(dns_message_t *msg)
isc_boolean_t have_answer = ISC_FALSE;
isc_boolean_t true = ISC_TRUE;
+ if (msg->rcode != dns_rcode_noerror &&
+ msg->rcode != dns_rcode_nxdomain) {
+ char buf[20];
+ isc_buffer_t b;
+
+ isc_buffer_init(&b, buf, sizeof(buf));
+ result = dns_rcode_totext(msg->rcode, &b);
+ check_result(result, "dns_rcode_totext failed");
+ printf("error response code %.*s\n",
+ (int)isc_buffer_usedlength(&b), buf);
+ error_message = msg;
+ return;
+ }
+
if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
== ISC_R_SUCCESS) {
dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
@@ -4961,10 +4988,13 @@ sigchase_td(dns_message_t *msg)
if (!current_lookup->trace_root_sigchase) {
result = dns_message_firstname(msg,
DNS_SECTION_AUTHORITY);
- if (result == ISC_R_SUCCESS)
- dns_message_currentname(msg,
- DNS_SECTION_AUTHORITY,
- &name);
+ if (result != ISC_R_SUCCESS) {
+ printf("no answer or authority section\n");
+ error_message = msg;
+ return;
+ }
+ dns_message_currentname(msg, DNS_SECTION_AUTHORITY,
+ &name);
chase_nsrdataset
= chase_scanname_section(msg, name,
dns_rdatatype_ns,
@@ -4974,7 +5004,7 @@ sigchase_td(dns_message_t *msg)
if (chase_nsrdataset != NULL) {
have_delegation_ns = ISC_TRUE;
printf("no response but there is a delegation"
- " in authority section:");
+ " in authority section: ");
dns_name_print(name, stdout);
printf("\n");
} else {
@@ -5101,7 +5131,7 @@ sigchase_td(dns_message_t *msg)
dns_name_t tmp_name;
printf("\n;; We are in a Grand Father Problem:"
- " See 2.2.1 in RFC 3568\n");
+ " See 2.2.1 in RFC 3658\n");
chase_rdataset = NULL;
chase_sigrdataset = NULL;
have_response = ISC_FALSE;
@@ -5384,7 +5414,7 @@ getneededrr(dns_message_t *msg)
dns_rdatatype_dnskey,
&chase_sigkeylookedup);
if (result == ISC_R_FAILURE) {
- printf("\n;; RRSIG for DNSKEY is missing to continue"
+ printf("\n;; RRSIG for DNSKEY is missing to continue"
" validation : FAILED\n\n");
free_name(&chase_signame, mctx);
if (dns_name_dynamic(&chase_name))
@@ -5404,9 +5434,8 @@ getneededrr(dns_message_t *msg)
if (chase_dsrdataset == NULL) {
result = advanced_rrsearch(&chase_dsrdataset, &chase_signame,
- dns_rdatatype_ds,
- dns_rdatatype_any,
- &chase_dslookedup);
+ dns_rdatatype_ds, dns_rdatatype_any,
+ &chase_dslookedup);
if (result == ISC_R_FAILURE) {
printf("\n;; WARNING There is no DS for the zone: ");
dns_name_print(&chase_signame, stdout);
@@ -5694,7 +5723,6 @@ prove_nx_domain(dns_message_t *msg,
result = dns_rdataset_next(nsecset)) {
dns_rdataset_current(nsecset, &nsec);
-
signsecset
= chase_scanname_section(msg, nsecname,
dns_rdatatype_rrsig,
diff --git a/bin/dig/host.c b/bin/dig/host.c
index 08f89bf74c9e..cc6e54dd3440 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2007, 2009-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -165,7 +165,7 @@ show_usage(void) {
" -4 use IPv4 query transport only\n"
" -6 use IPv6 query transport only\n"
" -m set memory debugging flag (trace|record|usage)\n"
-" -v print version number and exit\n", stderr);
+" -V print version number and exit\n", stderr);
exit(1);
}
@@ -255,7 +255,7 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
isc_result_t result, loopresult;
isc_region_t r;
dns_name_t empty_name;
- char t[4096];
+ char tbuf[4096];
isc_boolean_t first;
isc_boolean_t no_rdata;
@@ -279,7 +279,7 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
name = NULL;
dns_message_currentname(msg, sectionid, &name);
- isc_buffer_init(&target, t, sizeof(t));
+ isc_buffer_init(&target, tbuf, sizeof(tbuf));
first = ISC_TRUE;
print_name = name;
@@ -370,13 +370,13 @@ printrdata(dns_message_t *msg, dns_rdataset_t *rdataset, dns_name_t *owner,
isc_buffer_t target;
isc_result_t result;
isc_region_t r;
- char t[4096];
+ char tbuf[4096];
UNUSED(msg);
if (headers)
printf(";; %s SECTION:\n", set_name);
- isc_buffer_init(&target, t, sizeof(t));
+ isc_buffer_init(&target, tbuf, sizeof(tbuf));
result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
&target);
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
index 99bf236d717d..9e6a9b0110ca 100644
--- a/bin/dig/include/dig/dig.h
+++ b/bin/dig/include/dig/dig.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dig.h,v 1.114 2011/12/07 17:23:28 each Exp $ */
-
#ifndef DIG_H
#define DIG_H
@@ -259,7 +257,6 @@ extern isc_boolean_t check_ra, have_ipv4, have_ipv6, specified_source,
extern in_port_t port;
extern unsigned int timeout;
extern isc_mem_t *mctx;
-extern dns_messageid_t id;
extern int sendcount;
extern int ndots;
extern int lookup_counter;
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index 051ed34b9415..d3237fa5dc2e 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -425,13 +425,12 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
puts("");
if (!short_form) {
- isc_boolean_t headers = ISC_TRUE;
puts("------------");
/* detailheader(query, msg);*/
- detailsection(query, msg, headers, DNS_SECTION_QUESTION);
- detailsection(query, msg, headers, DNS_SECTION_ANSWER);
- detailsection(query, msg, headers, DNS_SECTION_AUTHORITY);
- detailsection(query, msg, headers, DNS_SECTION_ADDITIONAL);
+ detailsection(query, msg, ISC_TRUE, DNS_SECTION_QUESTION);
+ detailsection(query, msg, ISC_TRUE, DNS_SECTION_ANSWER);
+ detailsection(query, msg, ISC_TRUE, DNS_SECTION_AUTHORITY);
+ detailsection(query, msg, ISC_TRUE, DNS_SECTION_ADDITIONAL);
puts("------------");
}
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
index fca7b17d3cfa..8c1bd86f16d9 100644
--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -61,6 +61,7 @@ static dns_fixedname_t fixed;
static dns_name_t *name = NULL;
static isc_mem_t *mctx = NULL;
static isc_uint32_t ttl;
+static isc_boolean_t emitttl = ISC_FALSE;
static isc_result_t
initname(char *setname) {
@@ -295,7 +296,7 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
isc_buffer_usedregion(&nameb, &r);
printf("%.*s ", (int)r.length, r.base);
- if (ttl != 0U)
+ if (emitttl)
printf("%u ", ttl);
isc_buffer_usedregion(&classb, &r);
@@ -415,6 +416,7 @@ main(int argc, char **argv) {
usekeyset = ISC_TRUE;
break;
case 'T':
+ emitttl = ISC_TRUE;
ttl = atol(isc_commandline_argument);
break;
case 'v':
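Review bot: Setting `emitttl = ISC_TRUE` on every `-T` makes the unchecked `atol()` on the following line user-visible. A non-numeric argument converts to 0 and is now printed as a TTL of 0 in the DS record, where the old `ttl != 0U` test suppressed it, and negative or oversized input is folded silently into the `isc_uint32_t`. Parse with an end-pointer check instead, e.g. `ttl = strtoul(isc_commandline_argument, &endp, 10);` with a new local `char *endp`, and reject the option through the tool's existing fatal-error path when `*endp != '\0'` or the value is out of range. main() starts and ends outside this hunk.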
@@ -489,7 +491,7 @@ main(int argc, char **argv) {
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
- setup_logging(verbose, mctx, &log);
+ setup_logging(mctx, &log);
dns_rdataset_init(&rdataset);
diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c
index f07f02ecf5b7..ff525f693faa 100644
--- a/bin/dnssec/dnssec-importkey.c
+++ b/bin/dnssec/dnssec-importkey.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2013-2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -380,7 +380,7 @@ main(int argc, char **argv) {
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
- setup_logging(verbose, mctx, &log);
+ setup_logging(mctx, &log);
dns_rdataset_init(&rdataset);
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 9dc9df75194d..bb26c33a7768 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2007-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -319,7 +319,7 @@ main(int argc, char **argv) {
fatal("could not initialize dst: %s",
isc_result_totext(ret));
- setup_logging(verbose, mctx, &log);
+ setup_logging(mctx, &log);
if (predecessor == NULL) {
if (label == NULL)
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index 11d7e4f01366..2cd5d76ff516 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
@@ -136,11 +136,11 @@ Deprecated in favor of \-T KEY.
.PP
\-L \fIttl\fR
.RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
+Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL. Setting the default TTL to
0
or
none
-removes it.
+is the same as leaving it unset.
.RE
.PP
\-p \fIprotocol\fR
@@ -307,7 +307,7 @@ RFC 4034.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007\-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
.br
Copyright \(co 2000\-2003 Internet Software Consortium.
.br
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 26504410db2e..3cae29c724fb 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -476,7 +476,7 @@ main(int argc, char **argv) {
fatal("could not initialize dst: %s",
isc_result_totext(ret));
- setup_logging(verbose, mctx, &log);
+ setup_logging(mctx, &log);
if (predecessor == NULL) {
if (prepub == -1)
@@ -541,6 +541,9 @@ main(int argc, char **argv) {
options |= DST_TYPE_KEY;
}
+ if (!dst_algorithm_supported(alg))
+ fatal("unsupported algorithm: %d", alg);
+
if (use_nsec3 &&
alg != DST_ALG_NSEC3DSA && alg != DST_ALG_NSEC3RSASHA1 &&
alg != DST_ALG_RSASHA256 && alg!= DST_ALG_RSASHA512 &&
@@ -708,8 +711,13 @@ main(int argc, char **argv) {
fatal("invalid DSS key size: %d", size);
break;
case DST_ALG_ECCGOST:
+ size = 256;
+ break;
case DST_ALG_ECDSA256:
+ size = 256;
+ break;
case DST_ALG_ECDSA384:
+ size = 384;
break;
case DST_ALG_HMACMD5:
options |= DST_TYPE_KEY;
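Review bot: The three new assignments overwrite `size` unconditionally, so a `-b` value that disagrees with the curve would be dropped without any message, whereas the neighbouring case rejects a bad size with `fatal()`. A one-line comment would make the intent explicit, e.g. `/* key size is fixed by the algorithm; any -b value is ignored */`. `DST_ALG_ECCGOST` and `DST_ALG_ECDSA256` can also share one body: `case DST_ALG_ECCGOST: case DST_ALG_ECDSA256: size = 256; break;`. Whether `size` carries a user-supplied value at this point is not visible here, since the switch and the option parsing start outside the hunk.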
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 725c4e1cbb2f..472575f0d002 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005, 2007-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -45,6 +45,7 @@
<year>2011</year>
<year>2012</year>
<year>2014</year>
+ <year>2015</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -301,8 +302,10 @@
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. Setting the default TTL to
- <literal>0</literal> or <literal>none</literal> removes it.
+ would take precedence. If this value is not set and there
+ is no existing DNSKEY RRset, the TTL will default to the
+ SOA TTL. Setting the default TTL to <literal>0</literal>
+ or <literal>none</literal> is the same as leaving it unset.
</para>
</listitem>
</varlistentry>
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index 43837abecb11..9cf62ebc7660 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005, 2007-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
@@ -32,7 +32,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em 
class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543605"></a><h2>DESCRIPTION</h2>
+<a name="id2543608"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
@@ -46,7 +46,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543623"></a><h2>OPTIONS</h2>
+<a name="id2543626"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
@@ -175,8 +175,10 @@
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. Setting the default TTL to
- <code class="literal">0</code> or <code class="literal">none</code> removes it.
+ would take precedence. If this value is not set and there
+ is no existing DNSKEY RRset, the TTL will default to the
+ SOA TTL. Setting the default TTL to <code class="literal">0</code>
+ or <code class="literal">none</code> is the same as leaving it unset.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
@@ -260,7 +262,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544216"></a><h2>TIMING OPTIONS</h2>
+<a name="id2544220"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -334,7 +336,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2544406"></a><h2>GENERATED KEYS</h2>
+<a name="id2544410"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
@@ -380,7 +382,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544625"></a><h2>EXAMPLE</h2>
+<a name="id2544492"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -401,7 +403,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544668"></a><h2>SEE ALSO</h2>
+<a name="id2544604"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2539</em>,
@@ -410,7 +412,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544699"></a><h2>AUTHOR</h2>
+<a name="id2544635"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-settime.8 b/bin/dnssec/dnssec-settime.8
index 87bc52dc7839..821e4db990f1 100644
--- a/bin/dnssec/dnssec-settime.8
+++ b/bin/dnssec/dnssec-settime.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009-2011, 2014 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -69,11 +69,11 @@ Sets the directory in which the key files are to reside.
.PP
\-L \fIttl\fR
.RS 4
-Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. Setting the default TTL to
+Sets the default TTL to use for this key when it is converted into a DNSKEY RR. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL. Setting the default TTL to
0
or
none
-removes it.
+removes it from the key.
.RE
.PP
\-h
@@ -176,5 +176,5 @@ RFC 5011.
.PP
Internet Systems Consortium
.SH "COPYRIGHT"
-Copyright \(co 2009\-2011, 2014 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009\-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
.br
diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c
index 88f8cf168331..3d18b61a6139 100644
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2009-2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -162,7 +162,7 @@ main(int argc, char **argv) {
if (result != ISC_R_SUCCESS)
fatal("Out of memory");
- setup_logging(verbose, mctx, &log);
+ setup_logging(mctx, &log);
dns_result_register();
@@ -333,7 +333,6 @@ main(int argc, char **argv) {
isc_entropy_stopcallbacksources(ectx);
if (predecessor != NULL) {
- char keystr[DST_KEY_FORMATSIZE];
int major, minor;
if (prepub == -1)
diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook
index b2c6a2a2398a..942f1889cf60 100644
--- a/bin/dnssec/dnssec-settime.docbook
+++ b/bin/dnssec/dnssec-settime.docbook
@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2009-2011, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -39,6 +39,7 @@
<year>2010</year>
<year>2011</year>
<year>2014</year>
+ <year>2015</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
</docinfo>
@@ -126,8 +127,10 @@
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. Setting the default TTL to
- <literal>0</literal> or <literal>none</literal> removes it.
+ would take precedence. If this value is not set and there
+ is no existing DNSKEY RRset, the TTL will default to the
+ SOA TTL. Setting the default TTL to <literal>0</literal>
+ or <literal>none</literal> removes it from the key.
</para>
</listitem>
</varlistentry>
diff --git a/bin/dnssec/dnssec-settime.html b/bin/dnssec/dnssec-settime.html
index 6cf3d2aab10d..0132e07ceee6 100644
--- a/bin/dnssec/dnssec-settime.html
+++ b/bin/dnssec/dnssec-settime.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2009-2011, 2014 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009-2011, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
@@ -31,7 +31,7 @@
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543447"></a><h2>DESCRIPTION</h2>
+<a name="id2543450"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
@@ -57,7 +57,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543495"></a><h2>OPTIONS</h2>
+<a name="id2543498"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f</span></dt>
<dd><p>
@@ -80,8 +80,10 @@
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
- would take precedence. Setting the default TTL to
- <code class="literal">0</code> or <code class="literal">none</code> removes it.
+ would take precedence. If this value is not set and there
+ is no existing DNSKEY RRset, the TTL will default to the
+ SOA TTL. Setting the default TTL to <code class="literal">0</code>
+ or <code class="literal">none</code> removes it from the key.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
@@ -103,7 +105,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543692"></a><h2>TIMING OPTIONS</h2>
+<a name="id2543697"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
@@ -182,7 +184,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543831"></a><h2>PRINTING OPTIONS</h2>
+<a name="id2543835"></a><h2>PRINTING OPTIONS</h2>
<p>
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
@@ -208,7 +210,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2543909"></a><h2>SEE ALSO</h2>
+<a name="id2543913"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
@@ -216,7 +218,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2543942"></a><h2>AUTHOR</h2>
+<a name="id2543946"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index d3250d9c4c99..d791edb53fac 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -1,5 +1,5 @@
/*
- * Portions Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -132,7 +132,7 @@ static isc_mem_t *mctx = NULL;
static isc_entropy_t *ectx = NULL;
static dns_ttl_t zone_soa_min_ttl;
static dns_ttl_t soa_ttl;
-static FILE *fp = NULL;
+static FILE *outfp = NULL;
static char *tempfile = NULL;
static const dns_master_style_t *masterstyle;
static dns_masterformat_t inputformat = dns_masterformat_text;
@@ -152,7 +152,7 @@ static dns_name_t *gorigin; /* The database origin */
static int nsec3flags = 0;
static dns_iterations_t nsec3iter = 10U;
static unsigned char saltbuf[255];
-static unsigned char *salt = saltbuf;
+static unsigned char *gsalt = saltbuf;
static size_t salt_length = 0;
static isc_task_t *master = NULL;
static unsigned int ntasks = 0;
@@ -202,7 +202,7 @@ dumpnode(dns_name_t *name, dns_dbnode_t *node) {
if (!output_dnssec_only) {
result = dns_master_dumpnodetostream(mctx, gdb, gversion, node,
- name, masterstyle, fp);
+ name, masterstyle, outfp);
check_result(result, "dns_master_dumpnodetostream");
return;
}
@@ -244,7 +244,7 @@ dumpnode(dns_name_t *name, dns_dbnode_t *node) {
check_result(result, "dns_master_rdatasettotext");
isc_buffer_usedregion(buffer, &r);
- result = isc_stdio_write(r.base, 1, r.length, fp, NULL);
+ result = isc_stdio_write(r.base, 1, r.length, outfp, NULL);
check_result(result, "isc_stdio_write");
isc_buffer_clear(buffer);
@@ -285,8 +285,6 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
mctx, &b, &trdata);
isc_entropy_stopcallbacksources(ectx);
if (result != ISC_R_SUCCESS) {
- char keystr[DST_KEY_FORMATSIZE];
- dst_key_format(key, keystr, sizeof(keystr));
fatal("dnskey '%s' failed to sign data: %s",
keystr, isc_result_totext(result));
}
@@ -737,7 +735,7 @@ hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
static void
hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
unsigned int hashalg, unsigned int iterations,
- const unsigned char *salt, size_t salt_length,
+ const unsigned char *salt, size_t salt_len,
isc_boolean_t speculative)
{
char nametext[DNS_NAME_FORMATSIZE];
@@ -746,7 +744,7 @@ hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
size_t i;
len = isc_iterated_hash(hash, hashalg, iterations,
- salt, (int)salt_length,
+ salt, (int)salt_len,
name->ndata, name->length);
if (verbose) {
dns_name_format(name, nametext, sizeof nametext);
@@ -828,7 +826,7 @@ hashlist_exists(const hashlist_t *l,
static void
addnowildcardhash(hashlist_t *l, /*const*/ dns_name_t *name,
unsigned int hashalg, unsigned int iterations,
- const unsigned char *salt, size_t salt_length)
+ const unsigned char *salt, size_t salt_len)
{
dns_fixedname_t fixed;
dns_name_t *wild;
@@ -855,7 +853,7 @@ addnowildcardhash(hashlist_t *l, /*const*/ dns_name_t *name,
fprintf(stderr, "adding no-wildcardhash for %s\n", namestr);
}
- hashlist_add_dns_name(l, wild, hashalg, iterations, salt, salt_length,
+ hashlist_add_dns_name(l, wild, hashalg, iterations, salt, salt_len,
ISC_TRUE);
}
@@ -1826,7 +1824,7 @@ nsecify(void) {
}
static void
-addnsec3param(const unsigned char *salt, size_t salt_length,
+addnsec3param(const unsigned char *salt, size_t salt_len,
dns_iterations_t iterations)
{
dns_dbnode_t *node = NULL;
@@ -1847,7 +1845,7 @@ addnsec3param(const unsigned char *salt, size_t salt_length,
nsec3param.flags = 0;
nsec3param.hash = unknownalg ? DNS_NSEC3_UNKNOWNALG : dns_hash_sha1;
nsec3param.iterations = iterations;
- nsec3param.salt_length = (unsigned char)salt_length;
+ nsec3param.salt_length = (unsigned char)salt_len;
DE_CONST(salt, nsec3param.salt);
isc_buffer_init(&b, nsec3parambuf, sizeof(nsec3parambuf));
@@ -1886,7 +1884,7 @@ addnsec3param(const unsigned char *salt, size_t salt_length,
static void
addnsec3(dns_name_t *name, dns_dbnode_t *node,
- const unsigned char *salt, size_t salt_length,
+ const unsigned char *salt, size_t salt_len,
unsigned int iterations, hashlist_t *hashlist,
dns_ttl_t ttl)
{
@@ -1900,7 +1898,7 @@ addnsec3(dns_name_t *name, dns_dbnode_t *node,
isc_result_t result;
dns_dbnode_t *nsec3node = NULL;
char namebuf[DNS_NAME_FORMATSIZE];
- size_t hash_length;
+ size_t hash_len;
dns_name_format(name, namebuf, sizeof(namebuf));
@@ -1908,16 +1906,16 @@ addnsec3(dns_name_t *name, dns_dbnode_t *node,
dns_rdataset_init(&rdataset);
dns_name_downcase(name, name, NULL);
- result = dns_nsec3_hashname(&hashname, hash, &hash_length,
+ result = dns_nsec3_hashname(&hashname, hash, &hash_len,
name, gorigin, dns_hash_sha1, iterations,
- salt, salt_length);
+ salt, salt_len);
check_result(result, "addnsec3: dns_nsec3_hashname()");
nexthash = hashlist_findnext(hashlist, hash);
result = dns_nsec3_buildrdata(gdb, gversion, node,
unknownalg ?
DNS_NSEC3_UNKNOWNALG : dns_hash_sha1,
nsec3flags, iterations,
- salt, salt_length,
+ salt, salt_len,
nexthash, ISC_SHA1_DIGESTLENGTH,
nsec3buffer, &rdata);
check_result(result, "addnsec3: dns_nsec3_buildrdata()");
@@ -1953,7 +1951,7 @@ addnsec3(dns_name_t *name, dns_dbnode_t *node,
static void
nsec3clean(dns_name_t *name, dns_dbnode_t *node,
unsigned int hashalg, unsigned int iterations,
- const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
+ const unsigned char *salt, size_t salt_len, hashlist_t *hashlist)
{
dns_label_t label;
dns_rdata_nsec3_t nsec3;
@@ -2013,8 +2011,8 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
check_result(result, "dns_rdata_tostruct");
if (exists && nsec3.hash == hashalg &&
nsec3.iterations == iterations &&
- nsec3.salt_length == salt_length &&
- !memcmp(nsec3.salt, salt, salt_length))
+ nsec3.salt_length == salt_len &&
+ !memcmp(nsec3.salt, salt, salt_len))
continue;
rdatalist.rdclass = rdata.rdclass;
rdatalist.type = rdata.type;
@@ -2145,7 +2143,7 @@ remove_duplicates(void) {
*/
static void
nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
- const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
+ const unsigned char *salt, size_t salt_len, hashlist_t *hashlist)
{
dns_dbiterator_t *dbiter = NULL;
dns_dbnode_t *node = NULL, *nextnode = NULL;
@@ -2241,7 +2239,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
isc_result_totext(result));
dns_name_downcase(name, name, NULL);
hashlist_add_dns_name(hashlist, name, hashalg, iterations,
- salt, salt_length, ISC_FALSE);
+ salt, salt_len, ISC_FALSE);
dns_db_detachnode(gdb, &node);
/*
* Add hashs for empty nodes. Use closest encloser logic.
@@ -2252,16 +2250,16 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
dns_name_downcase(nextname, nextname, NULL);
dns_name_fullcompare(name, nextname, &order, &nlabels);
addnowildcardhash(hashlist, name, hashalg, iterations,
- salt, salt_length);
+ salt, salt_len);
count = dns_name_countlabels(nextname);
while (count > nlabels + 1) {
count--;
dns_name_split(nextname, count, NULL, nextname);
hashlist_add_dns_name(hashlist, nextname, hashalg,
- iterations, salt, salt_length,
+ iterations, salt, salt_len,
ISC_FALSE);
addnowildcardhash(hashlist, nextname, hashalg,
- iterations, salt, salt_length);
+ iterations, salt, salt_len);
}
}
dns_dbiterator_destroy(&dbiter);
@@ -2284,7 +2282,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
zonecut = NULL;
done = ISC_FALSE;
- addnsec3param(salt, salt_length, iterations);
+ addnsec3param(salt, salt_len, iterations);
/*
* Clean out NSEC3 records which don't match this chain.
@@ -2297,7 +2295,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
result = dns_dbiterator_next(dbiter)) {
result = dns_dbiterator_current(dbiter, &node, name);
check_dns_dbiterator_current(result);
- nsec3clean(name, node, hashalg, iterations, salt, salt_length,
+ nsec3clean(name, node, hashalg, iterations, salt, salt_len,
hashlist);
dns_db_detachnode(gdb, &node);
}
@@ -2371,7 +2369,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
* We need to pause here to release the lock on the database.
*/
dns_dbiterator_pause(dbiter);
- addnsec3(name, node, salt, salt_length, iterations,
+ addnsec3(name, node, salt, salt_len, iterations,
hashlist, zone_soa_min_ttl);
dns_db_detachnode(gdb, &node);
/*
@@ -2382,7 +2380,7 @@ nsec3ify(unsigned int hashalg, dns_iterations_t iterations,
while (count > nlabels + 1) {
count--;
dns_name_split(nextname, count, NULL, nextname);
- addnsec3(nextname, NULL, salt, salt_length,
+ addnsec3(nextname, NULL, salt, salt_len,
iterations, hashlist, zone_soa_min_ttl);
}
}
@@ -2644,7 +2642,7 @@ warnifallksk(dns_db_t *db) {
}
static void
-set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
+set_nsec3params(isc_boolean_t update, isc_boolean_t set_salt,
isc_boolean_t set_optout, isc_boolean_t set_iter)
{
isc_result_t result;
@@ -2672,7 +2670,7 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
nsec_datatype = dns_rdatatype_nsec3;
- if (!update_chain && set_salt) {
+ if (!update && set_salt) {
if (salt_length != orig_saltlen ||
memcmp(saltbuf, orig_salt, salt_length) != 0)
fatal("An NSEC3 chain exists with a different salt. "
@@ -2680,10 +2678,10 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
} else if (!set_salt) {
salt_length = orig_saltlen;
memmove(saltbuf, orig_salt, orig_saltlen);
- salt = saltbuf;
+ gsalt = saltbuf;
}
- if (!update_chain && set_iter) {
+ if (!update && set_iter) {
if (nsec3iter != orig_iter)
fatal("An NSEC3 chain exists with different "
"iterations. Use -u to update it.");
@@ -2717,7 +2715,7 @@ set_nsec3params(isc_boolean_t update_chain, isc_boolean_t set_salt,
result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
check_result(result, "dns_rdata_tostruct");
- if (!update_chain && set_optout) {
+ if (!update && set_optout) {
if (nsec3flags != nsec3.flags)
fatal("An NSEC3 chain exists with%s OPTOUT. "
"Use -u -%s to %s it.",
@@ -3407,7 +3405,7 @@ main(int argc, char *argv[]) {
if (directory == NULL)
directory = ".";
- setup_logging(verbose, mctx, &log);
+ setup_logging(mctx, &log);
argc -= isc_commandline_index;
argv += isc_commandline_index;
@@ -3608,7 +3606,7 @@ main(int argc, char *argv[]) {
if (!nonsecify) {
if (IS_NSEC3)
- nsec3ify(dns_hash_sha1, nsec3iter, salt, salt_length,
+ nsec3ify(dns_hash_sha1, nsec3iter, gsalt, salt_length,
&hashlist);
else
nsecify();
@@ -3624,7 +3622,7 @@ main(int argc, char *argv[]) {
}
if (output_stdout) {
- fp = stdout;
+ outfp = stdout;
if (outputformatstr == NULL)
masterstyle = &dns_master_style_full;
} else {
@@ -3637,9 +3635,9 @@ main(int argc, char *argv[]) {
check_result(result, "isc_file_mktemplate");
if (outputformat == dns_masterformat_text)
- result = isc_file_openunique(tempfile, &fp);
+ result = isc_file_openunique(tempfile, &outfp);
else
- result = isc_file_bopenunique(tempfile, &fp);
+ result = isc_file_bopenunique(tempfile, &outfp);
if (result != ISC_R_SUCCESS)
fatal("failed to open temporary output file: %s",
isc_result_totext(result));
@@ -3647,8 +3645,8 @@ main(int argc, char *argv[]) {
setfatalcallback(&removetempfile);
}
- print_time(fp);
- print_version(fp);
+ print_time(outfp);
+ print_version(outfp);
result = isc_taskmgr_create(mctx, ntasks, 0, &taskmgr);
if (result != ISC_R_SUCCESS)
@@ -3718,7 +3716,7 @@ main(int argc, char *argv[]) {
}
result = dns_master_dumptostream3(mctx, gdb, gversion,
masterstyle, outputformat,
- &header, fp);
+ &header, outfp);
check_result(result, "dns_master_dumptostream3");
}
@@ -3727,7 +3725,7 @@ main(int argc, char *argv[]) {
DESTROYLOCK(&statslock);
if (!output_stdout) {
- result = isc_stdio_close(fp);
+ result = isc_stdio_close(outfp);
check_result(result, "isc_stdio_close");
removefile = ISC_FALSE;
diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c
index 09e5211d47af..f68e4da5a596 100644
--- a/bin/dnssec/dnssec-verify.c
+++ b/bin/dnssec/dnssec-verify.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -272,7 +272,7 @@ main(int argc, char *argv[]) {
rdclass = strtoclass(classname);
- setup_logging(verbose, mctx, &log);
+ setup_logging(mctx, &log);
argc -= isc_commandline_index;
argv += isc_commandline_index;
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index b1d1ed664bf2..42936414abc2 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2005, 2007, 2009-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -120,8 +120,8 @@ vbprintf(int level, const char *fmt, ...) {
}
void
-version(const char *program) {
- fprintf(stderr, "%s %s\n", program, VERSION);
+version(const char *name) {
+ fprintf(stderr, "%s %s\n", name, VERSION);
exit(0);
}
@@ -149,7 +149,7 @@ sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
}
void
-setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
+setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
isc_result_t result;
isc_logdestination_t destination;
isc_logconfig_t *logconfig = NULL;
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index f51bd0001a7b..2ad83d3d8616 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004, 2007-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -57,7 +57,7 @@ sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + DNS_SECALG_FORMATSIZE + sizeof("65535"))
void
-setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp);
+setup_logging(isc_mem_t *mctx, isc_log_t **logp);
void
cleanup_logging(isc_log_t **logp);
diff --git a/bin/named/client.c b/bin/named/client.c
index aed3b178133c..f66ceda83d50 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -532,6 +532,17 @@ exit_check(ns_client_t *client) {
INSIST(client->recursionquota == NULL);
INSIST(!ISC_QLINK_LINKED(client, ilink));
+ if (manager != NULL) {
+ LOCK(&manager->listlock);
+ ISC_LIST_UNLINK(manager->clients, client, link);
+ LOCK(&manager->lock);
+ if (manager->exiting &&
+ ISC_LIST_EMPTY(manager->clients))
+ destroy_manager = ISC_TRUE;
+ UNLOCK(&manager->lock);
+ UNLOCK(&manager->listlock);
+ }
+
ns_query_free(client);
isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE);
isc_event_free((isc_event_t **)&client->sendevent);
@@ -549,16 +560,6 @@ exit_check(ns_client_t *client) {
}
dns_message_destroy(&client->message);
- if (manager != NULL) {
- LOCK(&manager->listlock);
- ISC_LIST_UNLINK(manager->clients, client, link);
- LOCK(&manager->lock);
- if (manager->exiting &&
- ISC_LIST_EMPTY(manager->clients))
- destroy_manager = ISC_TRUE;
- UNLOCK(&manager->lock);
- UNLOCK(&manager->listlock);
- }
/*
* Detaching the task must be done after unlinking from
@@ -579,6 +580,13 @@ exit_check(ns_client_t *client) {
isc_mem_stats(client->mctx, stderr);
INSIST(0);
}
+
+ /*
+ * Destroy the fetchlock mutex that was created in
+ * ns_query_init().
+ */
+ DESTROYLOCK(&client->query.fetchlock);
+
isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
}
@@ -1283,7 +1291,6 @@ client_addopt(ns_client_t *client) {
(ns_g_server->server_id != NULL ||
ns_g_server->server_usehostname)) {
if (ns_g_server->server_usehostname) {
- isc_result_t result;
result = ns_os_gethostname(nsid, sizeof(nsid));
if (result != ISC_R_SUCCESS) {
goto no_nsid;
@@ -1677,8 +1684,18 @@ client_request(isc_task_t *task, isc_event_t *event) {
/*
* Deal with EDNS.
*/
- opt = dns_message_getopt(client->message);
+ if (ns_g_noedns)
+ opt = NULL;
+ else
+ opt = dns_message_getopt(client->message);
if (opt != NULL) {
+ /*
+ * Are we dropping all EDNS queries?
+ */
+ if (ns_g_dropedns) {
+ ns_client_next(client, ISC_R_SUCCESS);
+ goto cleanup;
+ }
result = process_opt(client, opt);
if (result != ISC_R_SUCCESS)
goto cleanup;
diff --git a/bin/named/config.c b/bin/named/config.c
index ebc48cfc464e..a32f12e660ae 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -522,6 +522,13 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
REQUIRE(keysp != NULL && *keysp == NULL);
REQUIRE(countp != NULL);
+ /*
+ * Get system defaults.
+ */
+ result = ns_config_getport(config, &port);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
newlist:
addrlist = cfg_tuple_get(list, "addresses");
portobj = cfg_tuple_get(list, "port");
@@ -534,10 +541,6 @@ ns_config_getipandkeylist(const cfg_obj_t *config, const cfg_obj_t *list,
goto cleanup;
}
port = (in_port_t) val;
- } else {
- result = ns_config_getport(config, &port);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
}
result = ISC_R_NOMEMORY;
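Review bot: `port` is no longer reset to the configured default each time control reaches `newlist:`, because this hunk removes the `else` branch and the earlier hunk of this file fetches the default only once, before the label. A list without a `port` clause therefore keeps whatever the previously processed list assigned. For a list nested inside another this looks like intended inheritance, but if processing later resumes the enclosing list, the nested list's port would carry over to its remaining addresses unless the value is saved and restored around the jump. That part of ns_config_getipandkeylist is outside both hunks, so it needs confirming; if it is not handled, the current `port` should be saved with the resume position before jumping to `newlist` and restored when the enclosing list continues.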
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index a9174f3e31c4..b215408000e6 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -157,9 +157,15 @@ EXTERN int ns_g_listen INIT(3);
EXTERN isc_time_t ns_g_boottime;
EXTERN isc_boolean_t ns_g_memstatistics INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_clienttest INIT(ISC_FALSE);
+EXTERN isc_boolean_t ns_g_dropedns INIT(ISC_FALSE);
+EXTERN isc_boolean_t ns_g_noedns INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_nosoa INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_noaa INIT(ISC_FALSE);
EXTERN isc_boolean_t ns_g_nonearest INIT(ISC_FALSE);
+EXTERN isc_boolean_t ns_g_notcp INIT(ISC_FALSE);
+EXTERN isc_boolean_t ns_g_disable6 INIT(ISC_FALSE);
+EXTERN isc_boolean_t ns_g_disable4 INIT(ISC_FALSE);
+
#undef EXTERN
#undef INIT
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index 514d702978a9..850222ad02bf 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009, 2011-2014 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2002 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -392,7 +392,7 @@ ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
if (result != ISC_R_SUCCESS)
goto cleanup_interface;
- if (accept_tcp == ISC_TRUE) {
+ if (!ns_g_notcp && accept_tcp == ISC_TRUE) {
result = ns_interface_accepttcp(ifp);
if (result != ISC_R_SUCCESS) {
/*
@@ -638,7 +638,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
if (isc_net_probeipv6() == ISC_R_SUCCESS)
scan_ipv6 = ISC_TRUE;
#ifdef WANT_IPV6
- else
+ else if (!ns_g_disable6)
isc_log_write(IFMGR_COMMON_LOGARGS,
verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
"no IPv6 interfaces found");
@@ -646,7 +646,7 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
if (isc_net_probeipv4() == ISC_R_SUCCESS)
scan_ipv4 = ISC_TRUE;
- else
+ else if (!ns_g_disable4)
isc_log_write(IFMGR_COMMON_LOGARGS,
verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
"no IPv4 interfaces found");
diff --git a/bin/named/main.c b/bin/named/main.c
index 599c142fd498..6e340cc13c49 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -51,6 +51,10 @@
#include <dlz/dlz_dlopen_driver.h>
+#ifdef HAVE_GPERFTOOLS_PROFILER
+#include <gperftools/profiler.h>
+#endif
+
/*
* Defining NS_MAIN provides storage declarations (rather than extern)
* for variables in named/globals.h.
@@ -72,6 +76,7 @@
#ifdef OPENSSL
#include <openssl/opensslv.h>
+#include <openssl/crypto.h>
#endif
#ifdef HAVE_LIBXML2
#include <libxml/xmlversion.h>
@@ -95,6 +100,10 @@
#define BACKTRACE_MAXFRAME 128
#endif
+extern unsigned int dns_zone_mkey_hour;
+extern unsigned int dns_zone_mkey_day;
+extern unsigned int dns_zone_mkey_month;
+
static isc_boolean_t want_stats = ISC_FALSE;
static char program_name[ISC_DIR_NAMEMAX] = "named";
static char absolute_conffile[ISC_DIR_PATHMAX];
@@ -409,8 +418,6 @@ parse_command_line(int argc, char *argv[]) {
int ch;
int port;
const char *p;
- isc_boolean_t disable6 = ISC_FALSE;
- isc_boolean_t disable4 = ISC_FALSE;
save_command_line(argc, argv);
@@ -420,20 +427,20 @@ parse_command_line(int argc, char *argv[]) {
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case '4':
- if (disable4)
+ if (ns_g_disable4)
ns_main_earlyfatal("cannot specify -4 and -6");
if (isc_net_probeipv4() != ISC_R_SUCCESS)
ns_main_earlyfatal("IPv4 not supported by OS");
isc_net_disableipv6();
- disable6 = ISC_TRUE;
+ ns_g_disable6 = ISC_TRUE;
break;
case '6':
- if (disable6)
+ if (ns_g_disable6)
ns_main_earlyfatal("cannot specify -4 and -6");
if (isc_net_probeipv6() != ISC_R_SUCCESS)
ns_main_earlyfatal("IPv6 not supported by OS");
isc_net_disableipv4();
- disable4 = ISC_TRUE;
+ ns_g_disable4 = ISC_TRUE;
break;
case 'c':
ns_g_conffile = isc_commandline_argument;
@@ -522,10 +529,50 @@ parse_command_line(int argc, char *argv[]) {
maxudp = 512;
else if (!strcmp(isc_commandline_argument, "maxudp1460"))
maxudp = 1460;
+ else if (!strcmp(isc_commandline_argument, "dropedns"))
+ ns_g_dropedns = ISC_TRUE;
+ else if (!strcmp(isc_commandline_argument, "noedns"))
+ ns_g_noedns = ISC_TRUE;
+ else if (!strncmp(isc_commandline_argument,
+ "maxudp=", 7))
+ maxudp = atoi(isc_commandline_argument + 7);
else if (!strcmp(isc_commandline_argument, "nosyslog"))
ns_g_nosyslog = ISC_TRUE;
else if (!strcmp(isc_commandline_argument, "nonearest"))
ns_g_nonearest = ISC_TRUE;
+ else if (!strncmp(isc_commandline_argument,
+ "mkeytimers=", 11))
+ {
+ p = strtok(isc_commandline_argument + 11, "/");
+ if (p == NULL)
+ ns_main_earlyfatal("bad mkeytimer");
+ dns_zone_mkey_hour = atoi(p);
+ if (dns_zone_mkey_hour == 0)
+ ns_main_earlyfatal("bad mkeytimer");
+
+ p = strtok(NULL, "/");
+ if (p == NULL) {
+ dns_zone_mkey_day =
+ (24 * dns_zone_mkey_hour);
+ dns_zone_mkey_month =
+ (30 * dns_zone_mkey_day);
+ break;
+ }
+ dns_zone_mkey_day = atoi(p);
+ if (dns_zone_mkey_day < dns_zone_mkey_hour)
+ ns_main_earlyfatal("bad mkeytimer");
+
+ p = strtok(NULL, "/");
+ if (p == NULL) {
+ dns_zone_mkey_month =
+ (30 * dns_zone_mkey_day);
+ break;
+ }
+ dns_zone_mkey_month = atoi(p);
+ if (dns_zone_mkey_month < dns_zone_mkey_day)
+ ns_main_earlyfatal("bad mkeytimer");
+ } else if (!strcmp(isc_commandline_argument, "notcp"))
+ ns_g_notcp = ISC_TRUE;
else
fprintf(stderr, "unknown -T flag '%s\n",
isc_commandline_argument);
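Review bot: The new `maxudp=` and `mkeytimers=` branches convert their arguments with `atoi()`, which reports no errors, and the mkeytimers results are stored in `unsigned int` variables. An argument such as `-1` therefore becomes a very large value that passes the `== 0` and ordering checks, trailing text is ignored, and `24 * dns_zone_mkey_hour` or `30 * dns_zone_mkey_day` can wrap. Parsing with `strtoul()` and rejecting a non-digit first character, trailing text and out-of-range values avoids that. The sketch shows the hour field only and needs `char *endp; unsigned long v;` among the locals and `UINT_MAX` from `<limits.h>`; `maxudp=` deserves the same treatment. parse_command_line starts and ends outside the hunk.

```c
			p = strtok(isc_commandline_argument + 11, "/");
			if (p == NULL)
				ns_main_earlyfatal("bad mkeytimer");
			/* strtoul() accepts a sign and stops at junk: check both. */
			v = strtoul(p, &endp, 10);
			if (*p < '0' || *p > '9' || *endp != '\0' ||
			    v == 0 || v > UINT_MAX / (24 * 30))
				ns_main_earlyfatal("bad mkeytimer");
			dns_zone_mkey_hour = (unsigned int)v;
			/* … day and month fields: same parsing, existing ordering checks kept … */
```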
@@ -568,12 +615,20 @@ parse_command_line(int argc, char *argv[]) {
printf("compiled by Solaris Studio %x\n", __SUNPRO_C);
#endif
#ifdef OPENSSL
- printf("using OpenSSL version: %s\n",
+ printf("compiled with OpenSSL version: %s\n",
OPENSSL_VERSION_TEXT);
+#ifndef WIN32
+ printf("linked to OpenSSL version: %s\n",
+ SSLeay_version(SSLEAY_VERSION));
+#endif
#endif
#ifdef HAVE_LIBXML2
- printf("using libxml2 version: %s\n",
+ printf("compiled with libxml2 version: %s\n",
LIBXML_DOTTED_VERSION);
+#ifndef WIN32
+ printf("linked to libxml2 version: %s\n",
+ xmlParserVersion);
+#endif
#endif
exit(0);
case 'F':
@@ -1080,6 +1135,10 @@ main(int argc, char *argv[]) {
char *instance = NULL;
#endif
+#ifdef HAVE_GPERFTOOLS_PROFILER
+ (void) ProfilerStart(NULL);
+#endif
+
/*
* Record version in core image.
* strings named.core | grep "named version:"
@@ -1196,5 +1255,9 @@ main(int argc, char *argv[]) {
ns_os_shutdown();
+#ifdef HAVE_GPERFTOOLS_PROFILER
+ ProfilerStop();
+#endif
+
return (0);
}
diff --git a/bin/named/named.html b/bin/named/named.html
index 218639991fa6..0c1abf1894fb 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -261,7 +261,7 @@
</p>
</div>
<div class="refsect1" lang="en">
-<a name="id2544205"></a><h2>CONFIGURATION</h2>
+<a name="id2544137"></a><h2>CONFIGURATION</h2>
<p>
The <span><strong class="command">named</strong></span> configuration file is too complex
to describe in detail here. A complete description is provided
diff --git a/bin/named/query.c b/bin/named/query.c
index af8e5da8204d..706fdecd664d 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -614,6 +614,10 @@ ns_query_init(ns_client_t *client) {
client->query.timerset = ISC_FALSE;
client->query.rpz_st = NULL;
client->query.qname = NULL;
+ /*
+ * This mutex is destroyed when the client is destroyed in
+ * exit_check().
+ */
result = isc_mutex_init(&client->query.fetchlock);
if (result != ISC_R_SUCCESS)
return (result);
@@ -633,8 +637,10 @@ ns_query_init(ns_client_t *client) {
return (result);
}
result = query_newnamebuf(client);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
query_freefreeversions(client, ISC_TRUE);
+ DESTROYLOCK(&client->query.fetchlock);
+ }
return (result);
}
@@ -4731,6 +4737,8 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
DNS_RPZ_DONE_IPv4);
break;
case DNS_R_DELEGATION:
+ case DNS_R_DUPLICATE:
+ case DNS_R_DROP:
goto cleanup;
case DNS_R_EMPTYNAME:
case DNS_R_NXRRSET:
@@ -4749,12 +4757,13 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
case ISC_R_FAILURE:
rpz_rewrite_ns_skip(client, nsname, result,
DNS_RPZ_DEBUG_LEVEL3,
- "NS db_find() ");
+ " NS rpz_rrset_find() ");
continue;
default:
rpz_rewrite_ns_skip(client, nsname, result,
DNS_RPZ_INFO_LEVEL,
- "unrecognized NS db_find() ");
+ " unrecognized NS"
+ " rpz_rrset_find() ");
continue;
}
}
@@ -5453,7 +5462,7 @@ dns64_aaaaok(ns_client_t *client, dns_rdataset_t *rdataset,
* Only perform the update if the client is in the allow query acl and
* returning the update would not cause a DNSSEC validation failure.
*/
-static isc_boolean_t
+static isc_result_t
redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
dns_dbnode_t **nodep, dns_db_t **dbp, dns_dbversion_t **versionp,
dns_rdatatype_t qtype)
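Review bot: The comment above redirect() still only says when the update is performed; with the return type changed to `isc_result_t`, the results callers branch on should be listed there. Something like `Returns ISC_R_SUCCESS when redirect data replaced the answer, DNS_R_NXRRSET or DNS_R_NCACHENXRRSET when the redirect lookup found no records of the requested type, and ISC_R_NOTFOUND when no redirection applies.` would cover the return sites shown in the later hunks of this file. The start of that comment and the body of redirect() are outside this hunk.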
@@ -5472,7 +5481,7 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
CTRACE("redirect");
if (client->view->redirect == NULL)
- return (ISC_FALSE);
+ return (ISC_R_NOTFOUND);
dns_fixedname_init(&fixed);
found = dns_fixedname_name(&fixed);
@@ -5482,15 +5491,15 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
dns_clientinfo_init(&ci, client);
if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))
- return (ISC_FALSE);
+ return (ISC_R_NOTFOUND);
if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) {
if (rdataset->trust == dns_trust_secure)
- return (ISC_FALSE);
+ return (ISC_R_NOTFOUND);
if (rdataset->trust == dns_trust_ultimate &&
(rdataset->type == dns_rdatatype_nsec ||
rdataset->type == dns_rdatatype_nsec3))
- return (ISC_FALSE);
+ return (ISC_R_NOTFOUND);
if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
@@ -5501,7 +5510,7 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
if (type == dns_rdatatype_nsec ||
type == dns_rdatatype_nsec3 ||
type == dns_rdatatype_rrsig)
- return (ISC_FALSE);
+ return (ISC_R_NOTFOUND);
}
}
}
@@ -5510,16 +5519,16 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
dns_zone_getqueryacl(client->view->redirect),
ISC_TRUE);
if (result != ISC_R_SUCCESS)
- return (ISC_FALSE);
+ return (ISC_R_NOTFOUND);
result = dns_zone_getdb(client->view->redirect, &db);
if (result != ISC_R_SUCCESS)
- return (ISC_FALSE);
+ return (ISC_R_NOTFOUND);
dbversion = query_findversion(client, db);
if (dbversion == NULL) {
dns_db_detach(&db);
- return (ISC_FALSE);
+ return (ISC_R_NOTFOUND);
}
/*
@@ -5528,16 +5537,22 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
result = dns_db_findext(db, client->query.qname, dbversion->version,
qtype, 0, client->now, &node, found, &cm, &ci,
&trdataset, NULL);
- if (result != ISC_R_SUCCESS) {
+ if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (dns_rdataset_isassociated(&trdataset))
+ dns_rdataset_disassociate(&trdataset);
+ goto nxrrset;
+ } else if (result != ISC_R_SUCCESS) {
if (dns_rdataset_isassociated(&trdataset))
dns_rdataset_disassociate(&trdataset);
if (node != NULL)
dns_db_detachnode(db, &node);
dns_db_detach(&db);
- return (ISC_FALSE);
+ return (ISC_R_NOTFOUND);
}
- CTRACE("redirect: found data: done");
+ CTRACE("redirect: found data: done");
dns_name_copy(found, name, NULL);
if (dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset);
@@ -5545,6 +5560,7 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
dns_rdataset_clone(&trdataset, rdataset);
dns_rdataset_disassociate(&trdataset);
}
+ nxrrset:
if (*nodep != NULL)
dns_db_detachnode(*dbp, nodep);
dns_db_detach(dbp);
@@ -5557,7 +5573,7 @@ redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
NS_QUERYATTR_NOADDITIONAL);
- return (ISC_TRUE);
+ return (result);
}
/*
@@ -5584,7 +5600,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
int order;
isc_buffer_t *dbuf;
isc_buffer_t b;
- isc_result_t result, eresult;
+ isc_result_t result, eresult, tresult;
dns_fixedname_t fixed;
dns_fixedname_t wildcardname;
dns_dbversion_t *version, *zversion;
@@ -5599,6 +5615,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
int line = -1;
isc_boolean_t dns64_exclude, dns64;
isc_boolean_t nxrewrite = ISC_FALSE;
+ isc_boolean_t redirected = ISC_FALSE;
dns_clientinfomethods_t cm;
dns_clientinfo_t ci;
isc_boolean_t associated;
@@ -5785,7 +5802,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
dns_db_t *tdb = NULL;
dns_zone_t *tzone = NULL;
dns_dbversion_t *tversion = NULL;
- isc_result_t tresult;
tresult = query_getzonedb(client, client->query.qname, qtype,
DNS_GETDB_PARTIAL, &tzone, &tdb,
@@ -6275,8 +6291,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* We're authoritative for an ancestor of QNAME.
*/
if (!USECACHE(client) || !RECURSIONOK(client)) {
- dns_fixedname_t fixed;
-
dns_fixedname_init(&fixed);
dns_name_copy(fname,
dns_fixedname_name(&fixed), NULL);
@@ -6422,8 +6436,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
else
RECURSE_ERROR(result);
} else {
- dns_fixedname_t fixed;
-
dns_fixedname_init(&fixed);
dns_name_copy(fname,
dns_fixedname_name(&fixed), NULL);
@@ -6538,6 +6550,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* Look for a NSEC3 record if we don't have a NSEC record.
*/
nxrrset_rrsig:
+ if (redirected)
+ goto cleanup;
if (!dns_rdataset_isassociated(rdataset) &&
WANTDNSSEC(client)) {
if ((fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
@@ -6658,10 +6672,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
case DNS_R_NXDOMAIN:
INSIST(is_zone);
- if (!empty_wild &&
- redirect(client, fname, rdataset, &node, &db, &version,
- type))
- break;
+ if (!empty_wild) {
+ tresult = redirect(client, fname, rdataset, &node,
+ &db, &version, type);
+ if (tresult == ISC_R_SUCCESS)
+ break;
+ if (tresult == DNS_R_NXRRSET) {
+ redirected = ISC_TRUE;
+ goto iszone_nxrrset;
+ }
+ if (tresult == DNS_R_NCACHENXRRSET) {
+ redirected = ISC_TRUE;
+ is_zone = ISC_FALSE;
+ goto ncache_nxrrset;
+ }
+ }
if (dns_rdataset_isassociated(rdataset)) {
/*
* If we've got a NSEC record, we need to save the
@@ -6724,9 +6749,22 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
goto cleanup;
case DNS_R_NCACHENXDOMAIN:
- if (redirect(client, fname, rdataset, &node, &db, &version,
- type))
+ tresult = redirect(client, fname, rdataset, &node,
+ &db, &version, type);
+ if (tresult == ISC_R_SUCCESS)
break;
+ if (tresult == DNS_R_NXRRSET) {
+ redirected = ISC_TRUE;
+ is_zone = ISC_TRUE;
+ goto iszone_nxrrset;
+ }
+ if (tresult == DNS_R_NCACHENXRRSET) {
+ redirected = ISC_TRUE;
+ result = tresult;
+ goto ncache_nxrrset;
+ }
+ /* FALLTHROUGH */
+
case DNS_R_NCACHENXRRSET:
ncache_nxrrset:
INSIST(!is_zone);
diff --git a/bin/named/server.c b/bin/named/server.c
index 84e3ecf32108..84b4067bf400 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
-
/*! \file */
#include <config.h>
@@ -2017,16 +2015,19 @@ create_empty_zone(dns_zone_t *zone, dns_name_t *name, dns_view_t *view,
dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
dns_zone_setnotifytype(zone, dns_notifytype_no);
dns_zone_setdialup(zone, dns_dialuptype_no);
- if (view->queryacl)
+ if (view->queryacl != NULL)
dns_zone_setqueryacl(zone, view->queryacl);
else
dns_zone_clearqueryacl(zone);
- if (view->queryonacl)
+ if (view->queryonacl != NULL)
dns_zone_setqueryonacl(zone, view->queryonacl);
else
dns_zone_clearqueryonacl(zone);
dns_zone_clearupdateacl(zone);
- dns_zone_clearxfracl(zone);
+ if (view->transferacl != NULL)
+ dns_zone_setxfracl(zone, view->transferacl);
+ else
+ dns_zone_clearxfracl(zone);
CHECK(setquerystats(zone, view->mctx, statlevel));
if (db != NULL) {
@@ -2052,6 +2053,9 @@ create_empty_zone(dns_zone_t *zone, dns_name_t *name, dns_view_t *view,
dns_db_closeversion(db, &version, ISC_FALSE);
if (db != NULL)
dns_db_detach(&db);
+
+ INSIST(version == NULL);
+
return (result);
}
@@ -2423,7 +2427,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
result = ns_config_get(maps, "dns64", &obj);
if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") &&
strcmp(view->name, "_meta")) {
- const cfg_listelt_t *element;
isc_netaddr_t na, suffix, *sp;
unsigned int prefixlen;
const char *server, *contact;
@@ -2894,7 +2897,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
*/
{
const cfg_obj_t *peers = NULL;
- const cfg_listelt_t *element;
dns_peerlist_t *newpeers = NULL;
(void)ns_config_get(cfgmaps, "server", &peers);
@@ -2919,7 +2921,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
*/
{
const cfg_obj_t *rrsetorder = NULL;
- const cfg_listelt_t *element;
(void)ns_config_get(maps, "rrset-order", &rrsetorder);
CHECK(dns_order_create(mctx, &order));
@@ -3219,18 +3220,13 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
element != NULL;
element = cfg_list_next(element))
{
- const char *str;
- isc_buffer_t b;
dns_name_t *dlv;
obj = cfg_listelt_value(element);
- str = cfg_obj_asstring(cfg_tuple_get(obj,
- "trust-anchor"));
- isc_buffer_constinit(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
+ obj = cfg_tuple_get(obj, "trust-anchor");
dlv = dns_fixedname_name(&view->dlv_fixed);
- CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
- DNS_NAME_DOWNCASE, NULL));
+ CHECK(dns_name_fromstring(dlv, cfg_obj_asstring(obj),
+ DNS_NAME_DOWNCASE, NULL));
view->dlv = dns_fixedname_name(&view->dlv_fixed);
}
} else
@@ -3264,28 +3260,22 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
obj = NULL;
result = ns_config_get(maps, "root-delegation-only", &obj);
if (result == ISC_R_SUCCESS) {
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ const cfg_obj_t *exclude;
+
dns_view_setrootdelonly(view, ISC_TRUE);
- if (!cfg_obj_isvoid(obj)) {
- dns_fixedname_t fixed;
- dns_name_t *name;
- isc_buffer_t b;
- const char *str;
- const cfg_obj_t *exclude;
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element)) {
- exclude = cfg_listelt_value(element);
- str = cfg_obj_asstring(exclude);
- isc_buffer_constinit(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- CHECK(dns_name_fromtext(name, &b, dns_rootname,
- 0, NULL));
- CHECK(dns_view_excludedelegationonly(view,
- name));
- }
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element)) {
+ exclude = cfg_listelt_value(element);
+ CHECK(dns_name_fromstring(name,
+ cfg_obj_asstring(exclude),
+ 0, NULL));
+ CHECK(dns_view_excludedelegationonly(view, name));
}
} else
dns_view_setrootdelonly(view, ISC_FALSE);
@@ -3314,7 +3304,6 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
dns_fixedname_t fixed;
dns_name_t *name;
isc_buffer_t buffer;
- const char *str;
char server[DNS_NAME_FORMATSIZE + 1];
char contact[DNS_NAME_FORMATSIZE + 1];
const char *empty_dbtype[4] =
@@ -3328,11 +3317,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
obj = NULL;
result = ns_config_get(maps, "empty-server", &obj);
if (result == ISC_R_SUCCESS) {
- str = cfg_obj_asstring(obj);
- isc_buffer_constinit(&buffer, str, strlen(str));
- isc_buffer_add(&buffer, strlen(str));
- CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
- NULL));
+ CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj),
+ 0, NULL));
isc_buffer_init(&buffer, server, sizeof(server) - 1);
CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
server[isc_buffer_usedlength(&buffer)] = 0;
@@ -3343,11 +3329,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
obj = NULL;
result = ns_config_get(maps, "empty-contact", &obj);
if (result == ISC_R_SUCCESS) {
- str = cfg_obj_asstring(obj);
- isc_buffer_constinit(&buffer, str, strlen(str));
- isc_buffer_add(&buffer, strlen(str));
- CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
- NULL));
+ CHECK(dns_name_fromstring(name, cfg_obj_asstring(obj),
+ 0, NULL));
isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
contact[isc_buffer_usedlength(&buffer)] = 0;
@@ -3379,16 +3362,12 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
empty != NULL;
empty = empty_zones[++empty_zone])
{
- dns_forwarders_t *forwarders = NULL;
- dns_view_t *pview = NULL;
+ dns_forwarders_t *dnsforwarders = NULL;
- isc_buffer_constinit(&buffer, empty, strlen(empty));
- isc_buffer_add(&buffer, strlen(empty));
/*
* Look for zone on drop list.
*/
- CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
- NULL));
+ CHECK(dns_name_fromstring(name, empty, 0, NULL));
if (disablelist != NULL &&
on_disable_list(disablelist, name))
continue;
@@ -3407,9 +3386,9 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
* empty zone for it.
*/
result = dns_fwdtable_find(view->fwdtable, name,
- &forwarders);
+ &dnsforwarders);
if (result == ISC_R_SUCCESS &&
- forwarders->fwdpolicy == dns_fwdpolicy_only)
+ dnsforwarders->fwdpolicy == dns_fwdpolicy_only)
continue;
/*
@@ -3860,16 +3839,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
if (dns_name_equal(origin, dns_rootname)) {
const char *hintsfile = cfg_obj_asstring(fileobj);
- result = configure_hints(view, hintsfile);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER,
- ISC_LOG_ERROR,
- "could not configure root hints "
- "from '%s': %s", hintsfile,
- isc_result_totext(result));
- goto cleanup;
- }
+ CHECK(configure_hints(view, hintsfile));
+
/*
* Hint zones may also refer to delegation only points.
*/
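Review bot: The failure message that named the hints file and the result text is lost when the explicit branch is replaced by `CHECK(configure_hints(view, hintsfile));`. Unless configure_hints() or the cleanup path logs the failure itself (neither is visible here), an operator would see zone configuration fail with no indication that the root hints file was the cause. If nothing else reports it, keep the `isc_log_write()` call with `"could not configure root hints from '%s': %s"` before leaving through cleanup. configure_zone starts and ends outside the hunk.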
@@ -5158,10 +5129,11 @@ load_configuration(const char *filename, ns_server_t *server,
isc_portset_addrange(v4portset, udpport_low,
udpport_high);
}
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "using default UDP/IPv4 port range: [%d, %d]",
- udpport_low, udpport_high);
+ if (!ns_g_disable4)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "using default UDP/IPv4 port range: "
+ "[%d, %d]", udpport_low, udpport_high);
}
(void)ns_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
if (avoidv4ports != NULL)
@@ -5180,10 +5152,11 @@ load_configuration(const char *filename, ns_server_t *server,
isc_portset_addrange(v6portset, udpport_low,
udpport_high);
}
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "using default UDP/IPv6 port range: [%d, %d]",
- udpport_low, udpport_high);
+ if (!ns_g_disable6)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "using default UDP/IPv6 port range: "
+ "[%d, %d]", udpport_low, udpport_high);
}
(void)ns_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
if (avoidv6ports != NULL)
@@ -5684,7 +5657,6 @@ load_configuration(const char *filename, ns_server_t *server,
(void)cfg_map_get(logobj, "category",
&categories);
if (categories != NULL) {
- const cfg_listelt_t *element;
for (element = cfg_list_first(categories);
element != NULL;
element = cfg_list_next(element))
@@ -6650,7 +6622,7 @@ zone_from_args(ns_server_t *server, char *args, const char *zonetxt,
tresult = putstr(text, problem);
if (tresult == ISC_R_SUCCESS)
- putnull(text);
+ (void) putnull(text);
}
cleanup:
@@ -7397,7 +7369,7 @@ ns_server_validation(ns_server_t *server, char *args) {
continue;
result = dns_view_flushcache(view);
if (result != ISC_R_SUCCESS)
- goto out;
+ goto cleanup;
view->enablevalidation = enable;
changed = ISC_TRUE;
}
@@ -7405,7 +7377,7 @@ ns_server_validation(ns_server_t *server, char *args) {
result = ISC_R_SUCCESS;
else
result = ISC_R_FAILURE;
- out:
+ cleanup:
isc_task_endexclusive(server->task);
return (result);
}
@@ -7810,7 +7782,6 @@ list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
dns_name_t *origin;
dns_rbtnode_t *node;
dns_tsigkey_t *tkey;
- unsigned int n;
const char *viewname;
if (view != NULL)
@@ -7844,21 +7815,26 @@ list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
if (tkey->generated) {
dns_name_format(tkey->creator, creatorstr,
sizeof(creatorstr));
- n = snprintf((char *)isc_buffer_used(text),
- isc_buffer_availablelength(text),
- "view \"%s\"; type \"dynamic\"; key \"%s\"; creator \"%s\";\n",
- viewname, namestr, creatorstr);
+ if (*foundkeys != 0)
+ CHECK(putstr(text, "\n"));
+ CHECK(putstr(text, "view \""));
+ CHECK(putstr(text, viewname));
+ CHECK(putstr(text,
+ "\"; type \"dynamic\"; key \""));
+ CHECK(putstr(text, namestr));
+ CHECK(putstr(text, "\"; creator \""));
+ CHECK(putstr(text, creatorstr));
+ CHECK(putstr(text, "\";"));
} else {
- n = snprintf((char *)isc_buffer_used(text),
- isc_buffer_availablelength(text),
- "view \"%s\"; type \"static\"; key \"%s\";\n",
- viewname, namestr);
+ if (*foundkeys != 0)
+ CHECK(putstr(text, "\n"));
+ CHECK(putstr(text, "view \""));
+ CHECK(putstr(text, viewname));
+ CHECK(putstr(text,
+ "\"; type \"static\"; key \""));
+ CHECK(putstr(text, namestr));
+ CHECK(putstr(text, "\";"));
}
- if (n >= isc_buffer_availablelength(text)) {
- dns_rbtnodechain_invalidate(&chain);
- return (ISC_R_NOSPACE);
- }
- isc_buffer_add(text, n);
}
result = dns_rbtnodechain_next(&chain, &foundname, origin);
if (result == ISC_R_NOMORE)
@@ -7870,12 +7846,14 @@ list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
}
return (ISC_R_SUCCESS);
+
+cleanup:
+ return (result);
}
isc_result_t
ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
isc_result_t result;
- unsigned int n;
dns_view_t *view;
unsigned int foundkeys = 0;
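Review bot: The new `cleanup:` label in list_keynames only does `return (result);`, whereas the snprintf path removed in the preceding hunk called `dns_rbtnodechain_invalidate(&chain)` before returning ISC_R_NOSPACE. The `CHECK(putstr(...))` calls added there presumably jump to this label, so the error exit no longer invalidates the chain. If the other exits of list_keynames (outside these hunks) still do so, the error path should match: `cleanup: dns_rbtnodechain_invalidate(&chain); return (result);`.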
@@ -7903,16 +7881,16 @@ ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
}
isc_task_endexclusive(server->task);
- if (foundkeys == 0) {
- n = snprintf((char *)isc_buffer_used(text),
- isc_buffer_availablelength(text),
- "no tsig keys found.\n");
- if (n >= isc_buffer_availablelength(text))
- return (ISC_R_NOSPACE);
- isc_buffer_add(text, n);
- }
+ if (foundkeys == 0)
+ CHECK(putstr(text, "no tsig keys found."));
+
+ if (isc_buffer_usedlength(text) > 0)
+ CHECK(putnull(text));
return (ISC_R_SUCCESS);
+
+ cleanup:
+ return (result);
}
/*
@@ -8575,6 +8553,16 @@ ns_server_del_zone(ns_server_t *server, char *args, isc_buffer_t *text) {
result = isc_stdio_read(buf, 1, 1024, ifp, &n);
}
+ /*
+ * Close files before overwriting the nzfile
+ * with the temporary file as it's necessary on
+ * some platforms (win32).
+ */
+ (void) isc_stdio_close(ifp);
+ ifp = NULL;
+ (void) isc_stdio_close(ofp);
+ ofp = NULL;
+
/* Move temporary into place */
CHECK(isc_file_rename(tmpname, view->new_zone_file));
} else {
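Review bot: `(void) isc_stdio_close(ofp);` discards the result of closing the temporary file immediately before it is renamed over `view->new_zone_file`. If buffered data fails to reach disk at close time, the rename would still replace the zone list with an incomplete file. Checking the result keeps the original in place: `result = isc_stdio_close(ofp); ofp = NULL; if (result != ISC_R_SUCCESS) goto cleanup;`, assuming `cleanup` is the label CHECK() uses. ns_server_del_zone starts and ends outside the hunk.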
@@ -8605,12 +8593,12 @@ ns_server_del_zone(ns_server_t *server, char *args, isc_buffer_t *text) {
putnull(text);
if (ifp != NULL)
isc_stdio_close(ifp);
- if (ofp != NULL) {
+ if (ofp != NULL)
isc_stdio_close(ofp);
+ if (tmpname != NULL) {
isc_file_remove(tmpname);
- }
- if (tmpname != NULL)
isc_mem_free(server->mctx, tmpname);
+ }
if (zone != NULL)
dns_zone_detach(&zone);
@@ -8656,7 +8644,7 @@ ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) {
isc_boolean_t first = ISC_TRUE;
isc_boolean_t list = ISC_FALSE, clear = ISC_FALSE;
isc_boolean_t chain = ISC_FALSE;
- char keystr[DNS_SECALG_FORMATSIZE + 7];
+ char keystr[DNS_SECALG_FORMATSIZE + 7]; /* <5-digit keyid>/<alg> */
unsigned short hash = 0, flags = 0, iter = 0, saltlen = 0;
unsigned char salt[255];
const char *ptr;
@@ -8682,7 +8670,7 @@ ns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) {
ptr = next_token(&args, " \t");
if (ptr == NULL)
return (ISC_R_UNEXPECTEDEND);
- memmove(keystr, ptr, sizeof(keystr));
+ strlcpy(keystr, ptr, sizeof(keystr));
} else if (strcasecmp(ptr, "-nsec3param") == 0) {
const char *hashstr, *flagstr, *iterstr;
char nbuf[512];
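Review bot: The return value of `strlcpy(keystr, ptr, sizeof(keystr))` is ignored, so a token longer than the `<5-digit keyid>/<alg>` form is silently truncated and then processed as if it were a valid key. The call does fix the fixed-size read of the old memmove, but the token comes from the command's `args`, so I would reject an overlong one: `if (strlcpy(keystr, ptr, sizeof(keystr)) >= sizeof(keystr)) return (ISC_R_NOSPACE);`, or whichever result code this command uses for malformed input. ns_server_signing() continues outside this hunk, so check how `keystr` is parsed later before choosing the error.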
diff --git a/bin/named/update.c b/bin/named/update.c
index 01e3c58de573..a526b02a1024 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -3239,6 +3239,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
uev->ev_type = DNS_EVENT_UPDATEDONE;
uev->ev_action = updatedone_action;
isc_task_send(client->task, &event);
+
+ INSIST(ver == NULL);
INSIST(event == NULL);
}
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index b3839762d336..5b473d1b2951 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
-
/*% */
#include <config.h>
@@ -710,6 +708,8 @@ configure_staticstub(const cfg_obj_t *zconfig, dns_zone_t *zone,
}
}
+ INSIST(dbversion == NULL);
+
return (result);
}
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index b77938d080f7..a68b00e0b9d7 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
-
/*! \file */
#include <config.h>
@@ -140,8 +138,8 @@ static isc_boolean_t local_only = ISC_FALSE;
static isc_taskmgr_t *taskmgr = NULL;
static isc_task_t *global_task = NULL;
static isc_event_t *global_event = NULL;
-static isc_log_t *lctx = NULL;
-static isc_mem_t *mctx = NULL;
+static isc_log_t *glctx = NULL;
+static isc_mem_t *gmctx = NULL;
static dns_dispatchmgr_t *dispatchmgr = NULL;
static dns_requestmgr_t *requestmgr = NULL;
static isc_socketmgr_t *socketmgr = NULL;
@@ -151,7 +149,7 @@ static dns_dispatch_t *dispatchv6 = NULL;
static dns_message_t *updatemsg = NULL;
static dns_fixedname_t fuserzone;
static dns_name_t *userzone = NULL;
-static dns_name_t *zonename = NULL;
+static dns_name_t *zname = NULL;
static dns_name_t tmpzonename;
static dns_name_t restart_master;
static dns_tsig_keyring_t *gssring = NULL;
@@ -160,10 +158,14 @@ static dst_key_t *sig0key = NULL;
static lwres_context_t *lwctx = NULL;
static lwres_conf_t *lwconf;
static isc_sockaddr_t *servers = NULL;
+static isc_sockaddr_t *master_servers = NULL;
static isc_boolean_t default_servers = ISC_TRUE;
static int ns_inuse = 0;
+static int master_inuse = 0;
static int ns_total = 0;
-static isc_sockaddr_t *localaddr = NULL;
+static int master_total = 0;
+static isc_sockaddr_t *localaddr4 = NULL;
+static isc_sockaddr_t *localaddr6 = NULL;
static const char *keyfile = NULL;
static char *keystr = NULL;
static isc_entropy_t *entropy = NULL;
@@ -189,8 +191,10 @@ typedef struct nsu_requestinfo {
} nsu_requestinfo_t;
static void
-sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- dns_message_t *msg, dns_request_t **request);
+sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
+ dns_request_t **request);
+static void
+send_update(dns_name_t *zonename, isc_sockaddr_t *master);
ISC_PLATFORM_NORETURN_PRE static void
fatal(const char *format, ...)
@@ -217,9 +221,8 @@ typedef struct nsu_gssinfo {
static void
start_gssrequest(dns_name_t *master);
static void
-send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- dns_message_t *msg, dns_request_t **request,
- gss_ctx_id_t context);
+send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
+ dns_request_t **request, gss_ctx_id_t context);
static void
recvgss(isc_task_t *task, isc_event_t *event);
#endif /* GSSAPI */
@@ -243,8 +246,7 @@ struct entropysource {
static ISC_LIST(entropysource_t) sources;
static void
-setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx)
-{
+setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
isc_result_t result;
isc_entropysource_t *source = NULL;
entropysource_t *elt;
@@ -294,6 +296,16 @@ cleanup_entropy(isc_entropy_t **ectx) {
isc_entropy_detach(ectx);
}
+static void
+master_from_servers(void) {
+
+ if (master_servers != NULL && master_servers != servers)
+ isc_mem_put(gmctx, master_servers,
+ master_total * sizeof(isc_sockaddr_t));
+ master_servers = servers;
+ master_total = ns_total;
+ master_inuse = ns_inuse;
+}
static dns_rdataclass_t
getzoneclass(void) {
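Review bot: master_from_servers() makes `master_servers` an alias of `servers`, and no comment says so, although every free of either array depends on it. I would add a comment above the function, e.g. `/* master_servers may alias servers; free it only when the pointers differ, and clear it before servers is freed. */`. The guard `if (master_servers != NULL && master_servers != servers) isc_mem_put(...)` is repeated in doshutdown() and recvsoa(), so a small static helper would keep the three copies in step. In doshutdown() the alias is left pointing at freed memory when the two pointers are equal, which setup_system() and evaluate_server() avoid by setting `master_servers = NULL` first.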
@@ -416,7 +428,7 @@ reset_system(void) {
if (updatemsg != NULL)
dns_message_reset(updatemsg, DNS_MESSAGE_INTENTRENDER);
else {
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
+ result = dns_message_create(gmctx, DNS_MESSAGE_INTENTRENDER,
&updatemsg);
check_result(result, "dns_message_create");
}
@@ -521,13 +533,13 @@ setup_keystr(void) {
char *secretstr;
char *s, *n;
dns_fixedname_t fkeyname;
- dns_name_t *keyname;
+ dns_name_t *mykeyname;
char *name;
dns_name_t *hmacname = NULL;
isc_uint16_t digestbits = 0;
dns_fixedname_init(&fkeyname);
- keyname = dns_fixedname_name(&fkeyname);
+ mykeyname = dns_fixedname_name(&fkeyname);
debug("Creating key...");
@@ -552,11 +564,12 @@ setup_keystr(void) {
isc_buffer_add(&keynamesrc, (unsigned int)(n - name));
debug("namefromtext");
- result = dns_name_fromtext(keyname, &keynamesrc, dns_rootname, 0, NULL);
+ result = dns_name_fromtext(mykeyname, &keynamesrc, dns_rootname, 0,
+ NULL);
check_result(result, "dns_name_fromtext");
secretlen = strlen(secretstr) * 3 / 4;
- secret = isc_mem_allocate(mctx, secretlen);
+ secret = isc_mem_allocate(gmctx, secretlen);
if (secret == NULL)
fatal("out of memory");
@@ -571,8 +584,8 @@ setup_keystr(void) {
secretlen = isc_buffer_usedlength(&secretbuf);
debug("keycreate");
- result = dns_tsigkey_create(keyname, hmacname, secret, secretlen,
- ISC_FALSE, NULL, 0, 0, mctx, NULL,
+ result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen,
+ ISC_FALSE, NULL, 0, 0, gmctx, NULL,
&tsigkey);
if (result != ISC_R_SUCCESS)
fprintf(stderr, "could not create key from %s: %s\n",
@@ -581,7 +594,7 @@ setup_keystr(void) {
dst_key_setbits(tsigkey->key, digestbits);
failure:
if (secret != NULL)
- isc_mem_free(mctx, secret);
+ isc_mem_free(gmctx, secret);
}
/*
@@ -594,7 +607,7 @@ read_sessionkey(isc_mem_t *mctx, isc_log_t *lctx) {
const cfg_obj_t *key = NULL;
const cfg_obj_t *secretobj = NULL;
const cfg_obj_t *algorithmobj = NULL;
- const char *keyname;
+ const char *mykeyname;
const char *secretstr;
const char *algorithm;
isc_result_t result;
@@ -621,13 +634,13 @@ read_sessionkey(isc_mem_t *mctx, isc_log_t *lctx) {
if (secretobj == NULL || algorithmobj == NULL)
fatal("key must have algorithm and secret");
- keyname = cfg_obj_asstring(cfg_map_getname(key));
+ mykeyname = cfg_obj_asstring(cfg_map_getname(key));
secretstr = cfg_obj_asstring(secretobj);
algorithm = cfg_obj_asstring(algorithmobj);
- len = strlen(algorithm) + strlen(keyname) + strlen(secretstr) + 3;
+ len = strlen(algorithm) + strlen(mykeyname) + strlen(secretstr) + 3;
keystr = isc_mem_allocate(mctx, len);
- snprintf(keystr, len, "%s:%s:%s", algorithm, keyname, secretstr);
+ snprintf(keystr, len, "%s:%s:%s", algorithm, mykeyname, secretstr);
setup_keystr();
cleanup:
@@ -714,11 +727,23 @@ static void
doshutdown(void) {
isc_task_detach(&global_task);
+ /*
+ * The isc_mem_put of master_servers must be before the
+ * isc_mem_put of servers as it sets the servers pointer
+ * to NULL.
+ */
+ if (master_servers != NULL && master_servers != servers)
+ isc_mem_put(gmctx, master_servers,
+ master_total * sizeof(isc_sockaddr_t));
+
if (servers != NULL)
- isc_mem_put(mctx, servers, ns_total * sizeof(isc_sockaddr_t));
+ isc_mem_put(gmctx, servers, ns_total * sizeof(isc_sockaddr_t));
- if (localaddr != NULL)
- isc_mem_put(mctx, localaddr, sizeof(isc_sockaddr_t));
+ if (localaddr4 != NULL)
+ isc_mem_put(gmctx, localaddr4, sizeof(isc_sockaddr_t));
+
+ if (localaddr6 != NULL)
+ isc_mem_put(gmctx, localaddr6, sizeof(isc_sockaddr_t));
if (tsigkey != NULL) {
ddebug("Freeing TSIG key");
@@ -805,25 +830,31 @@ setup_system(void) {
if (!have_ipv4 && !have_ipv6)
fatal("could not find either IPv4 or IPv6");
- result = isc_log_create(mctx, &lctx, &logconfig);
+ result = isc_log_create(gmctx, &glctx, &logconfig);
check_result(result, "isc_log_create");
- isc_log_setcontext(lctx);
- dns_log_init(lctx);
- dns_log_setcontext(lctx);
+ isc_log_setcontext(glctx);
+ dns_log_init(glctx);
+ dns_log_setcontext(glctx);
result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
check_result(result, "isc_log_usechannel");
- isc_log_setdebuglevel(lctx, logdebuglevel);
+ isc_log_setdebuglevel(glctx, logdebuglevel);
- lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
+ lwresult = lwres_context_create(&lwctx, gmctx, mem_alloc, mem_free, 1);
if (lwresult != LWRES_R_SUCCESS)
fatal("lwres_context_create failed");
(void)lwres_conf_parse(lwctx, RESOLV_CONF);
lwconf = lwres_conf_get(lwctx);
+ if (servers != NULL) {
+ if (master_servers == servers)
+ master_servers = NULL;
+ isc_mem_put(gmctx, servers, ns_total * sizeof(isc_sockaddr_t));
+ }
+
ns_inuse = 0;
if (local_only || lwconf->nsnext <= 0) {
struct in_addr in;
@@ -832,14 +863,10 @@ setup_system(void) {
if (local_only && keyfile == NULL)
keyfile = SESSION_KEYFILE;
- default_servers = ISC_FALSE;
-
- if (servers != NULL)
- isc_mem_put(mctx, servers,
- ns_total * sizeof(isc_sockaddr_t));
+ default_servers = !local_only;
ns_total = (have_ipv4 ? 1 : 0) + (have_ipv6 ? 1 : 0);
- servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
+ servers = isc_mem_get(gmctx, ns_total * sizeof(isc_sockaddr_t));
if (servers == NULL)
fatal("out of memory");
@@ -855,7 +882,7 @@ setup_system(void) {
}
} else {
ns_total = lwconf->nsnext;
- servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
+ servers = isc_mem_get(gmctx, ns_total * sizeof(isc_sockaddr_t));
if (servers == NULL)
fatal("out of memory");
for (i = 0; i < ns_total; i++) {
@@ -876,22 +903,22 @@ setup_system(void) {
}
}
- setup_entropy(mctx, NULL, &entropy);
+ setup_entropy(gmctx, NULL, &entropy);
- result = isc_hash_create(mctx, entropy, DNS_NAME_MAXWIRE);
+ result = isc_hash_create(gmctx, entropy, DNS_NAME_MAXWIRE);
check_result(result, "isc_hash_create");
isc_hash_init();
- result = dns_dispatchmgr_create(mctx, entropy, &dispatchmgr);
+ result = dns_dispatchmgr_create(gmctx, entropy, &dispatchmgr);
check_result(result, "dns_dispatchmgr_create");
- result = isc_socketmgr_create(mctx, &socketmgr);
+ result = isc_socketmgr_create(gmctx, &socketmgr);
check_result(result, "dns_socketmgr_create");
- result = isc_timermgr_create(mctx, &timermgr);
+ result = isc_timermgr_create(gmctx, &timermgr);
check_result(result, "dns_timermgr_create");
- result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
+ result = isc_taskmgr_create(gmctx, 1, 0, &taskmgr);
check_result(result, "isc_taskmgr_create");
result = isc_task_create(taskmgr, 0, &global_task);
@@ -900,7 +927,7 @@ setup_system(void) {
result = isc_task_onshutdown(global_task, shutdown_program, NULL);
check_result(result, "isc_task_onshutdown");
- result = dst_lib_init(mctx, entropy, 0);
+ result = dst_lib_init(gmctx, entropy, 0);
check_result(result, "dst_lib_init");
is_dst_up = ISC_TRUE;
@@ -931,7 +958,7 @@ setup_system(void) {
check_result(result, "dns_dispatch_getudp (v4)");
}
- result = dns_requestmgr_create(mctx, timermgr,
+ result = dns_requestmgr_create(gmctx, timermgr,
socketmgr, taskmgr, dispatchmgr,
dispatchv4, dispatchv6, &requestmgr);
check_result(result, "dns_requestmgr_create");
@@ -939,12 +966,12 @@ setup_system(void) {
if (keystr != NULL)
setup_keystr();
else if (local_only) {
- result = read_sessionkey(mctx, lctx);
+ result = read_sessionkey(gmctx, glctx);
if (result != ISC_R_SUCCESS)
fatal("can't read key from %s: %s\n",
keyfile, isc_result_totext(result));
} else if (keyfile != NULL)
- setup_keyfile(mctx, lctx);
+ setup_keyfile(gmctx, glctx);
}
static void
@@ -1154,7 +1181,7 @@ parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) {
result = dns_message_gettempname(msg, namep);
check_result(result, "dns_message_gettempname");
- result = isc_buffer_allocate(mctx, &namebuf, DNS_NAME_MAXWIRE);
+ result = isc_buffer_allocate(gmctx, &namebuf, DNS_NAME_MAXWIRE);
check_result(result, "isc_buffer_allocate");
dns_name_init(*namep, NULL);
dns_name_setbuffer(*namep, namebuf);
@@ -1189,21 +1216,21 @@ parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass,
if (*cmdline != 0) {
dns_rdatacallbacks_init(&callbacks);
- result = isc_lex_create(mctx, strlen(cmdline), &lex);
+ result = isc_lex_create(gmctx, strlen(cmdline), &lex);
check_result(result, "isc_lex_create");
isc_buffer_init(&source, cmdline, strlen(cmdline));
isc_buffer_add(&source, strlen(cmdline));
result = isc_lex_openbuffer(lex, &source);
check_result(result, "isc_lex_openbuffer");
- result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
+ result = isc_buffer_allocate(gmctx, &buf, MAXWIRE);
check_result(result, "isc_buffer_allocate");
result = dns_rdata_fromtext(NULL, rdataclass, rdatatype, lex,
- dns_rootname, 0, mctx, buf,
+ dns_rootname, 0, gmctx, buf,
&callbacks);
isc_lex_destroy(&lex);
if (result == ISC_R_SUCCESS) {
isc_buffer_usedregion(buf, &r);
- result = isc_buffer_allocate(mctx, &newbuf, r.length);
+ result = isc_buffer_allocate(gmctx, &newbuf, r.length);
check_result(result, "isc_buffer_allocate");
isc_buffer_putmem(newbuf, r.base, r.length);
isc_buffer_usedregion(newbuf, &r);
@@ -1396,13 +1423,17 @@ evaluate_server(char *cmdline) {
}
}
- if (servers != NULL)
- isc_mem_put(mctx, servers, ns_total * sizeof(isc_sockaddr_t));
+ if (servers != NULL) {
+ if (master_servers == servers)
+ master_servers = NULL;
+ isc_mem_put(gmctx, servers, ns_total * sizeof(isc_sockaddr_t));
+ }
default_servers = ISC_FALSE;
ns_total = MAX_SERVERADDRS;
- servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
+ ns_inuse = 0;
+ servers = isc_mem_get(gmctx, ns_total * sizeof(isc_sockaddr_t));
if (servers == NULL)
fatal("out of memory");
@@ -1442,17 +1473,19 @@ evaluate_local(char *cmdline) {
}
}
- if (localaddr == NULL) {
- localaddr = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
- if (localaddr == NULL)
+ if (have_ipv6 && inet_pton(AF_INET6, local, &in6) == 1) {
+ if (localaddr6 == NULL)
+ localaddr6 = isc_mem_get(gmctx, sizeof(isc_sockaddr_t));
+ if (localaddr6 == NULL)
fatal("out of memory");
- }
-
- if (have_ipv6 && inet_pton(AF_INET6, local, &in6) == 1)
- isc_sockaddr_fromin6(localaddr, &in6, (in_port_t)port);
- else if (have_ipv4 && inet_pton(AF_INET, local, &in4) == 1)
- isc_sockaddr_fromin(localaddr, &in4, (in_port_t)port);
- else {
+ isc_sockaddr_fromin6(localaddr6, &in6, (in_port_t)port);
+ } else if (have_ipv4 && inet_pton(AF_INET, local, &in4) == 1) {
+ if (localaddr4 == NULL)
+ localaddr4 = isc_mem_get(gmctx, sizeof(isc_sockaddr_t));
+ if (localaddr4 == NULL)
+ fatal("out of memory");
+ isc_sockaddr_fromin(localaddr4, &in4, (in_port_t)port);
+ } else {
fprintf(stderr, "invalid address %s", local);
return (STATUS_SYNTAX);
}
@@ -1467,7 +1500,7 @@ evaluate_key(char *cmdline) {
isc_buffer_t b;
isc_result_t result;
dns_fixedname_t fkeyname;
- dns_name_t *keyname;
+ dns_name_t *mykeyname;
int secretlen;
unsigned char *secret = NULL;
isc_buffer_t secretbuf;
@@ -1482,7 +1515,7 @@ evaluate_key(char *cmdline) {
}
dns_fixedname_init(&fkeyname);
- keyname = dns_fixedname_name(&fkeyname);
+ mykeyname = dns_fixedname_name(&fkeyname);
n = strchr(namestr, ':');
if (n != NULL) {
@@ -1493,7 +1526,7 @@ evaluate_key(char *cmdline) {
isc_buffer_init(&b, namestr, strlen(namestr));
isc_buffer_add(&b, strlen(namestr));
- result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
+ result = dns_name_fromtext(mykeyname, &b, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not parse key name\n");
return (STATUS_SYNTAX);
@@ -1505,7 +1538,7 @@ evaluate_key(char *cmdline) {
return (STATUS_SYNTAX);
}
secretlen = strlen(secretstr) * 3 / 4;
- secret = isc_mem_allocate(mctx, secretlen);
+ secret = isc_mem_allocate(gmctx, secretlen);
if (secret == NULL)
fatal("out of memory");
@@ -1514,17 +1547,17 @@ evaluate_key(char *cmdline) {
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not create key from %s: %s\n",
secretstr, isc_result_totext(result));
- isc_mem_free(mctx, secret);
+ isc_mem_free(gmctx, secret);
return (STATUS_SYNTAX);
}
secretlen = isc_buffer_usedlength(&secretbuf);
if (tsigkey != NULL)
dns_tsigkey_detach(&tsigkey);
- result = dns_tsigkey_create(keyname, hmacname, secret, secretlen,
- ISC_FALSE, NULL, 0, 0, mctx, NULL,
+ result = dns_tsigkey_create(mykeyname, hmacname, secret, secretlen,
+ ISC_FALSE, NULL, 0, 0, gmctx, NULL,
&tsigkey);
- isc_mem_free(mctx, secret);
+ isc_mem_free(gmctx, secret);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "could not create key from %s %s: %s\n",
namestr, secretstr, dns_result_totext(result));
@@ -1568,7 +1601,7 @@ evaluate_realm(char *cmdline) {
int n;
if (realm != NULL) {
- isc_mem_free(mctx, realm);
+ isc_mem_free(gmctx, realm);
realm = NULL;
}
@@ -1579,7 +1612,7 @@ evaluate_realm(char *cmdline) {
n = snprintf(buf, sizeof(buf), "@%s", word);
if (n < 0 || (size_t)n >= sizeof(buf))
fatal("realm is too long");
- realm = isc_mem_strdup(mctx, buf);
+ realm = isc_mem_strdup(gmctx, buf);
if (realm == NULL)
fatal("out of memory");
return (STATUS_MORE);
@@ -1904,7 +1937,7 @@ show_message(FILE *stream, dns_message_t *msg, const char *description) {
}
if (buf != NULL)
isc_buffer_free(&buf);
- result = isc_buffer_allocate(mctx, &buf, bufsz);
+ result = isc_buffer_allocate(gmctx, &buf, bufsz);
check_result(result, "isc_buffer_allocate");
result = dns_message_totext(msg, style, 0, buf);
bufsz *= 2;
@@ -2117,6 +2150,19 @@ check_tsig_error(dns_rdataset_t *rdataset, isc_buffer_t *b) {
}
}
+static isc_boolean_t
+next_master(const char *caller, isc_sockaddr_t *addr, isc_result_t eresult) {
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+ isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+ fprintf(stderr, "; Communication with %s failed: %s\n",
+ addrbuf, isc_result_totext(eresult));
+ if (++master_inuse >= master_total)
+ return (ISC_FALSE);
+ ddebug("%s: trying next server", caller);
+ return (ISC_TRUE);
+}
+
static void
update_completed(isc_task_t *task, isc_event_t *event) {
dns_requestevent_t *reqev = NULL;
@@ -2141,13 +2187,22 @@ update_completed(isc_task_t *task, isc_event_t *event) {
}
if (reqev->result != ISC_R_SUCCESS) {
- fprintf(stderr, "; Communication with server failed: %s\n",
- isc_result_totext(reqev->result));
- seenerror = ISC_TRUE;
- goto done;
+ if (!next_master("recvsoa", &master_servers[master_inuse],
+ reqev->result)) {
+ seenerror = ISC_TRUE;
+ goto done;
+ }
+
+ ddebug("Destroying request [%p]", request);
+ dns_request_destroy(&request);
+ dns_message_renderreset(updatemsg);
+ dns_message_settsigkey(updatemsg, NULL);
+ send_update(zname, &master_servers[master_inuse]);
+ isc_event_free(&event);
+ return;
}
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &answer);
+ result = dns_message_create(gmctx, DNS_MESSAGE_INTENTPARSE, &answer);
check_result(result, "dns_message_create");
result = dns_request_getresponse(request, answer,
DNS_MESSAGEPARSE_PRESERVEORDER);
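Review bot: The caller label passed to next_master() here is `"recvsoa"`, but this code is in update_completed(), so the `trying next server` debug line will name the wrong function. It should read `next_master("update_completed", &master_servers[master_inuse], reqev->result)`. The retry path also returns without calling done_update(), which looks intentional since a new request is in flight. A one-line comment such as `/* retry with the next master; the new request reports completion */` would make that explicit. update_completed() starts and ends outside this hunk.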
@@ -2201,24 +2256,23 @@ update_completed(isc_task_t *task, isc_event_t *event) {
done:
dns_request_destroy(&request);
if (usegsstsig) {
- dns_name_free(&tmpzonename, mctx);
- dns_name_free(&restart_master, mctx);
+ dns_name_free(&tmpzonename, gmctx);
+ dns_name_free(&restart_master, gmctx);
}
isc_event_free(&event);
done_update();
}
static void
-send_update(dns_name_t *zonename, isc_sockaddr_t *master,
- isc_sockaddr_t *srcaddr)
-{
+send_update(dns_name_t *zone, isc_sockaddr_t *master) {
isc_result_t result;
dns_request_t *request = NULL;
unsigned int options = DNS_REQUESTOPT_CASE;
+ isc_sockaddr_t *srcaddr;
ddebug("send_update()");
- setzone(zonename);
+ setzone(zone);
if (usevc)
options |= DNS_REQUESTOPT_TCP;
@@ -2233,6 +2287,11 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
fprintf(stderr, "Sending update to %s\n", addrbuf);
}
+ if (isc_sockaddr_pf(master) == AF_INET6)
+ srcaddr = localaddr6;
+ else
+ srcaddr = localaddr4;
+
/* Windows doesn't like the tsig name to be compressed. */
if (updatemsg->tsigname)
updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
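Review bot: The source-address choice added here is repeated verbatim in recvsoa(), sendrequest() and send_gssrequest(), and each copy treats every family other than AF_INET6 as IPv4. A single static helper would keep the four sites consistent and give one place to decide what to do with an unexpected address family. send_update() continues outside this hunk.

```c
/* Pick the configured local address matching the destination's family. */
static isc_sockaddr_t *
source_for(isc_sockaddr_t *destaddr) {
	if (isc_sockaddr_pf(destaddr) == AF_INET6)
		return (localaddr6);
	return (localaddr4);
}

/* ... unchanged: send_update() up to the "Sending update to" message ... */
	srcaddr = source_for(master);
```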
@@ -2278,6 +2337,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
nsu_requestinfo_t *reqinfo;
dns_message_t *soaquery = NULL;
isc_sockaddr_t *addr;
+ isc_sockaddr_t *srcaddr;
isc_boolean_t seencname = ISC_FALSE;
dns_name_t tname;
unsigned int nlabels;
@@ -2299,7 +2359,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
if (shuttingdown) {
dns_request_destroy(&request);
dns_message_destroy(&soaquery);
- isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
+ isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t));
isc_event_free(&event);
maybeshutdown();
return;
@@ -2311,20 +2371,20 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
dns_request_destroy(&request);
dns_message_renderreset(soaquery);
dns_message_settsigkey(soaquery, NULL);
- sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
- isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
+ sendrequest(&servers[ns_inuse], soaquery, &request);
+ isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t));
isc_event_free(&event);
setzoneclass(dns_rdataclass_none);
return;
}
- isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
+ isc_mem_put(gmctx, reqinfo, sizeof(nsu_requestinfo_t));
reqinfo = NULL;
isc_event_free(&event);
reqev = NULL;
ddebug("About to create rcvmsg");
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+ result = dns_message_create(gmctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
check_result(result, "dns_message_create");
result = dns_request_getresponse(request, rcvmsg,
DNS_MESSAGEPARSE_PRESERVEORDER);
@@ -2332,15 +2392,21 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
dns_message_destroy(&rcvmsg);
ddebug("Destroying request [%p]", request);
dns_request_destroy(&request);
- reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t));
+ reqinfo = isc_mem_get(gmctx, sizeof(nsu_requestinfo_t));
if (reqinfo == NULL)
fatal("out of memory");
reqinfo->msg = soaquery;
reqinfo->addr = addr;
dns_message_renderreset(soaquery);
ddebug("retrying soa request without TSIG");
- result = dns_request_createvia3(requestmgr, soaquery,
- localaddr, addr, 0, NULL,
+
+ if (isc_sockaddr_pf(addr) == AF_INET6)
+ srcaddr = localaddr6;
+ else
+ srcaddr = localaddr4;
+
+ result = dns_request_createvia3(requestmgr, soaquery, srcaddr,
+ addr, 0, NULL,
FIND_TIMEOUT * 20,
FIND_TIMEOUT, 3,
global_task, recvsoa, reqinfo,
@@ -2434,9 +2500,9 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
dns_name_clone(&soa.origin, &master);
if (userzone != NULL)
- zonename = userzone;
+ zname = userzone;
else
- zonename = name;
+ zname = name;
if (debugging) {
char namestr[DNS_NAME_FORMATSIZE];
@@ -2444,38 +2510,45 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
fprintf(stderr, "The master is: %s\n", namestr);
}
- if (servers == NULL) {
+ if (default_servers) {
char serverstr[DNS_NAME_MAXTEXT+1];
isc_buffer_t buf;
+ size_t size;
isc_buffer_init(&buf, serverstr, sizeof(serverstr));
result = dns_name_totext(&master, ISC_TRUE, &buf);
check_result(result, "dns_name_totext");
serverstr[isc_buffer_usedlength(&buf)] = 0;
- ns_total = MAX_SERVERADDRS;
- servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
- if (servers == NULL)
+ if (master_servers != NULL && master_servers != servers)
+ isc_mem_put(gmctx, master_servers,
+ master_total * sizeof(isc_sockaddr_t));
+ master_total = MAX_SERVERADDRS;
+ size = master_total * sizeof(isc_sockaddr_t);
+ master_servers = isc_mem_get(gmctx, size);
+ if (master_servers == NULL)
fatal("out of memory");
- memset(servers, 0, ns_total * sizeof(isc_sockaddr_t));
- get_addresses(serverstr, dnsport, servers, ns_total);
- }
+ memset(master_servers, 0, size);
+ get_addresses(serverstr, dnsport, master_servers, master_total);
+ master_inuse = 0;
+ } else
+ master_from_servers();
dns_rdata_freestruct(&soa);
#ifdef GSSAPI
if (usegsstsig) {
dns_name_init(&tmpzonename, NULL);
- dns_name_dup(zonename, mctx, &tmpzonename);
+ dns_name_dup(zname, gmctx, &tmpzonename);
dns_name_init(&restart_master, NULL);
- dns_name_dup(&master, mctx, &restart_master);
+ dns_name_dup(&master, gmctx, &restart_master);
start_gssrequest(&master);
} else {
- send_update(zonename, &servers[ns_inuse], localaddr);
+ send_update(zname, &master_servers[master_inuse]);
setzoneclass(dns_rdataclass_none);
}
#else
- send_update(zonename, &servers[ns_inuse], localaddr);
+ send_update(zname, &master_servers[master_inuse]);
setzoneclass(dns_rdataclass_none);
#endif
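Review bot: `master_total` is set to MAX_SERVERADDRS before get_addresses() runs and is never reduced to the number of addresses actually resolved, so next_master()'s bound `++master_inuse >= master_total` can step into the zero-filled tail of `master_servers`. If the master name resolves to fewer addresses, or none, send_update() would then be handed an all-zero sockaddr. I would have get_addresses() report how many entries it filled and store that in `master_total`, keeping the allocation count in a separate variable because the `isc_mem_put` calls use `master_total * sizeof(isc_sockaddr_t)` as the size. get_addresses() is not visible here, so confirm it does not already fail hard when nothing resolves.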
@@ -2501,22 +2574,29 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
dns_request_destroy(&request);
dns_message_renderreset(soaquery);
dns_message_settsigkey(soaquery, NULL);
- sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
+ sendrequest(&servers[ns_inuse], soaquery, &request);
goto out;
}
static void
-sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- dns_message_t *msg, dns_request_t **request)
+sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
+ dns_request_t **request)
{
isc_result_t result;
nsu_requestinfo_t *reqinfo;
+ isc_sockaddr_t *srcaddr;
- reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t));
+ reqinfo = isc_mem_get(gmctx, sizeof(nsu_requestinfo_t));
if (reqinfo == NULL)
fatal("out of memory");
reqinfo->msg = msg;
reqinfo->addr = destaddr;
+
+ if (isc_sockaddr_pf(destaddr) == AF_INET6)
+ srcaddr = localaddr6;
+ else
+ srcaddr = localaddr4;
+
result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr, 0,
default_servers ? NULL : tsigkey,
FIND_TIMEOUT * 20, FIND_TIMEOUT, 3,
@@ -2531,8 +2611,7 @@ sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
* Get the realm from the users kerberos ticket if possible
*/
static void
-get_ticket_realm(isc_mem_t *mctx)
-{
+get_ticket_realm(isc_mem_t *mctx) {
krb5_context ctx;
krb5_error_code rc;
krb5_ccache ccache;
@@ -2589,7 +2668,7 @@ start_gssrequest(dns_name_t *master) {
dns_name_t *servname;
dns_fixedname_t fname;
char namestr[DNS_NAME_FORMATSIZE];
- char keystr[DNS_NAME_FORMATSIZE];
+ char mykeystr[DNS_NAME_FORMATSIZE];
char *err_message = NULL;
debug("start_gssrequest");
@@ -2598,7 +2677,7 @@ start_gssrequest(dns_name_t *master) {
if (gssring != NULL)
dns_tsigkeyring_detach(&gssring);
gssring = NULL;
- result = dns_tsigkeyring_create(mctx, &gssring);
+ result = dns_tsigkeyring_create(gmctx, &gssring);
if (result != ISC_R_SUCCESS)
fatal("dns_tsigkeyring_create failed: %s",
@@ -2606,7 +2685,7 @@ start_gssrequest(dns_name_t *master) {
dns_name_format(master, namestr, sizeof(namestr));
if (kserver == NULL) {
- kserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
+ kserver = isc_mem_get(gmctx, sizeof(isc_sockaddr_t));
if (kserver == NULL)
fatal("out of memory");
}
@@ -2619,7 +2698,7 @@ start_gssrequest(dns_name_t *master) {
servname = dns_fixedname_name(&fname);
if (realm == NULL)
- get_ticket_realm(mctx);
+ get_ticket_realm(gmctx);
result = isc_string_printf(servicename, sizeof(servicename),
"DNS/%s%s", namestr, realm ? realm : "");
@@ -2637,13 +2716,13 @@ start_gssrequest(dns_name_t *master) {
keyname = dns_fixedname_name(&fkname);
isc_random_get(&val);
- result = isc_string_printf(keystr, sizeof(keystr), "%u.sig-%s",
+ result = isc_string_printf(mykeystr, sizeof(mykeystr), "%u.sig-%s",
val, namestr);
if (result != ISC_R_SUCCESS)
- fatal("isc_string_printf(keystr) failed: %s",
+ fatal("isc_string_printf(mykeystr) failed: %s",
isc_result_totext(result));
- isc_buffer_init(&buf, keystr, strlen(keystr));
- isc_buffer_add(&buf, strlen(keystr));
+ isc_buffer_init(&buf, mykeystr, strlen(mykeystr));
+ isc_buffer_add(&buf, strlen(mykeystr));
result = dns_name_fromtext(keyname, &buf, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS)
@@ -2654,7 +2733,7 @@ start_gssrequest(dns_name_t *master) {
keyname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
rmsg = NULL;
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &rmsg);
+ result = dns_message_create(gmctx, DNS_MESSAGE_INTENTRENDER, &rmsg);
if (result != ISC_R_SUCCESS)
fatal("dns_message_create failed: %s",
isc_result_totext(result));
@@ -2663,7 +2742,7 @@ start_gssrequest(dns_name_t *master) {
context = GSS_C_NO_CONTEXT;
result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0,
&context, use_win2k_gsstsig,
- mctx, &err_message);
+ gmctx, &err_message);
if (result == ISC_R_FAILURE)
fatal("tkey query failed: %s",
err_message != NULL ? err_message : "unknown error");
@@ -2671,20 +2750,20 @@ start_gssrequest(dns_name_t *master) {
fatal("dns_tkey_buildgssquery failed: %s",
isc_result_totext(result));
- send_gssrequest(localaddr, kserver, rmsg, &request, context);
+ send_gssrequest(kserver, rmsg, &request, context);
}
static void
-send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- dns_message_t *msg, dns_request_t **request,
- gss_ctx_id_t context)
+send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
+ dns_request_t **request, gss_ctx_id_t context)
{
isc_result_t result;
nsu_gssinfo_t *reqinfo;
unsigned int options = 0;
+ isc_sockaddr_t *srcaddr;
debug("send_gssrequest");
- reqinfo = isc_mem_get(mctx, sizeof(nsu_gssinfo_t));
+ reqinfo = isc_mem_get(gmctx, sizeof(nsu_gssinfo_t));
if (reqinfo == NULL)
fatal("out of memory");
reqinfo->msg = msg;
@@ -2692,6 +2771,12 @@ send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
reqinfo->context = context;
options |= DNS_REQUESTOPT_TCP;
+
+ if (isc_sockaddr_pf(destaddr) == AF_INET6)
+ srcaddr = localaddr6;
+ else
+ srcaddr = localaddr4;
+
result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr,
options, tsigkey, FIND_TIMEOUT * 20,
FIND_TIMEOUT, 3, global_task, recvgss,
@@ -2735,7 +2820,7 @@ recvgss(isc_task_t *task, isc_event_t *event) {
if (shuttingdown) {
dns_request_destroy(&request);
dns_message_destroy(&tsigquery);
- isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+ isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
isc_event_free(&event);
maybeshutdown();
return;
@@ -2746,18 +2831,18 @@ recvgss(isc_task_t *task, isc_event_t *event) {
ddebug("Destroying request [%p]", request);
dns_request_destroy(&request);
dns_message_renderreset(tsigquery);
- sendrequest(localaddr, &servers[ns_inuse], tsigquery, &request);
- isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+ sendrequest(&servers[ns_inuse], tsigquery, &request);
+ isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
isc_event_free(&event);
return;
}
- isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+ isc_mem_put(gmctx, reqinfo, sizeof(nsu_gssinfo_t));
isc_event_free(&event);
reqev = NULL;
ddebug("recvgss creating rcvmsg");
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+ result = dns_message_create(gmctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
check_result(result, "dns_message_create");
result = dns_request_getresponse(request, rcvmsg,
@@ -2800,8 +2885,7 @@ recvgss(isc_task_t *task, isc_event_t *event) {
switch (result) {
case DNS_R_CONTINUE:
- send_gssrequest(localaddr, kserver, tsigquery, &request,
- context);
+ send_gssrequest(kserver, tsigquery, &request, context);
break;
case ISC_R_SUCCESS:
@@ -2834,7 +2918,7 @@ recvgss(isc_task_t *task, isc_event_t *event) {
check_result(result, "dns_message_checksig");
#endif /* 0 */
- send_update(&tmpzonename, &servers[ns_inuse], localaddr);
+ send_update(&tmpzonename, &master_servers[master_inuse]);
setzoneclass(dns_rdataclass_none);
break;
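Review bot: The `send_update` call after the `#endif /* 0 */` now indexes `master_servers[master_inuse]`, while the resend path earlier in recvgss still uses `servers[ns_inuse]`. Nothing in this hunk shows that `master_servers` has been populated by the time GSS negotiation completes. If the caller chain guarantees that, a one-line comment saying so would help, and an `INSIST(master_servers != NULL);` before the call would make the assumption explicit. recvgss starts and ends outside this hunk.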
@@ -2868,13 +2952,19 @@ start_update(void) {
if (answer != NULL)
dns_message_destroy(&answer);
- if (userzone != NULL && ! usegsstsig) {
- send_update(userzone, &servers[ns_inuse], localaddr);
+ /*
+ * If we have both the zone and the servers we have enough information
+ * to send the update straight away otherwise we need to discover
+ * the zone and / or the master server.
+ */
+ if (userzone != NULL && !default_servers && !usegsstsig) {
+ master_from_servers();
+ send_update(userzone, &master_servers[master_inuse]);
setzoneclass(dns_rdataclass_none);
return;
}
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
+ result = dns_message_create(gmctx, DNS_MESSAGE_INTENTRENDER,
&soaquery);
check_result(result, "dns_message_create");
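Review bot: The new comment in start_update does not mention the third condition. With `usegsstsig` set the shortcut is skipped and the code falls through to building the SOA query, even when the zone and servers are both known. The sentence is also a run-on. I would reword it to `/* With an explicit zone and server list, send the update now; otherwise, and always for GSS-TSIG, discover the zone and/or master via an SOA query. */`. start_update begins and ends outside this hunk.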
@@ -2931,7 +3021,7 @@ start_update(void) {
dns_message_addname(soaquery, name, DNS_SECTION_QUESTION);
ns_inuse = 0;
- sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
+ sendrequest(&servers[ns_inuse], soaquery, &request);
}
static void
@@ -2951,11 +3041,11 @@ cleanup(void) {
dns_tsigkeyring_detach(&gssring);
}
if (kserver != NULL) {
- isc_mem_put(mctx, kserver, sizeof(isc_sockaddr_t));
+ isc_mem_put(gmctx, kserver, sizeof(isc_sockaddr_t));
kserver = NULL;
}
if (realm != NULL) {
- isc_mem_free(mctx, realm);
+ isc_mem_free(gmctx, realm);
realm = NULL;
}
#endif
@@ -2982,12 +3072,12 @@ cleanup(void) {
dns_name_destroy();
ddebug("Removing log context");
- isc_log_destroy(&lctx);
+ isc_log_destroy(&glctx);
ddebug("Destroying memory context");
if (memdebugging)
- isc_mem_stats(mctx, stderr);
- isc_mem_destroy(&mctx);
+ isc_mem_stats(gmctx, stderr);
+ isc_mem_destroy(&gmctx);
}
static void
@@ -3027,14 +3117,14 @@ main(int argc, char **argv) {
pre_parse_args(argc, argv);
- result = isc_mem_create(0, 0, &mctx);
+ result = isc_mem_create(0, 0, &gmctx);
check_result(result, "isc_mem_create");
- parse_args(argc, argv, mctx, &entropy);
+ parse_args(argc, argv, gmctx, &entropy);
setup_system();
- result = isc_app_onrun(mctx, global_task, getinput, NULL);
+ result = isc_app_onrun(gmctx, global_task, getinput, NULL);
check_result(result, "isc_app_onrun");
(void)isc_app_run();
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index edb3a3110904..87e966937e3d 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -78,7 +78,7 @@ static isccc_ccmsg_t ccmsg;
static isccc_region_t secret;
static isc_boolean_t failed = ISC_FALSE;
static isc_boolean_t c_flag = ISC_FALSE;
-static isc_mem_t *mctx;
+static isc_mem_t *rndc_mctx;
static int sends, recvs, connects;
static char *command;
static char *args;
@@ -405,7 +405,7 @@ rndc_connected(isc_task_t *task, isc_event_t *event) {
r.length = len;
r.base = databuf;
- isccc_ccmsg_init(mctx, sock, &ccmsg);
+ isccc_ccmsg_init(rndc_mctx, sock, &ccmsg);
isccc_ccmsg_setmaxsize(&ccmsg, 1024 * 1024);
DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
@@ -812,12 +812,12 @@ main(int argc, char **argv) {
isc_random_get(&serial);
- DO("create memory context", isc_mem_create(0, 0, &mctx));
- DO("create socket manager", isc_socketmgr_create(mctx, &socketmgr));
- DO("create task manager", isc_taskmgr_create(mctx, 1, 0, &taskmgr));
+ DO("create memory context", isc_mem_create(0, 0, &rndc_mctx));
+ DO("create socket manager", isc_socketmgr_create(rndc_mctx, &socketmgr));
+ DO("create task manager", isc_taskmgr_create(rndc_mctx, 1, 0, &taskmgr));
DO("create task", isc_task_create(taskmgr, 0, &task));
- DO("create logging context", isc_log_create(mctx, &log, &logconfig));
+ DO("create logging context", isc_log_create(rndc_mctx, &log, &logconfig));
isc_log_setcontext(log);
DO("setting log tag", isc_log_settag(logconfig, progname));
logdest.file.stream = stderr;
@@ -831,7 +831,7 @@ main(int argc, char **argv) {
DO("enabling log channel", isc_log_usechannel(logconfig, "stderr",
NULL, NULL));
- parse_config(mctx, log, keyname, &pctx, &config);
+ parse_config(rndc_mctx, log, keyname, &pctx, &config);
isccc_result_register();
@@ -846,7 +846,7 @@ main(int argc, char **argv) {
for (i = 0; i < argc; i++)
argslen += strlen(argv[i]) + 1;
- args = isc_mem_get(mctx, argslen);
+ args = isc_mem_get(rndc_mctx, argslen);
if (args == NULL)
DO("isc_mem_get", ISC_R_NOMEMORY);
@@ -870,7 +870,7 @@ main(int argc, char **argv) {
if (nserveraddrs == 0)
get_addresses(servername, (in_port_t) remoteport);
- DO("post event", isc_app_onrun(mctx, task, rndc_start, NULL));
+ DO("post event", isc_app_onrun(rndc_mctx, task, rndc_start, NULL));
result = isc_app_run();
if (result != ISC_R_SUCCESS)
@@ -888,15 +888,15 @@ main(int argc, char **argv) {
cfg_obj_destroy(pctx, &config);
cfg_parser_destroy(&pctx);
- isc_mem_put(mctx, args, argslen);
+ isc_mem_put(rndc_mctx, args, argslen);
isccc_ccmsg_invalidate(&ccmsg);
dns_name_destroy();
if (show_final_mem)
- isc_mem_stats(mctx, stderr);
+ isc_mem_stats(rndc_mctx, stderr);
- isc_mem_destroy(&mctx);
+ isc_mem_destroy(&rndc_mctx);
if (failed)
return (1);