
bind package update

Signed-off-by: webbuilder_pel7ppc64bebuilder0 <webbuilder@powerel.org>
master
webbuilder_pel7ppc64bebuilder0 6 years ago
parent
commit
9e27d6087a
  1. 79
      SOURCES/README.sdb_pgsql
  2. 63
      SOURCES/bind-9.3.1rc1-sdb_tools-Makefile.in
  3. 60
      SOURCES/bind-9.3.2-redhat_doc.patch
  4. 524
      SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch
  5. 243
      SOURCES/bind-9.3.2b2-sdbsrc.patch
  6. 27
      SOURCES/bind-9.5-PIE.patch
  7. 70
      SOURCES/bind-9.5-dlz-64bit.patch
  8. 270
      SOURCES/bind-9.5-libidn.patch
  9. 221
      SOURCES/bind-9.5-libidn2.patch
  10. 21
      SOURCES/bind-9.5-libidn3.patch
  11. 14
      SOURCES/bind-9.5-parallel-build.patch
  12. 102
      SOURCES/bind-9.5-sdb-sqlite-bld.patch
  13. 239
      SOURCES/bind-9.5-sdb.patch
  14. 1727
      SOURCES/bind-9.9-allow_external_dnskey.patch
  15. 740
      SOURCES/bind-9.9-dist-native-pkcs11.patch
  16. 25320
      SOURCES/bind-9.9-native-pkcs11.patch
  17. 27
      SOURCES/bind-9.9.1-P2-dlz-libdb.patch
  18. 66
      SOURCES/bind-9.9.1-P2-multlib-conflict.patch
  19. 12
      SOURCES/bind-9.9.3-include-update-h.patch
  20. 40
      SOURCES/bind-95-rh452060.patch
  21. 23
      SOURCES/bind-96-old-api.patch
  22. 13
      SOURCES/bind-99-socket-maxevents.patch
  23. 72
      SOURCES/bind-nonexec.patch
  24. 69
      SOURCES/bind.keys
  25. 1
      SOURCES/bind.tmpfiles.d
  26. 95
      SOURCES/bind93-rh490837.patch
  27. 26
      SOURCES/bind93-rh726120.patch
  28. 19
      SOURCES/bind95-rh461409.patch
  29. 226
      SOURCES/bind97-exportlib.patch
  30. 30
      SOURCES/bind97-rh478718.patch
  31. 153
      SOURCES/bind97-rh570851.patch
  32. 30
      SOURCES/bind97-rh645544.patch
  33. 14
      SOURCES/bind97-rh669163.patch
  34. 35
      SOURCES/bind97-rh693982.patch
  35. 40
      SOURCES/bind98-rh735103.patch
  36. 53
      SOURCES/bind99-CVE-2014-0591.patch
  37. 924
      SOURCES/bind99-CVE-2014-8500.patch
  38. 25
      SOURCES/bind99-CVE-2015-1349.patch
  39. 21
      SOURCES/bind99-CVE-2015-4620.patch
  40. 11
      SOURCES/bind99-CVE-2015-5477.patch
  41. 449
      SOURCES/bind99-CVE-2015-5722.patch
  42. 179
      SOURCES/bind99-CVE-2015-8000.patch
  43. 22
      SOURCES/bind99-CVE-2015-8704.patch
  44. 431
      SOURCES/bind99-CVE-2016-1285-CVE-2016-1286.patch
  45. 66
      SOURCES/bind99-CVE-2016-2775.patch
  46. 89
      SOURCES/bind99-CVE-2016-2776.patch
  47. 174
      SOURCES/bind99-CVE-2016-8864.patch
  48. 37
      SOURCES/bind99-CVE-2016-9131.patch
  49. 31
      SOURCES/bind99-CVE-2016-9147.patch
  50. 147
      SOURCES/bind99-CVE-2016-9444.patch
  51. 193
      SOURCES/bind99-CVE-2017-3135.patch
  52. 26
      SOURCES/bind99-CVE-2017-3136.patch
  53. 1126
      SOURCES/bind99-CVE-2017-3137.patch
  54. 497
      SOURCES/bind99-CVE-2017-3142+3143.patch
  55. 124
      SOURCES/bind99-CVE-2017-3145.patch
  56. 61
      SOURCES/bind99-ISC-Bugs-34738.patch
  57. 213
      SOURCES/bind99-ISC-Bugs-34870-v3.patch
  58. 31
      SOURCES/bind99-ISC-Bugs-35073.patch
  59. 42
      SOURCES/bind99-ISC-Bugs-35080.patch
  60. 685
      SOURCES/bind99-automatic-interface-scanning-rh1294506.patch
  61. 307
      SOURCES/bind99-coverity-fixes.patch
  62. 44
      SOURCES/bind99-coverity-fixes2.patch
  63. 5176
      SOURCES/bind99-dyndb.patch
  64. 13
      SOURCES/bind99-forward.patch
  65. 14
      SOURCES/bind99-libidn4.patch
  66. 41
      SOURCES/bind99-rh1067424.patch
  67. 53
      SOURCES/bind99-rh1072379.patch
  68. 164
      SOURCES/bind99-rh1098959.patch
  69. 408
      SOURCES/bind99-rh1214827.patch
  70. 178
      SOURCES/bind99-rh1215164.patch
  71. 67
      SOURCES/bind99-rh1215687-limits.patch
  72. 5539
      SOURCES/bind99-rh1220594-geoip.patch
  73. 12
      SOURCES/bind99-rh1259514.patch
  74. 58
      SOURCES/bind99-rh1291185.patch
  75. 1847
      SOURCES/bind99-rh1306610.patch
  76. 41
      SOURCES/bind99-rh1392362.patch
  77. 139
      SOURCES/bind99-rh1416304.patch
  78. 102
      SOURCES/bind99-rh1464850-2.patch
  79. 1849
      SOURCES/bind99-rh1464850.patch
  80. 434
      SOURCES/bind99-rh1470637-tests.patch
  81. 195
      SOURCES/bind99-rh1470637.patch
  82. 32
      SOURCES/bind99-rh1472862.patch
  83. 574
      SOURCES/bind99-rh1476013.patch
  84. 1961
      SOURCES/bind99-rh1501531.patch
  85. 44
      SOURCES/bind99-rh640538.patch
  86. 12
      SOURCES/bind99-rrl.patch
  87. 159
      SOURCES/bind99-rt43779.patch
  88. 482
      SOURCES/bind99-rt44318.patch
  89. BIN
      SOURCES/config-15.tar.bz2
  90. 148
      SOURCES/dnszone.schema
  91. 20
      SOURCES/generate-rndc-key.sh
  92. BIN
      SOURCES/geoip-testing-data.tar.xz
  93. 41
      SOURCES/ldap2zone.1
  94. 411
      SOURCES/ldap2zone.c
  95. 12
      SOURCES/named-chroot-setup.service
  96. 30
      SOURCES/named-chroot.service
  97. 26
      SOURCES/named-pkcs11.service
  98. 12
      SOURCES/named-sdb-chroot-setup.service
  99. 30
      SOURCES/named-sdb-chroot.service
  100. 1
      SOURCES/named-sdb.8

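--- a/SOURCES/README.sdb_pgsql
+++ b/SOURCES/README.sdb_pgsql
@@ -0,0 +1,79 @@
+PGSQL BIND SDB driver
+
+The postgresql BIND SDB driver is of experimental status and should not be
+used for production systems.
+
+Usage:
+
+o Use the named_sdb process ( put ENABLE_SDB=yes in /etc/sysconfig/named )
+
+o Edit your named.conf to contain a database zone, eg. :
+zone "pgdb.net." IN {
+type master;
+database "pgsql bind pgdb localhost pguser pgpasswd";
+# ^- DB name ^-Table ^-host ^-user ^-password
+};
+
+o Create the database zone table
+The table must contain the columns "name", "rdtype", and "rdata", and
+is expected to contain a properly constructed zone. The program "zonetodb"
+creates such a table.
+zonetodb usage:
+zonetodb origin file dbname dbtable
+
+where
+origin : zone origin, eg "pgdb.net."
+file : master zone database file, eg. pgdb.net.db
+dbname : name of postgresql database
+dbtable: name of table in database
+
+Eg. to import this zone in the file 'pgdb.net.db' into the 'bind' database
+'pgdb' table:
+
+---
+#pgdb.net.db:
+$TTL 1H
+@ SOA localhost. root.localhost. ( 1
+3H
+1H
+1W
+1H )
+NS localhost.
+host1 A 192.168.2.1
+host2 A 192.168.2.2
+host3 A 192.168.2.3
+host4 A 192.168.2.4
+host5 A 192.168.2.5
+host6 A 192.168.2.6
+host7 A 192.168.2.7
+---
+
+Issue this command as the pgsql user authorized to update the bind database:
+# zonetodb pgdb.net. pgdb.net.db bind pgdb
+
+will create / update the pgdb table in the 'bind' db:
+
+$ psql -dbind -c 'select * from pgdb;'
+name | ttl | rdtype | rdata
+----------------+------+--------+-----------------------------------------------------
+pgdb.net | 3600 | SOA | localhost. root.localhost. 1 10800 3600 604800 3600
+pgdb.net | 3600 | NS | localhost.
+host1.pgdb.net | 3600 | A | 192.168.2.1
+host2.pgdb.net | 3600 | A | 192.168.2.2
+host3.pgdb.net | 3600 | A | 192.168.2.3
+host4.pgdb.net | 3600 | A | 192.168.2.4
+host5.pgdb.net | 3600 | A | 192.168.2.5
+host6.pgdb.net | 3600 | A | 192.168.2.6
+host7.pgdb.net | 3600 | A | 192.168.2.7
+(9 rows)
+
+I've tested exactly the above configuration with bind-sdb-9.3.1+ and it works OK.
+
+NOTE: If you use pgsqldb SDB, ensure the postgresql service is started before the named
+service .
+
+USE AT YOUR OWN RISK!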

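--- a/SOURCES/bind-9.3.1rc1-sdb_tools-Makefile.in
+++ b/SOURCES/bind-9.3.1rc1-sdb_tools-Makefile.in
@@ -0,0 +1,63 @@
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \
+${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES = -DBIND9
+
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+ISCLIBS = ../../lib/isc/libisc.@A@
+LWRESLIBS = ../../lib/lwres/liblwres.@A@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+
+DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
+
+TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@
+
+OBJS = zone2ldap.@O@ zonetodb.@O@
+
+SRCS = zone2ldap.c zonetodb.c
+
+MANPAGES = zone2ldap.1
+
+EXT_CFLAGS =
+
+@BIND9_MAKE_RULES@
+
+zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLIBS}
+${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zone2ldap.@O@ -lldap -llber ${LIBS}
+
+zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
+${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
+
+clean distclean manclean maintainer-clean::
+rm -f ${TARGETS} ${OBJS}
+
+installdirs:
+$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+
+install:: ${TARGETS} installdirs
+${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
+${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1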
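Review bot: The two tools built here get none of the hardening this same package applies to named: `EXT_CFLAGS =` is left empty, so zone2ldap and zonetodb are compiled without `-fpie` and linked without the `-pie -Wl,-z,relro,-z,now` flags that bind-9.5-PIE.patch adds to bin/named/Makefile.in, yet both are installed into sbindir and handle LDAP bind credentials and database connections. Unless the distro toolchain injects PIE/RELRO through ${CFLAGS}/${LDFLAGS} (not visible here), `EXT_CFLAGS = -fpie` plus a matching `LDFLAGS += -pie -Wl,-z,relro,-z,now` would bring them in line with named. Separately, `MANPAGES = zone2ldap.1` is the only manual page installed, so zonetodb ships undocumented apart from README.sdb_pgsql; a one-line comment above MANPAGES noting that zonetodb has no man page would at least make the gap deliberate.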

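--- a/SOURCES/bind-9.3.2-redhat_doc.patch
+++ b/SOURCES/bind-9.3.2-redhat_doc.patch
@@ -0,0 +1,60 @@
+--- bind-9.4.0/bin/named/named.8.redhat_doc 2007-01-30 01:23:44.000000000 +0100
++++ bind-9.4.0/bin/named/named.8 2007-03-12 15:39:19.000000000 +0100
+@@ -205,6 +205,57 @@
+\fI/var/run/named/named.pid\fR
+.RS 4
+The default process\-id file.
++.PP
++.SH "NOTES"
++.PP
++.TP
++\fBRed Hat SELinux BIND Security Profile:\fR
++.PP
++By default, Red Hat ships BIND with the most secure SELinux policy
++that will not prevent normal BIND operation and will prevent exploitation
++of all known BIND security vulnerabilities . See the selinux(8) man page
++for information about SElinux.
++.PP
++It is not necessary to run named in a chroot environment if the Red Hat
++SELinux policy for named is enabled. When enabled, this policy is far
++more secure than a chroot environment. Users are recommended to enable
++SELinux and remove the bind-chroot package.
++.PP
++With this extra security comes some restrictions:
++.PP
++By default, the SELinux policy does not allow named to write any master
++zone database files. Only the root user may create files in the $ROOTDIR/var/named
++zone database file directory (the options { "directory" } option), where
++$ROOTDIR is set in /etc/sysconfig/named.
++.PP
++The "named" group must be granted read privelege to
++these files in order for named to be enabled to read them.
++.PP
++Any file created in the zone database file directory is automatically assigned
++the SELinux file context named_zone_t .
++.PP
++By default, SELinux prevents any role from modifying named_zone_t files; this
++means that files in the zone database directory cannot be modified by dynamic
++DNS (DDNS) updates or zone transfers.
++.PP
++The Red Hat BIND distribution and SELinux policy creates three directories where
++named is allowed to create and modify files: /var/named/slaves, /var/named/dynamic
++/var/named/data. By placing files you want named to modify, such as
++slave or DDNS updateable zone files and database / statistics dump files in
++these directories, named will work normally and no further operator action is
++required. Files in these directories are automatically assigned the 'named_cache_t'
++file context, which SELinux allows named to write.
++.PP
++\fBRed Hat BIND SDB support:\fR
++.PP
++Red Hat ships named with compiled in Simplified Database Backend modules that ISC
++provides in the "contrib/sdb" directory. Install bind-sdb package if you want use them
++.PP
++The SDB modules for LDAP, PostGreSQL, DirDB and SQLite are compiled into named-sdb.
++.PP
++See the documentation for the various SDB modules in /usr/share/doc/bind-sdb-*/ .
++.br
++.PP
+.RE
+.SH "SEE ALSO"
+.PP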

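--- a/SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch
+++ b/SOURCES/bind-9.3.2b1-fix_sdb_ldap.patch
@@ -0,0 +1,524 @@
+diff -up bind-9.5.1b1/bin/sdb_tools/Makefile.in.fix_sdb_ldap bind-9.5.1b1/bin/sdb_tools/Makefile.in
+--- bind-9.5.1b1/bin/sdb_tools/Makefile.in.fix_sdb_ldap 2008-07-21 12:14:00.000000000 +0200
++++ bind-9.5.1b1/bin/sdb_tools/Makefile.in 2008-07-21 12:17:51.000000000 +0200
+@@ -30,11 +30,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS}
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
+-TARGETS = zone2ldap@EXEEXT@ zonetodb@EXEEXT@
++TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@
+-OBJS = zone2ldap.@O@ zonetodb.@O@
++OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@
+-SRCS = zone2ldap.c zonetodb.c
++SRCS = zone2ldap.c ldap2zone.c zonetodb.c
+MANPAGES = zone2ldap.1
+@@ -48,6 +48,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLI
+zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
+${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
++ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
++ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
++
+clean distclean manclean maintainer-clean::
+rm -f ${TARGETS} ${OBJS}
+@@ -57,5 +60,6 @@ installdirs:
+install:: ${TARGETS} installdirs
+${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
++ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
+${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
+diff -up bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap bind-9.5.1b1/bin/sdb_tools/zone2ldap.c
+--- bind-9.5.1b1/bin/sdb_tools/zone2ldap.c.fix_sdb_ldap 2008-07-21 12:14:00.000000000 +0200
++++ bind-9.5.1b1/bin/sdb_tools/zone2ldap.c 2008-07-21 12:14:00.000000000 +0200
+@@ -24,6 +24,7 @@
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
++#include <isc/hash.h>
+#include <isc/result.h>
+#include <dns/db.h>
+@@ -61,6 +62,9 @@ ldap_info;
+/* usage Info */
+void usage (void);
++/* Check for existence of (and possibly add) containing dNSZone objects */
++int lookup_dns_zones( ldap_info *ldinfo);
++
+/* Add to the ldap dit */
+void add_ldap_values (ldap_info * ldinfo);
+@@ -77,7 +81,7 @@ char **hostname_to_dn_list (char *hostna
+int get_attr_list_size (char **tmp);
+/* Get a DN */
+-char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag);
++char *build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone);
+/* Add to RR list */
+void add_to_rr_list (char *dn, char *name, char *type, char *data,
+@@ -99,11 +103,27 @@ void
+init_ldap_conn ();
+void usage();
+-char *argzone, *ldapbase, *binddn, *bindpw = NULL;
+-const char *ldapsystem = "localhost";
+-static const char *objectClasses[] =
+- { "top", "dNSZone", NULL };
+-static const char *topObjectClasses[] = { "top", NULL };
++static char *argzone, *ldapbase, *binddn, *bindpw = NULL;
++
++/* these are needed to placate gcc4's const-ness const-ernations : */
++static char localhost[] = "localhost";
++static char *ldapsystem=&(localhost[0]);
++/* dnszone schema class names: */
++static char topClass [] ="top";
++static char dNSZoneClass[] ="dNSZone";
++static char objectClass [] ="objectClass";
++static char dcObjectClass[]="dcObject";
++/* dnszone schema attribute names: */
++static char relativeDomainName[]="relativeDomainName";
++static char dNSTTL []="dNSTTL";
++static char zoneName []="zoneName";
++static char dc []="dc";
++static char sameZone []="@";
++/* LDAPMod mod_values: */
++static char *objectClasses []= { &(topClass[0]), &(dNSZoneClass[0]), NULL };
++static char *topObjectClasses []= { &(topClass[0]), &(dcObjectClass[0]), &(dNSZoneClass[0]), NULL };
++static char *dn_buffer [64]={NULL};
++
+LDAP *conn;
+unsigned int debug = 0;
+@@ -119,12 +139,12 @@ main (int argc, char **argv)
+isc_result_t result;
+char *basedn;
+ldap_info *tmp;
+- LDAPMod *base_attrs[2];
+- LDAPMod base;
++ LDAPMod *base_attrs[5];
++ LDAPMod base, dcBase, znBase, rdnBase;
+isc_buffer_t buff;
+char *zonefile=0L;
+char fullbasedn[1024];
+- char *ctmp;
++ char *ctmp, *zn, *dcp[2], *znp[2], *rdn[2];
+dns_fixedname_t fixedzone, fixedname;
+dns_rdataset_t rdataset;
+char **dc_list;
+@@ -137,7 +157,7 @@ main (int argc, char **argv)
+extern char *optarg;
+extern int optind, opterr, optopt;
+int create_base = 0;
+- int topt;
++ int topt, dcn, zdn, znlen;
+if ((int) argc < 2)
+{
+@@ -145,7 +165,7 @@ main (int argc, char **argv)
+exit (-1);
+}
+- while ((topt = getopt ((int) argc, argv, "D:w:b:z:f:h:?dcv")) != -1)
++ while ((topt = getopt ((int) argc, argv, "D:Ww:b:z:f:h:?dcv")) != -1)
+{
+switch (topt)
+{
+@@ -164,8 +184,11 @@ main (int argc, char **argv)
+case 'w':
+bindpw = strdup (optarg);
+break;
++ case 'W':
++ bindpw = getpass("Enter LDAP Password: ");
++ break;
+case 'b':
+- ldapbase = strdup (optarg);
++ ldapbase = strdup (optarg);
+break;
+case 'z':
+argzone = strdup (optarg);
+@@ -277,27 +300,62 @@ main (int argc, char **argv)
+{
+if (debug)
+printf ("Creating base zone DN %s\n", argzone);
+-
++
+dc_list = hostname_to_dn_list (argzone, argzone, DNS_TOP);
+- basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC);
+- for (ctmp = &basedn[strlen (basedn)]; ctmp >= &basedn[0]; ctmp--)
++ basedn = build_dn_from_dc_list (dc_list, 0, NO_SPEC, argzone);
++ if (debug)
++ printf ("base DN %s\n", basedn);
++
++ for (ctmp = &basedn[strlen (basedn)], dcn=0; ctmp >= &basedn[0]; ctmp--)
+{
+- if ((*ctmp == ',') || (ctmp == &basedn[0]))
++ if ((*ctmp == ',') || (ctmp == &basedn[0]))
+{
++
+base.mod_op = LDAP_MOD_ADD;
+- base.mod_type = (char*)"objectClass";
+- base.mod_values = (char**)topObjectClasses;
++ base.mod_type = objectClass;
++ base.mod_values = topObjectClasses;
+base_attrs[0] = (void*)&base;
+- base_attrs[1] = NULL;
+-
++
++ dcBase.mod_op = LDAP_MOD_ADD;
++ dcBase.mod_type = dc;
++ dcp[0]=dc_list[dcn];
++ dcp[1]=0L;
++ dcBase.mod_values=dcp;
++ base_attrs[1] = (void*)&dcBase;
++
++ znBase.mod_op = LDAP_MOD_ADD;
++ znBase.mod_type = zoneName;
++ for( zdn = dcn, znlen = 0; zdn >= 0; zdn-- )
++ znlen += strlen(dc_list[zdn])+1;
++ znp[0] = (char*)malloc(znlen+1);
++ znp[1] = 0L;
++ for( zdn = dcn, zn=znp[0]; zdn >= 0; zdn-- )
++ zn+=sprintf(zn,"%s%s",dc_list[zdn],
++ ((zdn > 0) && (*(dc_list[zdn-1])!='.')) ? "." : ""
++ );
++
++ znBase.mod_values = znp;
++ base_attrs[2] = (void*)&znBase;
++
++ rdnBase.mod_op = LDAP_MOD_ADD;
++ rdnBase.mod_type = relativeDomainName;
++ rdn[0] = strdup(sameZone);
++ rdn[1] = 0L;
++ rdnBase.mod_values = rdn;
++ base_attrs[3] = (void*)&rdnBase;
++
++ dcn++;
++
++ base.mod_values = topObjectClasses;
++ base_attrs[4] = NULL;
++
+if (ldapbase)
+{
+if (ctmp != &basedn[0])
+sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase);
+else
+- sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
+-
++ sprintf (fullbasedn, "%s,%s", ctmp, ldapbase);
+}
+else
+{
+@@ -306,8 +364,13 @@ main (int argc, char **argv)
+else
+sprintf (fullbasedn, "%s", ctmp);
+}
++
++ if( debug )
++ printf("Full base dn: %s\n", fullbasedn);
++
+result = ldap_add_s (conn, fullbasedn, base_attrs);
+ldap_result_check ("intial ldap_add_s", fullbasedn, result);
++
+}
+}
+@@ -383,14 +446,14 @@ generate_ldap (dns_name_t * dnsname, dns
+isc_result_check (result, "dns_rdata_totext");
+data[isc_buffer_usedlength (&buff)] = 0;
+- dc_list = hostname_to_dn_list (name, argzone, DNS_OBJECT);
++ dc_list = hostname_to_dn_list ((char*)name, argzone, DNS_OBJECT);
+len = (get_attr_list_size (dc_list) - 2);
+- dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC);
++ dn = build_dn_from_dc_list (dc_list, ttl, WI_SPEC, argzone);
+if (debug)
+printf ("Adding %s (%s %s) to run queue list.\n", dn, type, data);
+- add_to_rr_list (dn, dc_list[len], type, data, ttl, DNS_OBJECT);
++ add_to_rr_list (dn, dc_list[len], (char*)type, (char*)data, ttl, DNS_OBJECT);
+}
+@@ -430,7 +493,8 @@ add_to_rr_list (char *dn, char *name, ch
+int attrlist;
+char ldap_type_buffer[128];
+char charttl[64];
+-
++ char *zn;
++ int znlen;
+if ((tmp = locate_by_dn (dn)) == NULL)
+{
+@@ -465,13 +529,13 @@ add_to_rr_list (char *dn, char *name, ch
+}
+}
+tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
+- tmp->attrs[0]->mod_type = (char*)"objectClass";
++ tmp->attrs[0]->mod_type = objectClass;
+if (flags == DNS_OBJECT)
+- tmp->attrs[0]->mod_values = (char**)objectClasses;
++ tmp->attrs[0]->mod_values = objectClasses;
+else
+{
+- tmp->attrs[0]->mod_values = (char**)topObjectClasses;
++ tmp->attrs[0]->mod_values =topObjectClasses;
+tmp->attrs[1] = NULL;
+tmp->attrcnt = 2;
+tmp->next = ldap_info_base;
+@@ -480,7 +544,7 @@ add_to_rr_list (char *dn, char *name, ch
+}
+tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
+- tmp->attrs[1]->mod_type = (char*)"relativeDomainName";
++ tmp->attrs[1]->mod_type = relativeDomainName;
+tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
+if (tmp->attrs[1]->mod_values == (char **)NULL)
+@@ -502,7 +566,7 @@ add_to_rr_list (char *dn, char *name, ch
+tmp->attrs[2]->mod_values[1] = NULL;
+tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
+- tmp->attrs[3]->mod_type = (char*)"dNSTTL";
++ tmp->attrs[3]->mod_type = dNSTTL;
+tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
+if (tmp->attrs[3]->mod_values == (char **)NULL)
+@@ -512,10 +576,21 @@ add_to_rr_list (char *dn, char *name, ch
+tmp->attrs[3]->mod_values[0] = strdup (charttl);
+tmp->attrs[3]->mod_values[1] = NULL;
++ znlen=strlen(gbl_zone);
++ if ( *(gbl_zone + (znlen-1)) == '.' )
++ { /* ldapdb MUST search by relative zone name */
++ zn = (char*)malloc(znlen);
++ strncpy(zn,gbl_zone,znlen-1);
++ *(zn + (znlen-1))='\0';
++ }else
++ {
++ zn = gbl_zone;
++ }
++
+tmp->attrs[4]->mod_op = LDAP_MOD_ADD;
+- tmp->attrs[4]->mod_type = (char*)"zoneName";
++ tmp->attrs[4]->mod_type = zoneName;
+tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
+- tmp->attrs[4]->mod_values[0] = gbl_zone;
++ tmp->attrs[4]->mod_values[0] = zn;
+tmp->attrs[4]->mod_values[1] = NULL;
+tmp->attrs[5] = NULL;
+@@ -526,7 +601,7 @@ add_to_rr_list (char *dn, char *name, ch
+else
+{
+- for (i = 0; tmp->attrs[i] != NULL; i++)
++ for (i = 0; tmp->attrs[i] != NULL; i++)
+{
+sprintf (ldap_type_buffer, "%sRecord", type);
+if (!strncmp
+@@ -595,69 +670,105 @@ char **
+hostname_to_dn_list (char *hostname, char *zone, unsigned int flags)
+{
+char *tmp;
+- static char *dn_buffer[64];
+int i = 0;
+- char *zname;
+- char *hnamebuff;
+-
+- zname = strdup (hostname);
+-
+- if (flags == DNS_OBJECT)
+- {
++ char *hname=0L, *last=0L;
++ int hlen=strlen(hostname), zlen=(strlen(zone));
+- if (strlen (zname) != strlen (zone))
+- {
+- tmp = &zname[strlen (zname) - strlen (zone)];
+- *--tmp = '\0';
+- hnamebuff = strdup (zname);
+- zname = ++tmp;
+- }
+- else
+- hnamebuff = (char*)"@";
+- }
+- else
+- {
+- zname = zone;
+- hnamebuff = NULL;
+- }
+-
+- for (tmp = strrchr (zname, '.'); tmp != (char *) 0;
+- tmp = strrchr (zname, '.'))
+- {
+- *tmp++ = '\0';
+- dn_buffer[i++] = tmp;
+- }
+- dn_buffer[i++] = zname;
+- dn_buffer[i++] = hnamebuff;
++/* printf("hostname: %s zone: %s\n",hostname, zone); */
++ hname=0L;
++ if(flags == DNS_OBJECT)
++ {
++ if( (zone[ zlen - 1 ] == '.') && (hostname[hlen - 1] != '.') )
++ {
++ hname=(char*)malloc(hlen + 1);
++ hlen += 1;
++ sprintf(hname, "%s.", hostname);
++ hostname = hname;
++ }
++ if(strcmp(hostname, zone) == 0)
++ {
++ if( hname == 0 )
++ hname=strdup(hostname);
++ last = strdup(sameZone);
++ }else
++ {
++ if( (hlen < zlen)
++ ||( strcmp( hostname + (hlen - zlen), zone ) != 0)
++ )
++ {
++ if( hname != 0 )
++ free(hname);
++ hname=(char*)malloc( hlen + zlen + 1);
++ if( *zone == '.' )
++ sprintf(hname, "%s%s", hostname, zone);
++ else
++ sprintf(hname,"%s",zone);
++ }else
++ {
++ if( hname == 0 )
++ hname = strdup(hostname);
++ }
++ last = hname;
++ }
++ }else
++ { /* flags == DNS_TOP */
++ hname = strdup(zone);
++ last = hname;
++ }
++
++ for (tmp = strrchr (hname, '.'); tmp != (char *) 0;
++ tmp = strrchr (hname, '.'))
++ {
++ if( *( tmp + 1 ) != '\0' )
++ {
++ *tmp = '\0';
++ dn_buffer[i++] = ++tmp;
++ }else
++ { /* trailing '.' ! */
++ dn_buffer[i++] = strdup(".");
++ *tmp = '\0';
++ if( tmp == hname )
++ break;
++ }
++ }
++ if( ( last != hname ) && (tmp != hname) )
++ dn_buffer[i++] = hname;
++ dn_buffer[i++] = last;
+dn_buffer[i] = NULL;
+-
+return dn_buffer;
+}
+-
+/* build an sdb compatible LDAP DN from a "dc_list" (char **).
+* will append dNSTTL information to each RR Record, with the
+* exception of "@"/SOA. */
+char *
+-build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag)
++build_dn_from_dc_list (char **dc_list, unsigned int ttl, int flag, char *zone)
+{
+int size;
+- int x;
++ int x, znlen;
+static char dn[1024];
+char tmp[128];
++ char zn[DNS_NAME_MAXTEXT+1];
+bzero (tmp, sizeof (tmp));
+bzero (dn, sizeof (dn));
+size = get_attr_list_size (dc_list);
++ znlen = strlen(zone);
++ if ( *(zone + (znlen-1)) == '.' )
++ { /* ldapdb MUST search by relative zone name */
++ memcpy(&(zn[0]),zone,znlen-1);
++ *(zn + (znlen-1))='\0';
++ zone = zn;
++ }
+for (x = size - 2; x > 0; x--)
+{
+if (flag == WI_SPEC)
+{
+if (x == (size - 2) && (strncmp (dc_list[x], "@", 1) == 0) && (ttl))
+- sprintf (tmp, "relativeDomainName=%s + dNSTTL=%d,", dc_list[x], ttl);
++ sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
+else if (x == (size - 2))
+- sprintf(tmp, "relativeDomainName=%s,",dc_list[x]);
++ sprintf(tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x]);
+else
+sprintf(tmp,"dc=%s,", dc_list[x]);
+}
+@@ -683,6 +794,7 @@ void
+init_ldap_conn ()
+{
+int result;
++ char ldb_tag[]="LDAP Bind";
+conn = ldap_open (ldapsystem, LDAP_PORT);
+if (conn == NULL)
+{
+@@ -692,7 +804,7 @@ init_ldap_conn ()
+}
+result = ldap_simple_bind_s (conn, binddn, bindpw);
+- ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
++ ldap_result_check ("ldap_simple_bind_s", ldb_tag , result);
+}
+/* Like isc_result_check, only for LDAP */
+@@ -709,8 +821,6 @@ ldap_result_check (const char *msg, char
+}
+}
+-
+-
+/* For running the ldap_info run queue. */
+void
+add_ldap_values (ldap_info * ldinfo)
+@@ -718,14 +828,14 @@ add_ldap_values (ldap_info * ldinfo)
+int result;
+char dnbuffer[1024];
+-
+if (ldapbase != NULL)
+sprintf (dnbuffer, "%s,%s", ldinfo->dn, ldapbase);
+else
+sprintf (dnbuffer, "%s", ldinfo->dn);
+result = ldap_add_s (conn, dnbuffer, ldinfo->attrs);
+- ldap_result_check ("ldap_add_s", dnbuffer, result);
++ ldap_result_check ("ldap_add_s", dnbuffer, result);
++
+}
+@@ -736,7 +846,7 @@ void
+usage ()
+{
+fprintf (stderr,
+- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]\n"
++ "zone2ldap -D [BIND DN] [-w BIND PASSWORD | -W:prompt] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]\n"
+"\t[-c Create LDAP Base structure][-d Debug Output (lots !)]\n "
+);
+}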
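Review bot: The new zone handling in build_dn_from_dc_list writes the `-z` argument into fixed stack buffers with no length check: `char zn[DNS_NAME_MAXTEXT+1]` receives `memcpy(&(zn[0]),zone,znlen-1)` for any znlen, and the two new `sprintf (tmp, "zoneName=%s + relativeDomainName=%s,", zone, dc_list[x])` calls now put the full zone name plus a label into `char tmp[128]`, a buffer that was sized for the old `relativeDomainName=%s,` form, so a command-line zone name over ~100 bytes (anything up to DNS_NAME_MAXTEXT is legal) overruns tmp. Reject over-long input once, e.g. `if (znlen == 0 || znlen > DNS_NAME_MAXTEXT) { fprintf (stderr, "zone name too long\n"); exit (-1); }` before the memcpy, and switch the three sprintf calls to `snprintf (tmp, sizeof (tmp), ...)` (or size tmp from DNS_NAME_MAXTEXT); the pre-existing `sprintf (fullbasedn, "%s,%s", ctmp + 1, ldapbase)` into `char fullbasedn[1024]` with the `-b` value has the same shape and deserves the same treatment while this code is being touched. The body of build_dn_from_dc_list continues past the end of the hunk, so the strcat/return side is not visible here. The `-W` option reading the password with getpass() instead of from argv is a real improvement; the usage text could add that `-w` leaves the password visible to other users via ps, so `-W` should be preferred.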

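--- a/SOURCES/bind-9.3.2b2-sdbsrc.patch
+++ b/SOURCES/bind-9.3.2b2-sdbsrc.patch
@@ -0,0 +1,243 @@
+--- bind-9.3.2b2/contrib/sdb/ldap/zone2ldap.c.sdbsrc 2005-08-16 00:43:03.000000000 -0400
++++ bind-9.3.2b2/contrib/sdb/ldap/zone2ldap.c 2005-11-15 12:57:44.000000000 -0500
+@@ -59,16 +59,16 @@
+ldap_info;
+/* usage Info */
+-void usage ();
++void usage (void);
+/* Add to the ldap dit */
+void add_ldap_values (ldap_info * ldinfo);
+/* Init an ldap connection */
+-void init_ldap_conn ();
++void init_ldap_conn (void);
+/* Ldap error checking */
+-void ldap_result_check (char *msg, char *dn, int err);
++void ldap_result_check (const char *msg, char *dn, int err);
+/* Put a hostname into a char ** array */
+char **hostname_to_dn_list (char *hostname, char *zone, unsigned int flags);
+@@ -84,7 +84,7 @@
+unsigned int ttl, unsigned int flags);
+/* Error checking */
+-void isc_result_check (isc_result_t res, char *errorstr);
++void isc_result_check (isc_result_t res, const char *errorstr);
+/* Generate LDIF Format files */
+void generate_ldap (dns_name_t * dnsname, dns_rdata_t * rdata,
+@@ -93,11 +93,17 @@
+/* head pointer to the list */
+ldap_info *ldap_info_base = NULL;
++ldap_info *
++locate_by_dn (char *dn);
++void
++init_ldap_conn ();
++void usage();
++
+char *argzone, *ldapbase, *binddn, *bindpw = NULL;
+-char *ldapsystem = "localhost";
+-static char *objectClasses[] =
++const char *ldapsystem = "localhost";
++static const char *objectClasses[] =
+{ "top", "dNSZone", NULL };
+-static char *topObjectClasses[] = { "top", NULL };
++static const char *topObjectClasses[] = { "top", NULL };
+LDAP *conn;
+unsigned int debug = 0;
+@@ -106,7 +112,7 @@
+#endif
+int
+-main (int *argc, char **argv)
++main (int argc, char **argv)
+{
+isc_mem_t *mctx = NULL;
+isc_entropy_t *ectx = NULL;
+@@ -116,7 +122,7 @@
+LDAPMod *base_attrs[2];
+LDAPMod base;
+isc_buffer_t buff;
+- char *zonefile;
++ char *zonefile=0L;
+char fullbasedn[1024];
+char *ctmp;
+dns_fixedname_t fixedzone, fixedname;
+@@ -280,9 +286,9 @@
+if ((*ctmp == ',') || (ctmp == &basedn[0]))
+{
+base.mod_op = LDAP_MOD_ADD;
+- base.mod_type = "objectClass";
+- base.mod_values = topObjectClasses;
+- base_attrs[0] = &base;
++ base.mod_type = (char*)"objectClass";
++ base.mod_values = (char**)topObjectClasses;
++ base_attrs[0] = (void*)&base;
+base_attrs[1] = NULL;
+if (ldapbase)
+@@ -337,7 +343,7 @@
+* I should probably rename this function, as not to cause any
+* confusion with the isc* routines. Will exit on error. */
+void
+-isc_result_check (isc_result_t res, char *errorstr)
++isc_result_check (isc_result_t res, const char *errorstr)
+{
+if (res != ISC_R_SUCCESS)
+{
+@@ -449,7 +455,7 @@
+exit (-1);
+}
+- for (i = 0; i < flags; i++)
++ for (i = 0; i < (int)flags; i++)
+{
+tmp->attrs[i] = (LDAPMod *) malloc (sizeof (LDAPMod));
+if (tmp->attrs[i] == (LDAPMod *) NULL)
+@@ -459,13 +465,13 @@
+}
+}
+tmp->attrs[0]->mod_op = LDAP_MOD_ADD;
+- tmp->attrs[0]->mod_type = "objectClass";
++ tmp->attrs[0]->mod_type = (char*)"objectClass";
+if (flags == DNS_OBJECT)
+- tmp->attrs[0]->mod_values = objectClasses;
++ tmp->attrs[0]->mod_values = (char**)objectClasses;
+else
+{
+- tmp->attrs[0]->mod_values = topObjectClasses;
++ tmp->attrs[0]->mod_values = (char**)topObjectClasses;
+tmp->attrs[1] = NULL;
+tmp->attrcnt = 2;
+tmp->next = ldap_info_base;
+@@ -474,7 +480,7 @@
+}
+tmp->attrs[1]->mod_op = LDAP_MOD_ADD;
+- tmp->attrs[1]->mod_type = "relativeDomainName";
++ tmp->attrs[1]->mod_type = (char*)"relativeDomainName";
+tmp->attrs[1]->mod_values = (char **) calloc (sizeof (char *), 2);
+if (tmp->attrs[1]->mod_values == (char **)NULL)
+@@ -496,7 +502,7 @@
+tmp->attrs[2]->mod_values[1] = NULL;
+tmp->attrs[3]->mod_op = LDAP_MOD_ADD;
+- tmp->attrs[3]->mod_type = "dNSTTL";
++ tmp->attrs[3]->mod_type = (char*)"dNSTTL";
+tmp->attrs[3]->mod_values = (char **) calloc (sizeof (char *), 2);
+if (tmp->attrs[3]->mod_values == (char **)NULL)
+@@ -507,7 +513,7 @@
+tmp->attrs[3]->mod_values[1] = NULL;
+tmp->attrs[4]->mod_op = LDAP_MOD_ADD;
+- tmp->attrs[4]->mod_type = "zoneName";
++ tmp->attrs[4]->mod_type = (char*)"zoneName";
+tmp->attrs[4]->mod_values = (char **)calloc(sizeof(char *), 2);
+tmp->attrs[4]->mod_values[0] = gbl_zone;
+tmp->attrs[4]->mod_values[1] = NULL;
+@@ -607,7 +613,7 @@
+zname = ++tmp;
+}
+else
+- hnamebuff = "@";
++ hnamebuff = (char*)"@";
+}
+else
+{
+@@ -686,12 +692,12 @@
+}
+result = ldap_simple_bind_s (conn, binddn, bindpw);
+- ldap_result_check ("ldap_simple_bind_s", "LDAP Bind", result);
++ ldap_result_check ("ldap_simple_bind_s", (char*)"LDAP Bind", result);
+}
+/* Like isc_result_check, only for LDAP */
+void
+-ldap_result_check (char *msg, char *dn, int err)
++ldap_result_check (const char *msg, char *dn, int err)
+{
+if ((err != LDAP_SUCCESS) && (err != LDAP_ALREADY_EXISTS))
+{
+@@ -730,5 +736,8 @@
+usage ()
+{
+fprintf (stderr,
+- "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]
+- [-c Create LDAP Base structure][-d Debug Output (lots !)] \n ");}
++ "zone2ldap -D [BIND DN] -w [BIND PASSWORD] -b [BASE DN] -z [ZONE] -f [ZONE FILE] -h [LDAP HOST]\n"
++ "\t[-c Create LDAP Base structure][-d Debug Output (lots !)]\n "
++ );
++}
++
+--- bind-9.3.2b2/contrib/sdb/bdb/bdb.c.sdbsrc 2002-07-02 00:45:34.000000000 -0400
++++ bind-9.3.2b2/contrib/sdb/bdb/bdb.c 2005-11-15 12:57:44.000000000 -0500
+@@ -43,7 +43,7 @@
+#include <dns/lib.h>
+#include <dns/ttl.h>
+-#include <named/bdb.h>
++#include "bdb.h"
+#include <named/globals.h>
+#include <named/config.h>
+--- bind-9.3.2b2/contrib/sdb/pgsql/pgsqldb.c.sdbsrc 2004-03-08 04:04:22.000000000 -0500
++++ bind-9.3.2b2/contrib/sdb/pgsql/pgsqldb.c 2005-11-15 12:57:44.000000000 -0500
+@@ -23,7 +23,7 @@
+#include <string.h>
+#include <stdlib.h>
+-#include <pgsql/libpq-fe.h>
++#include <libpq-fe.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+--- bind-9.3.2b2/contrib/sdb/pgsql/zonetodb.c.sdbsrc 2005-09-05 22:12:40.000000000 -0400
++++ bind-9.3.2b2/contrib/sdb/pgsql/zonetodb.c 2005-11-15 12:58:12.000000000 -0500
+@@ -37,7 +37,7 @@
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+-#include <pgsql/libpq-fe.h>
++#include <libpq-fe.h>
+/*
+* Generate a PostgreSQL table from a zone.
+@@ -54,6 +54,9 @@
+char str[10240];
+void
++closeandexit(int status);
++
++void
+closeandexit(int status) {
+if (conn != NULL)
+PQfinish(conn);
+@@ -61,6 +64,9 @@
+}
+void
++check_result(isc_result_t result, const char *message);
++
++void
+check_result(isc_result_t result, const char *message) {
+if (result != ISC_R_SUCCESS) {
+fprintf(stderr, "%s: %s\n", message,
+@@ -84,7 +90,8 @@
+}
+*dest++ = 0;
+}
+-
++void
++addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata);
+void
+addrdata(dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata) {
+unsigned char namearray[DNS_NAME_MAXTEXT + 1];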

27
SOURCES/bind-9.5-PIE.patch

@ -0,0 +1,27 @@ @@ -0,0 +1,27 @@
--- bind-9.5.0b2/bin/named/Makefile.in.pie 2008-02-11 17:21:47.000000000 +0100
+++ bind-9.5.0b2/bin/named/Makefile.in 2008-02-11 17:22:10.000000000 +0100
@@ -100,8 +100,12 @@ HTMLPAGES = named.html lwresd.html named
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -fpie
+
@BIND9_MAKE_RULES@
+LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
+
main.@O@: main.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
-DVERSION=\"${VERSION}\" \
diff -up bind-9.5.0b2/bin/named/unix/Makefile.in.pie bind-9.5.0b2/bin/named/unix/Makefile.in
--- bind-9.5.0b2/bin/named/unix/Makefile.in.pie 2008-02-11 17:22:21.000000000 +0100
+++ bind-9.5.0b2/bin/named/unix/Makefile.in 2008-02-11 17:23:00.000000000 +0100
@@ -19,6 +19,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
+EXT_CFLAGS = -fpie
+
@BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
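Review bot: The PIE and RELRO/NOW/noexecstack flags are added only to bin/named/Makefile.in and bin/named/unix/Makefile.in, so the alternate servers this same commit builds from copies of that tree (named-sdb from bind-9.5-sdb.patch, named-pkcs11 from the dist-native-pkcs11 patch) appear to be linked without them unless another patch repeats the change; they face the same network input as named and should get the identical `EXT_CFLAGS`/`LDFLAGS` lines. `EXT_CFLAGS = -fpie` also replaces rather than extends whatever configure put in that variable; `EXT_CFLAGS += -fpie` keeps it. On ppc64 targets the small-model `-fpie` can overflow the GOT for a binary of named's size, whereas `-fPIE` is the conventional spelling and costs nothing on x86-64.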

70
SOURCES/bind-9.5-dlz-64bit.patch

@ -0,0 +1,70 @@ @@ -0,0 +1,70 @@
diff -up bind-9.9.0/contrib/dlz/config.dlz.in.64bit bind-9.9.0/contrib/dlz/config.dlz.in
--- bind-9.9.0/contrib/dlz/config.dlz.in.64bit 2011-11-05 06:14:28.000000000 +0100
+++ bind-9.9.0/contrib/dlz/config.dlz.in 2012-04-24 14:52:08.398511143 +0200
@@ -17,6 +17,13 @@
#
dlzdir='${DLZ_DRIVER_DIR}'
+AC_MSG_CHECKING([for target libdir])
+AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}],
+ [target_lib=lib64],
+ [target_lib=lib],
+)
+AC_MSG_RESULT(["$target_lib"])
+
#
# Private autoconf macro to simplify configuring drivers:
#
@@ -135,9 +142,9 @@ then
then
use_dlz_mysql=$d
mysql_include=$d/include/mysql
- if test -d $d/lib/mysql
+ if test -d $d/${target_lib}/mysql
then
- mysql_lib=$d/lib/mysql
+ mysql_lib=$d/${target_lib}/mysql
else
mysql_lib=$d/lib
fi
@@ -274,11 +281,11 @@ case "$use_dlz_bdb" in
bdb_libnames="db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
for d in $bdb_libnames
do
- if test -f "$dd/lib/lib${d}.so"
+ if test -f "$dd/${target_lib}/lib${d}.so"
then
if test "$dd" != "/usr"
then
- dlz_bdb_libs="-L${dd}/lib "
+ dlz_bdb_libs="-L${dd}/${target_lib} "
else
dlz_bdb_libs=""
fi
@@ -383,7 +390,7 @@ case "$use_dlz_ldap" in
*)
DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
[-I$use_dlz_ldap/include],
- [-L$use_dlz_ldap/lib -lldap -llber])
+ [-L$use_dlz_ldap/${target_lib} -lldap -llber])
AC_MSG_RESULT(
[using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
@@ -407,7 +414,7 @@ then
odbcdirs="/usr /usr/local /usr/pkg"
for d in $odbcdirs
do
- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
then
use_dlz_odbc=$d
break
@@ -427,7 +434,7 @@ case "$use_dlz_odbc" in
*)
DLZ_ADD_DRIVER(ODBC, dlz_odbc_driver,
[-I$use_dlz_odbc/include],
- [-L$use_dlz_odbc/lib -lodbc])
+ [-L$use_dlz_odbc/${target_lib} -lodbc])
AC_MSG_RESULT([using ODBC from $use_dlz_odbc])
;;
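Review bot: The new `AC_RUN_IFELSE` probe has no fourth (cross-compiling) action and its test program calls `exit()` without including `<stdlib.h>`, so configure aborts when cross-compiling and the implicit declaration is an error under recent compilers; write it as `AC_RUN_IFELSE([AC_LANG_PROGRAM([[#include <stdlib.h>]], [[exit((sizeof(void *) == 8) ? 0 : 1);]])], [target_lib=lib64], [target_lib=lib], [target_lib=lib])` and consider deriving `target_lib` from `$libdir` instead of a run test. The LDAP branch now links from `$use_dlz_ldap/${target_lib}` but the `AC_MSG_RESULT` a few lines later still reports `$use_dlz_ldap/lib`, which will mislead whoever reads the configure log; change it to `[using LDAP from $use_dlz_ldap/${target_lib} and $use_dlz_ldap/include]`. The MySQL fallback `mysql_lib=$d/lib` is left untouched, which may or may not be intended on a lib64-only host.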

270
SOURCES/bind-9.5-libidn.patch

@ -0,0 +1,270 @@ @@ -0,0 +1,270 @@
diff -up bind-9.7.0b1/bin/dig/dighost.c.libidn bind-9.7.0b1/bin/dig/dighost.c
--- bind-9.7.0b1/bin/dig/dighost.c.libidn 2009-09-16 01:48:09.000000000 +0200
+++ bind-9.7.0b1/bin/dig/dighost.c 2009-10-20 10:49:26.719056220 +0200
@@ -44,6 +44,11 @@
#include <idn/api.h>
#endif
+#ifdef WITH_LIBIDN
+#include <stringprep.h>
+#include <idna.h>
+#endif
+
#include <dns/byaddr.h>
#ifdef DIG_SIGCHASE
#include <dns/callbacks.h>
@@ -153,6 +158,14 @@ static void idn_check_result(idn_result
int idnoptions = 0;
#endif
+#ifdef WITH_LIBIDN
+static isc_result_t libidn_locale_to_utf8 (const char* from, char **to);
+static isc_result_t libidn_utf8_to_ascii (const char* from, char *to);
+static isc_result_t output_filter (isc_buffer_t *buffer,
+ unsigned int used_org,
+ isc_boolean_t absolute);
+#endif
+
/*%
* Exit Codes:
*
@@ -1184,6 +1197,9 @@ setup_system(void) {
dig_searchlist_t *domain = NULL;
lwres_result_t lwresult;
unsigned int lwresflags;
+#ifdef WITH_LIBIDN
+ isc_result_t result;
+#endif
debug("setup_system()");
@@ -1242,8 +1258,15 @@ setup_system(void) {
#ifdef WITH_IDN
initialize_idn();
+
+#endif
+#ifdef WITH_LIBIDN
+ result = dns_name_settotextfilter(output_filter);
+ check_result(result, "dns_name_settotextfilter");
+#ifdef HAVE_SETLOCALE
+ setlocale (LC_ALL, "");
+#endif
#endif
-
if (keyfile[0] != 0)
setup_file_key();
else if (keysecret[0] != 0)
@@ -1957,12 +1980,18 @@ setup_lookup(dig_lookup_t *lookup) {
idn_result_t mr;
char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
#endif
+#ifdef WITH_LIBIDN
+ char *utf8_str = NULL, utf8_name[MXNAME], ascii_name[MXNAME];
+#endif
#ifdef WITH_IDN
result = dns_name_settotextfilter(output_filter);
check_result(result, "dns_name_settotextfilter");
#endif
-
+#ifdef WITH_LIBIDN
+ result = dns_name_settotextfilter (output_filter);
+ check_result(result, "dns_name_settotextfilter");
+#endif
REQUIRE(lookup != NULL);
INSIST(!free_now);
@@ -1999,6 +2028,16 @@ setup_lookup(dig_lookup_t *lookup) {
mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname,
utf8_textname, sizeof(utf8_textname));
idn_check_result(mr, "convert textname to UTF-8");
+#elif defined (WITH_LIBIDN)
+ result = libidn_locale_to_utf8 (lookup->textname, &utf8_str);
+ check_result (result, "converting textname to UTF-8");
+ len = strlen (utf8_str);
+ if (len < MXNAME) {
+ (void) strcpy (utf8_name, utf8_str);
+ } else {
+ fatal ("Too long name");
+ }
+ isc_mem_free (mctx, utf8_str);
#endif
/*
@@ -2018,6 +2057,15 @@ setup_lookup(dig_lookup_t *lookup) {
lookup->origin = ISC_LIST_HEAD(search_list);
lookup->need_search = ISC_FALSE;
}
+#elif defined (WITH_LIBIDN)
+ if ((count_dots(utf8_name) >= ndots) || !usesearch) {
+ lookup->origin = NULL; /* Force abs lookup */
+ lookup->done_as_is = ISC_TRUE;
+ lookup->need_search = usesearch;
+ } else if (lookup->origin == NULL && usesearch) {
+ lookup->origin = ISC_LIST_HEAD(search_list);
+ lookup->need_search = ISC_FALSE;
+ }
#else
if ((count_dots(lookup->textname) >= ndots) || !usesearch) {
lookup->origin = NULL; /* Force abs lookup */
@@ -2044,6 +2092,20 @@ setup_lookup(dig_lookup_t *lookup) {
IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
idn_textname, sizeof(idn_textname));
idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
+#elif defined (WITH_LIBIDN)
+ if (lookup->origin != NULL) {
+ result = libidn_locale_to_utf8 (lookup->origin->origin, &utf8_str);
+ check_result (result, "convert origin to UTF-8");
+ if (len + strlen (utf8_str) + 1 < MXNAME) {
+ utf8_name[len++] = '.';
+ (void) strcpy (utf8_name + len, utf8_str);
+ } else {
+ fatal ("Too long name + origin");
+ }
+ isc_mem_free (mctx, utf8_str);
+ }
+
+ result = libidn_utf8_to_ascii (utf8_name, ascii_name);
#else
if (lookup->origin != NULL) {
debug("trying origin %s", lookup->origin->origin);
@@ -2099,6 +2161,13 @@ setup_lookup(dig_lookup_t *lookup) {
result = dns_name_fromtext(lookup->name, &b,
dns_rootname, 0,
&lookup->namebuf);
+#elif defined (WITH_LIBIDN)
+ len = strlen (ascii_name);
+ isc_buffer_init(&b, ascii_name, len);
+ isc_buffer_add(&b, len);
+ result = dns_name_fromtext(lookup->name, &b,
+ dns_rootname, 0,
+ &lookup->namebuf);
#else
len = strlen(lookup->textname);
isc_buffer_init(&b, lookup->textname, len);
@@ -3617,7 +3686,7 @@ destroy_libs(void) {
void * ptr;
dig_message_t *chase_msg;
#endif
-#ifdef WITH_IDN
+#if defined (WITH_IDN) || defined (WITH_LIBIDN)
isc_result_t result;
#endif
@@ -3656,6 +3725,10 @@ destroy_libs(void) {
result = dns_name_settotextfilter(NULL);
check_result(result, "dns_name_settotextfilter");
#endif
+#ifdef WITH_LIBIDN
+ result = dns_name_settotextfilter (NULL);
+ check_result(result, "clearing dns_name_settotextfilter");
+#endif
dns_name_destroy();
if (commctx != NULL) {
@@ -3834,6 +3907,79 @@ idn_check_result(idn_result_t r, const c
}
}
#endif /* WITH_IDN */
+#ifdef WITH_LIBIDN
+/* If stringprep_locale_to_utf8 fails simple copy string */
+static isc_result_t
+libidn_locale_to_utf8 (const char *from, char **to) {
+ char *utf8_str;
+
+ utf8_str = stringprep_locale_to_utf8 (from);
+ if (utf8_str == NULL) {
+ *to = isc_mem_allocate (mctx, strlen (from) + 1);
+ if (*to == NULL)
+ return (ISC_R_NOMEMORY);
+ (void) strcpy (*to, from);
+ } else {
+ *to = isc_mem_allocate (mctx, strlen (utf8_str) + 1);
+ if (*to == NULL)
+ return (ISC_R_NOMEMORY);
+ (void) strcpy (*to, utf8_str);
+ free (utf8_str);
+ }
+ return (ISC_R_SUCCESS);
+}
+static isc_result_t
+libidn_utf8_to_ascii (const char *from, char *to) {
+ char *ascii;
+
+ if (idna_to_ascii_8z (from, &ascii, 0) != IDNA_SUCCESS)
+ return (ISC_R_FAILURE);
+
+ (void) strcpy (to, ascii);
+ free (ascii);
+ return (ISC_R_SUCCESS);
+}
+/* based on idnkit's code*/
+static isc_result_t
+output_filter (isc_buffer_t *buffer, unsigned int used_org,
+ isc_boolean_t absolute) {
+ char tmp1[MXNAME], *tmp2;
+ size_t fromlen, tolen;
+ isc_boolean_t end_with_dot;
+
+ fromlen = isc_buffer_usedlength(buffer) - used_org;
+ if (fromlen >= MXNAME)
+ return (ISC_R_SUCCESS);
+ memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen);
+ end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE;
+ if (absolute && !end_with_dot) {
+ fromlen++;
+ if (fromlen >= MXNAME)
+ return (ISC_R_SUCCESS);
+ tmp1[fromlen - 1] = '.';
+ }
+ tmp1[fromlen] = '\0';
+
+ if (idna_to_unicode_lzlz (tmp1, &tmp2, 0) != IDNA_SUCCESS)
+ return (ISC_R_SUCCESS);
+
+ (void) strcpy (tmp1, tmp2);
+ free (tmp2);
+
+ tolen = strlen(tmp1);
+ if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
+ tolen--;
+
+ if (isc_buffer_length(buffer) < used_org + tolen)
+ return (ISC_R_NOSPACE);
+
+ isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org);
+ memcpy(isc_buffer_used(buffer), tmp1, tolen);
+ isc_buffer_add(buffer, tolen);
+
+ return (ISC_R_SUCCESS);
+}
+#endif /* WITH_LIBIDN*/
#ifdef DIG_SIGCHASE
void
diff -up bind-9.7.0b1/bin/dig/Makefile.in.libidn bind-9.7.0b1/bin/dig/Makefile.in
--- bind-9.7.0b1/bin/dig/Makefile.in.libidn 2009-09-22 10:47:55.000000000 +0200
+++ bind-9.7.0b1/bin/dig/Makefile.in 2009-10-20 10:50:06.201543709 +0200
@@ -46,10 +46,10 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS}
${LWRESDEPLIBS}
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
- ${ISCLIBS} @IDNLIBS@ @LIBS@
+ ${ISCLIBS} @IDNLIBS@ @LIBS@ -lidn
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
- ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
+ ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ -lidn
SUBDIRS =
@@ -67,6 +67,8 @@ HTMLPAGES = dig.html host.html nslookup.
MANOBJS = ${MANPAGES} ${HTMLPAGES}
+EXT_CFLAGS = -DWITH_LIBIDN
+
@BIND9_MAKE_RULES@
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
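Review bot: `output_filter` bounds only the input (`fromlen >= MXNAME` is rejected) and then does `(void) strcpy (tmp1, tmp2);` with the string returned by `idna_to_unicode_lzlz`, whose decoded form can be longer than the punycode it came from (a run of repeated non-ASCII characters costs roughly one punycode character each but three or four UTF-8 bytes), so a name near MXNAME taken from an untrusted response can overrun the stack buffer `tmp1`. Guard the copy: `if (strlen (tmp2) >= sizeof (tmp1)) { free (tmp2); return (ISC_R_SUCCESS); }` before the strcpy, which leaves the name undecoded instead of overflowing. `libidn_utf8_to_ascii` has the same shape (`strcpy (to, ascii)` into a caller buffer of MXNAME with no length check) and its return value is discarded at `result = libidn_utf8_to_ascii (utf8_name, ascii_name);`, so a failed conversion leaves `ascii_name` uninitialized for the `strlen (ascii_name)` that follows; add `check_result (result, "convert UTF-8 name to ASCII");` there. The enclosing setup_lookup starts and ends outside these hunks.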

221
SOURCES/bind-9.5-libidn2.patch

@ -0,0 +1,221 @@ @@ -0,0 +1,221 @@
diff -up bind-9.5.0b1/bin/dig/dighost.c.libidn2 bind-9.5.0b1/bin/dig/dighost.c
--- bind-9.5.0b1/bin/dig/dighost.c.libidn2 2007-12-10 13:12:26.000000000 +0100
+++ bind-9.5.0b1/bin/dig/dighost.c 2007-12-10 14:21:09.000000000 +0100
@@ -153,7 +153,7 @@ int idnoptions = 0;
#endif
#ifdef WITH_LIBIDN
-static isc_result_t libidn_locale_to_utf8 (const char* from, char **to);
+static isc_result_t libidn_locale_to_utf8 (const char* from, char *to);
static isc_result_t libidn_utf8_to_ascii (const char* from, char *to);
static isc_result_t output_filter (isc_buffer_t *buffer,
unsigned int used_org,
@@ -1764,17 +1764,13 @@ setup_lookup(dig_lookup_t *lookup) {
char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
#endif
#ifdef WITH_LIBIDN
- char *utf8_str = NULL, utf8_name[MXNAME], ascii_name[MXNAME];
+ char utf8_str[MXNAME], utf8_name[MXNAME], ascii_name[MXNAME];
#endif
-#ifdef WITH_IDN
+#if defined (WITH_IDN) || defined (WITH_LIBIDN)
result = dns_name_settotextfilter(output_filter);
check_result(result, "dns_name_settotextfilter");
#endif
-#ifdef WITH_LIBIDN
- result = dns_name_settotextfilter (output_filter);
- check_result(result, "dns_name_settotextfilter");
-#endif
REQUIRE(lookup != NULL);
INSIST(!free_now);
@@ -1812,15 +1808,13 @@ setup_lookup(dig_lookup_t *lookup) {
utf8_textname, sizeof(utf8_textname));
idn_check_result(mr, "convert textname to UTF-8");
#elif defined (WITH_LIBIDN)
- result = libidn_locale_to_utf8 (lookup->textname, &utf8_str);
- check_result (result, "converting textname to UTF-8");
+ result = libidn_locale_to_utf8 (lookup->textname, utf8_str);
+ check_result (result, "convert textname to UTF-8");
len = strlen (utf8_str);
- if (len < MXNAME) {
+ if (len < MXNAME)
(void) strcpy (utf8_name, utf8_str);
- } else {
+ else
fatal ("Too long name");
- }
- isc_mem_free (mctx, utf8_str);
#endif
/*
@@ -1833,24 +1827,11 @@ setup_lookup(dig_lookup_t *lookup) {
if (lookup->new_search) {
#ifdef WITH_IDN
if ((count_dots(utf8_textname) >= ndots) || !usesearch) {
- lookup->origin = NULL; /* Force abs lookup */
- lookup->done_as_is = ISC_TRUE;
- lookup->need_search = usesearch;
- } else if (lookup->origin == NULL && usesearch) {
- lookup->origin = ISC_LIST_HEAD(search_list);
- lookup->need_search = ISC_FALSE;
- }
#elif defined (WITH_LIBIDN)
if ((count_dots(utf8_name) >= ndots) || !usesearch) {
- lookup->origin = NULL; /* Force abs lookup */
- lookup->done_as_is = ISC_TRUE;
- lookup->need_search = usesearch;
- } else if (lookup->origin == NULL && usesearch) {
- lookup->origin = ISC_LIST_HEAD(search_list);
- lookup->need_search = ISC_FALSE;
- }
#else
if ((count_dots(lookup->textname) >= ndots) || !usesearch) {
+#endif
lookup->origin = NULL; /* Force abs lookup */
lookup->done_as_is = ISC_TRUE;
lookup->need_search = usesearch;
@@ -1858,7 +1839,6 @@ setup_lookup(dig_lookup_t *lookup) {
lookup->origin = ISC_LIST_HEAD(search_list);
lookup->need_search = ISC_FALSE;
}
-#endif
}
#ifdef WITH_IDN
@@ -1877,15 +1857,12 @@ setup_lookup(dig_lookup_t *lookup) {
idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
#elif defined (WITH_LIBIDN)
if (lookup->origin != NULL) {
- result = libidn_locale_to_utf8 (lookup->origin->origin, &utf8_str);
+ result = libidn_locale_to_utf8 (lookup->origin->origin, utf8_str);
check_result (result, "convert origin to UTF-8");
- if (len + strlen (utf8_str) + 1 < MXNAME) {
- utf8_name[len++] = '.';
+ if (len + strlen (utf8_str) < MXNAME)
(void) strcpy (utf8_name + len, utf8_str);
- } else {
+ else
fatal ("Too long name + origin");
- }
- isc_mem_free (mctx, utf8_str);
}
result = libidn_utf8_to_ascii (utf8_name, ascii_name);
@@ -3600,76 +3577,85 @@ idn_check_result(idn_result_t r, const c
}
#endif /* WITH_IDN */
#ifdef WITH_LIBIDN
-/* If stringprep_locale_to_utf8 fails simple copy string */
static isc_result_t
-libidn_locale_to_utf8 (const char *from, char **to) {
+libidn_locale_to_utf8 (const char *from, char *to) {
char *utf8_str;
+ debug ("libidn_locale_to_utf8");
utf8_str = stringprep_locale_to_utf8 (from);
- if (utf8_str == NULL) {
- *to = isc_mem_allocate (mctx, strlen (from) + 1);
- if (*to == NULL)
- return (ISC_R_NOMEMORY);
- (void) strcpy (*to, from);
- } else {
- *to = isc_mem_allocate (mctx, strlen (utf8_str) + 1);
- if (*to == NULL)
- return (ISC_R_NOMEMORY);
- (void) strcpy (*to, utf8_str);
+ if (utf8_str != NULL) {
+ (void) strcpy (to, utf8_str);
free (utf8_str);
+ return ISC_R_SUCCESS;
}
- return (ISC_R_SUCCESS);
+
+ debug ("libidn_locale_to_utf8: failure");
+ return ISC_R_FAILURE;
}
static isc_result_t
libidn_utf8_to_ascii (const char *from, char *to) {
char *ascii;
+ int iresult;
- if (idna_to_ascii_8z (from, &ascii, 0) != IDNA_SUCCESS)
- return (ISC_R_FAILURE);
+ debug ("libidn_utf8_to_ascii");
+ iresult = idna_to_ascii_8z (from, &ascii, 0);
+ if (iresult != IDNA_SUCCESS) {
+ debug ("idna_to_ascii_8z: %s", idna_strerror (iresult));
+ return ISC_R_FAILURE;
+ }
(void) strcpy (to, ascii);
free (ascii);
- return (ISC_R_SUCCESS);
+ return ISC_R_SUCCESS;
}
-/* based on idnkit's code*/
+
static isc_result_t
output_filter (isc_buffer_t *buffer, unsigned int used_org,
isc_boolean_t absolute) {
+
char tmp1[MXNAME], *tmp2;
size_t fromlen, tolen;
isc_boolean_t end_with_dot;
+ int iresult;
+
+ debug ("output_filter");
- fromlen = isc_buffer_usedlength(buffer) - used_org;
+ fromlen = isc_buffer_usedlength (buffer) - used_org;
if (fromlen >= MXNAME)
- return (ISC_R_SUCCESS);
- memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen);
+ return ISC_R_SUCCESS;
+ memcpy (tmp1, (char *) isc_buffer_base (buffer) + used_org, fromlen);
end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE;
if (absolute && !end_with_dot) {
fromlen++;
if (fromlen >= MXNAME)
- return (ISC_R_SUCCESS);
+ return ISC_R_SUCCESS;
tmp1[fromlen - 1] = '.';
}
tmp1[fromlen] = '\0';
- if (idna_to_unicode_lzlz (tmp1, &tmp2, 0) != IDNA_SUCCESS)
- return (ISC_R_SUCCESS);
+ iresult = idna_to_unicode_8z8z (tmp1, &tmp2, 0);
+ if (iresult != IDNA_SUCCESS) {
+ debug ("output_filter: %s", idna_strerror (iresult));
+ return ISC_R_SUCCESS;
+ }
(void) strcpy (tmp1, tmp2);
free (tmp2);
- tolen = strlen(tmp1);
+ tolen = strlen (tmp1);
if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
tolen--;
- if (isc_buffer_length(buffer) < used_org + tolen)
- return (ISC_R_NOSPACE);
+ if (isc_buffer_length (buffer) < used_org + tolen)
+ return ISC_R_NOSPACE;
+
+ debug ("%s", tmp1);
- isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org);
- memcpy(isc_buffer_used(buffer), tmp1, tolen);
- isc_buffer_add(buffer, tolen);
+ isc_buffer_subtract (buffer, isc_buffer_usedlength (buffer) - used_org);
+ memcpy (isc_buffer_used (buffer), tmp1, tolen);
+ isc_buffer_add (buffer, tolen);
- return (ISC_R_SUCCESS);
+ return ISC_R_SUCCESS;
}
#endif /* WITH_LIBIDN*/
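Review bot: The rewritten `libidn_locale_to_utf8` now copies with `(void) strcpy (to, utf8_str);` into the caller's MXNAME-sized `utf8_str` array with no length check, and locale-to-UTF-8 conversion can expand a single-byte-locale string, so add `if (strlen (utf8_str) >= MXNAME) { free (utf8_str); return ISC_R_FAILURE; }` ahead of the copy (the fixed-size contract should also be stated in a comment above the function, since the parameter no longer says how big `to` is). The result of `result = libidn_utf8_to_ascii (utf8_name, ascii_name);` is still never passed to check_result, so on IDNA failure `ascii_name` is used uninitialized by the code that follows outside this hunk; `check_result (result, "convert UTF-8 name to ASCII");` on the next line closes that. The unchecked `(void) strcpy (tmp1, tmp2);` after `idna_to_unicode_8z8z` in output_filter is carried over unchanged and has the same overflow potential as before. setup_lookup begins and ends outside the hunk.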

21
SOURCES/bind-9.5-libidn3.patch

@ -0,0 +1,21 @@ @@ -0,0 +1,21 @@
diff -up bind-9.5.0b1/bin/dig/dighost.c.libidn3 bind-9.5.0b1/bin/dig/dighost.c
--- bind-9.5.0b1/bin/dig/dighost.c.libidn3 2007-12-20 13:24:27.000000000 +0100
+++ bind-9.5.0b1/bin/dig/dighost.c 2007-12-20 13:27:10.000000000 +0100
@@ -1859,10 +1859,13 @@ setup_lookup(dig_lookup_t *lookup) {
if (lookup->origin != NULL) {
result = libidn_locale_to_utf8 (lookup->origin->origin, utf8_str);
check_result (result, "convert origin to UTF-8");
- if (len + strlen (utf8_str) < MXNAME)
- (void) strcpy (utf8_name + len, utf8_str);
- else
- fatal ("Too long name + origin");
+ if (len > 0 && utf8_name[len - 1] != '.') {
+ utf8_name[len++] = '.';
+ if (len + strlen (utf8_str) < MXNAME)
+ (void) strcpy (utf8_name + len, utf8_str);
+ else
+ fatal ("Too long name + origin");
+ }
}
result = libidn_utf8_to_ascii (utf8_name, ascii_name);
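Review bot: The `len > 0 && utf8_name[len - 1] != '.'` test is applied only after `libidn_locale_to_utf8` and its check_result have already run on `lookup->origin->origin`, and when `len == 0` the origin is silently discarded so the lookup continues with an empty name rather than the search domain itself, assuming an empty textname can reach this point. Hoisting the test into the outer condition, `if (lookup->origin != NULL && len > 0 && utf8_name[len - 1] != '.') {`, avoids the needless conversion; the empty-name case deserves either an explicit `(void) strcpy (utf8_name, utf8_str);` branch or a one-line comment saying why it is intentionally skipped. The enclosing setup_lookup starts and ends outside the hunk.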

14
SOURCES/bind-9.5-parallel-build.patch

@ -0,0 +1,14 @@ @@ -0,0 +1,14 @@
diff -up bind-9.5.0b1/lib/dns/Makefile.in.parallel bind-9.5.0b1/lib/dns/Makefile.in
--- bind-9.5.0b1/lib/dns/Makefile.in.parallel 2008-01-17 18:27:38.000000000 +0100
+++ bind-9.5.0b1/lib/dns/Makefile.in 2008-01-17 18:27:45.000000000 +0100
@@ -19,10 +19,6 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
-
@BIND9_VERSION@
@LIBDNS_API@

102
SOURCES/bind-9.5-sdb-sqlite-bld.patch

@ -0,0 +1,102 @@ @@ -0,0 +1,102 @@
diff -up bind-9.8.1rc1/bin/named-sdb/main.c.sdb-sqlite-bld bind-9.8.1rc1/bin/named-sdb/main.c
--- bind-9.8.1rc1/bin/named-sdb/main.c.sdb-sqlite-bld 2011-08-31 14:41:15.646020840 +0200
+++ bind-9.8.1rc1/bin/named-sdb/main.c 2011-08-31 14:41:35.132019452 +0200
@@ -85,6 +85,7 @@
/* #include "xxdb.h" */
#include "ldapdb.h"
#include "pgsqldb.h"
+#include "sqlitedb.h"
#include "dirdb.h"
#ifdef CONTRIB_DLZ
@@ -792,6 +793,7 @@ setup(void) {
ldapdb_clear();
pgsqldb_clear();
+ sqlitedb_clear();
dirdb_clear();
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
@@ -921,6 +923,23 @@ setup(void) {
ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded."
);
+ result = sqlitedb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB sqlite3 module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB sqlite3 zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB sqlite3 DB zone database module loaded."
+ );
+
result = dirdb_init();
if (result != ISC_R_SUCCESS)
{
@@ -971,6 +990,7 @@ cleanup(void) {
ldapdb_clear();
pgsqldb_clear();
+ sqlitedb_clear();
dirdb_clear();
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
diff -up bind-9.8.1rc1/bin/named-sdb/Makefile.in.sdb-sqlite-bld bind-9.8.1rc1/bin/named-sdb/Makefile.in
--- bind-9.8.1rc1/bin/named-sdb/Makefile.in.sdb-sqlite-bld 2011-08-31 14:41:15.646020840 +0200
+++ bind-9.8.1rc1/bin/named-sdb/Makefile.in 2011-08-31 14:41:15.658020839 +0200
@@ -28,10 +28,10 @@ top_srcdir = @top_srcdir@
#
# Add database drivers here.
#
-DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ dirdb.@O@
-DBDRIVER_SRCS = ldapdb.c pgsqldb.c dirdb.c
+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ sqlitedb.@O@ dirdb.@O@
+DBDRIVER_SRCS = ldapdb.c pgsqldb.c sqlitedb.c dirdb.c
DBDRIVER_INCLUDES =
-DBDRIVER_LIBS = -lldap -llber -lpq
+DBDRIVER_LIBS = -lldap -llber -lpq -lsqlite3
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
diff -up bind-9.8.1rc1/bin/sdb_tools/Makefile.in.sdb-sqlite-bld bind-9.8.1rc1/bin/sdb_tools/Makefile.in
--- bind-9.8.1rc1/bin/sdb_tools/Makefile.in.sdb-sqlite-bld 2011-08-31 14:41:15.651020840 +0200
+++ bind-9.8.1rc1/bin/sdb_tools/Makefile.in 2011-08-31 14:41:15.658020839 +0200
@@ -32,11 +32,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS}
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@
+TARGETS = zone2ldap@EXEEXT@ ldap2zone@EXEEXT@ zonetodb@EXEEXT@ zone2sqlite@EXEEXT@
-OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@
+OBJS = zone2ldap.@O@ ldap2zone.@O@ zonetodb.@O@ zone2sqlite.@O@
-SRCS = zone2ldap.c ldap2zone.c zonetodb.c
+SRCS = zone2ldap.c ldap2zone.c zonetodb.c zone2sqlite.c
MANPAGES = zone2ldap.1
@@ -50,6 +50,9 @@ zone2ldap@EXEEXT@: zone2ldap.@O@ ${DEPLI
zonetodb@EXEEXT@: zonetodb.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ zonetodb.@O@ -lpq ${LIBS}
+zone2sqlite@EXEEXT@: zone2sqlite.@O@ ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ zone2sqlite.@O@ -lsqlite3 -lssl ${LIBS}
+
ldap2zone@EXEEXT@: ldap2zone.@O@ ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ldap2zone.@O@ -lldap -llber ${LIBS}
@@ -64,4 +67,5 @@ install:: ${TARGETS} installdirs
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2ldap@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ldap2zone@EXEEXT@ ${DESTDIR}${sbindir}
${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zonetodb@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} zone2sqlite@EXEEXT@ ${DESTDIR}${sbindir}
${INSTALL_DATA} ${srcdir}/zone2ldap.1 ${DESTDIR}${mandir}/man1/zone2ldap.1
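Review bot: The new `zone2sqlite` link rule hard-codes `-lssl` alongside `-lsqlite3`, bypassing the OpenSSL library detection configure already performs for the rest of the tree; nothing in this patch shows zone2sqlite using OpenSSL directly, so either drop `-lssl` or use the configure-substituted crypto libs so the tool is not bound to whatever libssl happens to be first on the default library path. The rule also differs from the neighbouring `zonetodb` line in using `${ALL_CFLAGS}` rather than `${CFLAGS}`; pick one form for all four tools. In main.c the `sqlitedb_init` failure path logs and continues like the other drivers, which is consistent, but the message could name the `database "sqlite"` zone option so the later zone-load failure is easy to connect to it.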

239
SOURCES/bind-9.5-sdb.patch

@ -0,0 +1,239 @@ @@ -0,0 +1,239 @@
diff --git a/bin/Makefile.in b/bin/Makefile.in
index 187ec23..e6179e7 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -19,8 +19,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named named-pkcs11 rndc dig dnssec dnssec-pkcs11 tools tests nsupdate \
- check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
+SUBDIRS = named named-pkcs11 named-sdb rndc dig dnssec dnssec-pkcs11 tools tests nsupdate \
+ check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/bin/named-sdb/Makefile.in b/bin/named-sdb/Makefile.in
index bc5be2a..71324d9 100644
--- a/bin/named-sdb/Makefile.in
+++ b/bin/named-sdb/Makefile.in
@@ -34,10 +34,10 @@ top_srcdir = @top_srcdir@
#
# Add database drivers here.
#
-DBDRIVER_OBJS =
-DBDRIVER_SRCS =
+DBDRIVER_OBJS = ldapdb.@O@ pgsqldb.@O@ dirdb.@O@
+DBDRIVER_SRCS = ldapdb.c pgsqldb.c dirdb.c
DBDRIVER_INCLUDES =
-DBDRIVER_LIBS =
+DBDRIVER_LIBS = -lldap -llber -lpq
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
@@ -83,7 +83,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named-sdb@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
@@ -146,7 +146,7 @@ config.@O@: config.c bind.keys.h
-DNS_SYSCONFDIR=\"${sysconfdir}\" \
-c ${srcdir}/config.c
-named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
+named-sdb@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -177,15 +177,9 @@ statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
+
+install:: named-sdb@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb@EXEEXT@ ${DESTDIR}${sbindir}
@DLZ_DRIVER_RULES@
diff --git a/bin/named-sdb/main.c b/bin/named-sdb/main.c
index a00687f..4fba625 100644
--- a/bin/named-sdb/main.c
+++ b/bin/named-sdb/main.c
@@ -86,6 +86,9 @@
* Include header files for database drivers here.
*/
/* #include "xxdb.h" */
+#include "ldapdb.h"
+#include "pgsqldb.h"
+#include "dirdb.h"
#ifdef CONTRIB_DLZ
/*
@@ -817,6 +820,10 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
+ ldapdb_clear();
+ pgsqldb_clear();
+ dirdb_clear();
+
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "starting %s %s%s", ns_g_product,
ns_g_version, saved_command_line);
@@ -929,6 +936,57 @@ setup(void) {
isc_result_totext(result));
#endif
+ result = ldapdb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB ldap module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB ldap zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB ldap zone database module loaded."
+ );
+
+ result = pgsqldb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB pgsql module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB pgsql zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB postgreSQL DB zone database module loaded."
+ );
+
+ result = dirdb_init();
+ if (result != ISC_R_SUCCESS)
+ {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB directory DB module initialisation failed: %s.",
+ isc_result_totext(result)
+ );
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_ERROR,
+ "SDB directory DB zone database will be unavailable."
+ );
+ }else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "SDB directory DB zone database module loaded."
+ );
+
ns_server_create(ns_g_mctx, &ns_g_server);
}
@@ -960,6 +1018,10 @@ cleanup(void) {
dns_name_destroy();
+ ldapdb_clear();
+ pgsqldb_clear();
+ dirdb_clear();
+
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "exiting");
ns_log_shutdown();
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index bc5be2a..3c69c9b 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -51,7 +51,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
+CDEFINES = @CRYPTO@
CWARNINGS =
@@ -75,11 +75,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
SUBDIRS = unix
@@ -94,8 +94,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -110,8 +109,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -187,7 +185,5 @@ install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
-@DLZ_DRIVER_RULES@
-
named-symtbl.@O@: named-symtbl.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
diff --git a/configure.in b/configure.in
index 9bb9a2a..d72093f 100644
--- a/configure.in
+++ b/configure.in
@@ -4018,12 +4018,15 @@ AC_CONFIG_FILES([
bin/named-pkcs11/Makefile
bin/named-pkcs11/unix/Makefile
bin/named/unix/Makefile
+ bin/named-sdb/Makefile
+ bin/named-sdb/unix/Makefile
bin/nsupdate/Makefile
bin/pkcs11/Makefile
bin/python/Makefile
bin/python/dnssec-checkds.py
bin/python/dnssec-coverage.py
bin/rndc/Makefile
+ bin/sdb_tools/Makefile
bin/tests/Makefile
bin/tests/atomic/Makefile
bin/tests/db/Makefile
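Review bot: The bin/named/Makefile.in hunk removes `@CONTRIB_DLZ@` from CDEFINES and drops `${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}`, `${DLZDRIVER_LIBS}` and `@DLZ_DRIVER_RULES@` from the stock named, so an existing configuration that relies on compiled-in contrib DLZ drivers (guarded by `#ifdef CONTRIB_DLZ` in main.c) will no longer work with `named` and only the dlopen driver in UOBJS remains; that is a user-visible change and should be stated in the patch header or commit message, pointing users at `named-sdb`. In named-sdb/main.c the three `*_init()` failure paths log two ERROR lines each and continue, which is fine, but they would be more actionable if the second line named the zone option involved, e.g. "zones using database \"ldap\" will fail to load". The `ldapdb_clear(); pgsqldb_clear(); dirdb_clear();` calls placed in setup() before the corresponding `_init()` are presumably resets of static state; a short comment saying so would stop the next reader from treating them as misplaced cleanup.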

1727
SOURCES/bind-9.9-allow_external_dnskey.patch


740
SOURCES/bind-9.9-dist-native-pkcs11.patch

@ -0,0 +1,740 @@ @@ -0,0 +1,740 @@
diff --git a/bin/Makefile.in b/bin/Makefile.in
index 87ca5b2..187ec23 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -19,7 +19,7 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
-SUBDIRS = named rndc dig dnssec tools tests nsupdate \
+SUBDIRS = named named-pkcs11 rndc dig dnssec dnssec-pkcs11 tools tests nsupdate \
check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
TARGETS =
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
index 64e1846..7846662 100644
--- a/bin/dnssec-pkcs11/Makefile.in
+++ b/bin/dnssec-pkcs11/Makefile.in
@@ -23,18 +23,18 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
- @CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+ @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_PK11_LIBS@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
+ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
@@ -43,10 +43,10 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
- dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
- dnssec-revoke@EXEEXT@ dnssec-settime@EXEEXT@ \
- dnssec-verify@EXEEXT@ dnssec-importkey@EXEEXT@
+TARGETS = dnssec-keygen-pkcs11@EXEEXT@ dnssec-signzone-pkcs11@EXEEXT@ \
+ dnssec-keyfromlabel-pkcs11@EXEEXT@ dnssec-dsfromkey-pkcs11@EXEEXT@ \
+ dnssec-revoke-pkcs11@EXEEXT@ dnssec-settime-pkcs11@EXEEXT@ \
+ dnssec-verify-pkcs11@EXEEXT@ dnssec-importkey-pkcs11@EXEEXT@
OBJS = dnssectool.@O@
@@ -67,15 +67,15 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -83,7 +83,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-signzone.c
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
${FINALBUILDCMD}
@@ -91,19 +91,19 @@ dnssec-verify.@O@: dnssec-verify.c
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
-c ${srcdir}/dnssec-verify.c
-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
${FINALBUILDCMD}
-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-revoke.@O@ ${OBJS} ${LIBS}
-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-settime.@O@ ${OBJS} ${LIBS}
-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
dnssec-importkey.@O@ ${OBJS} ${LIBS}
@@ -114,11 +114,9 @@ docclean manclean maintainer-clean::
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
clean distclean::
rm -f ${TARGETS}
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 64e1846..cfb5628 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -25,7 +25,7 @@ top_srcdir = @top_srcdir@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
-CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+CDEFINES = -DVERSION=\"${VERSION}\" \
@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS =
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
index 8b9e87a..5b7d939 100644
--- a/bin/named-pkcs11/Makefile.in
+++ b/bin/named-pkcs11/Makefile.in
@@ -45,26 +45,26 @@ DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+ ${LWRES_INCLUDES} ${DNS_PKCS11_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_PKCS11_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO_PK11@
CWARNINGS =
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
@@ -73,15 +73,15 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCNOSYMLIBS} \
- ${DLZDRIVER_LIBS} ${DBDRIVER_LIBS} @LIBS@
+ @LIBS@
SUBDIRS = unix
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+TARGETS = named-pkcs11@EXEEXT@
GEOIPLINKOBJS = geoip.@O@
@@ -92,8 +92,7 @@ OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \
tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
zoneconf.@O@ \
lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
- ${DLZDRIVER_OBJS} ${DBDRIVER_OBJS}
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@
UOBJS = unix/os.@O@ unix/dlz_dlopen_driver.@O@
@@ -108,8 +107,7 @@ SRCS = builtin.c client.c config.c control.c \
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
- ${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c
MANPAGES = named.8 lwresd.8 named.conf.5
@@ -145,7 +143,7 @@ config.@O@: config.c bind.keys.h
-DNS_SYSCONFDIR=\"${sysconfdir}\" \
-c ${srcdir}/config.c
-named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
+named-pkcs11@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
@@ -176,15 +174,9 @@ statschannel.@O@: bind9.xsl.h bind9.ver3.xsl.h
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
+
+install:: named-pkcs11@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
@DLZ_DRIVER_RULES@
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 8b9e87a..5ba3f56 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -49,7 +49,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
-CDEFINES = @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES = @CONTRIB_DLZ@ @CRYPTO@
CWARNINGS =
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index 15d3fb5..32cc753 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -20,13 +20,13 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@
-CINCLUDES = ${ISC_INCLUDES}
+CINCLUDES = ${ISC_PKCS11_INCLUDES}
CDEFINES =
-ISCLIBS = ../../lib/isc/libisc.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
DEPLIBS = ${ISCDEPLIBS}
diff --git a/configure.in b/configure.in
index 5c79d6d..6c08de9 100644
--- a/configure.in
+++ b/configure.in
@@ -659,10 +659,10 @@ AC_ARG_WITH(pkcs11,
openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
if test "$use_openssl" = "auto"
then
- if test "$want_native_pkcs11" = "yes"
- then
- use_openssl="native_pkcs11"
- else
+# if test "$want_native_pkcs11" = "yes"
+# then
+# use_openssl="native_pkcs11"
+# else
for d in $openssldirs
do
if test -f $d/include/openssl/opensslv.h
@@ -671,7 +671,7 @@ then
break
fi
done
- fi
+# fi
fi
OPENSSL_ECDSA=""
OPENSSL_GOST=""
@@ -730,11 +730,11 @@ case "$use_openssl" in
If you don't want OpenSSL, use --without-openssl])
;;
*)
- if test "$want_native_pkcs11" = "yes"
- then
- AC_MSG_RESULT()
- AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
- fi
+# if test "$want_native_pkcs11" = "yes"
+# then
+# AC_MSG_RESULT()
+# AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
+# fi
if test "$use_openssl" = "yes"
then
# User did not specify a path - guess it
@@ -1014,6 +1014,7 @@ AC_SUBST(OPENSSL_ECDSA)
AC_SUBST(OPENSSL_GOST)
DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"
#
# Use OpenSSL for hash functions
@@ -1195,7 +1196,7 @@ case "$use_pkcs11" in
esac
AC_SUBST(PKCS11_PROVIDER)
-
+CRYPTO_PK11=""
PKCS11_ECDSA=""
PKCS11_GOST=""
AC_MSG_CHECKING(for native PKCS11)
@@ -1203,7 +1204,7 @@ AC_MSG_CHECKING(for native PKCS11)
case "$want_native_pkcs11" in
yes)
AC_MSG_RESULT(using native PKCS11 crypto)
- CRYPTO="-DPKCS11CRYPTO"
+ CRYPTO_PK11="-DPKCS11CRYPTO"
PKCS11LINKOBJS='${PKCS11LINKOBJS}'
PKCS11LINKSRCS='${PKCS11LINKSRCS}'
PKCS11_TEST=pkcs11
@@ -1240,6 +1241,7 @@ esac
AC_SUBST(PKCS11LINKOBJS)
AC_SUBST(PKCS11LINKSRCS)
AC_SUBST(CRYPTO)
+AC_SUBST(CRYPTO_PK11)
AC_SUBST(PKCS11_ECDSA)
AC_SUBST(PKCS11_GOST)
AC_SUBST(PKCS11_TEST)
@@ -1531,12 +1533,13 @@ AC_SUBST(USE_GSSAPI)
AC_SUBST(DST_GSSAPI_INC)
AC_SUBST(DNS_GSSAPI_LIBS)
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
-
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
#
# Applications linking with libdns also need to link with these libraries.
#
AC_SUBST(DNS_CRYPTO_LIBS)
+AC_SUBST(DNS_CRYPTO_PK11_LIBS)
#
# was --with-randomdev specified?
@@ -4014,7 +4017,10 @@ AC_CONFIG_FILES([
bin/confgen/unix/Makefile
bin/dig/Makefile
bin/dnssec/Makefile
+ bin/dnssec-pkcs11/Makefile
bin/named/Makefile
+ bin/named-pkcs11/Makefile
+ bin/named-pkcs11/unix/Makefile
bin/named/unix/Makefile
bin/nsupdate/Makefile
bin/pkcs11/Makefile
@@ -4097,11 +4103,19 @@ AC_CONFIG_FILES([
lib/dns/include/dns/Makefile
lib/dns/include/dst/Makefile
lib/dns/tests/Makefile
+ lib/dns-pkcs11/Makefile
+ lib/dns-pkcs11/include/Makefile
+ lib/dns-pkcs11/include/dns/Makefile
+ lib/dns-pkcs11/include/dst/Makefile
lib/export/Makefile
lib/export/dns/Makefile
lib/export/dns/include/Makefile
lib/export/dns/include/dns/Makefile
lib/export/dns/include/dst/Makefile
+ lib/export/dns-pkcs11/Makefile
+ lib/export/dns-pkcs11/include/Makefile
+ lib/export/dns-pkcs11/include/dns/Makefile
+ lib/export/dns-pkcs11/include/dst/Makefile
lib/export/irs/Makefile
lib/export/irs/include/Makefile
lib/export/irs/include/irs/Makefile
@@ -4115,6 +4129,16 @@ AC_CONFIG_FILES([
lib/export/isc/unix/Makefile
lib/export/isc/unix/include/Makefile
lib/export/isc/unix/include/isc/Makefile
+ lib/export/isc-pkcs11/$thread_dir/Makefile
+ lib/export/isc-pkcs11/$thread_dir/include/Makefile
+ lib/export/isc-pkcs11/$thread_dir/include/isc/Makefile
+ lib/export/isc-pkcs11/Makefile
+ lib/export/isc-pkcs11/include/Makefile
+ lib/export/isc-pkcs11/include/isc/Makefile
+ lib/export/isc-pkcs11/nls/Makefile
+ lib/export/isc-pkcs11/unix/Makefile
+ lib/export/isc-pkcs11/unix/include/Makefile
+ lib/export/isc-pkcs11/unix/include/isc/Makefile
lib/export/isccfg/Makefile
lib/export/isccfg/include/Makefile
lib/export/isccfg/include/isccfg/Makefile
@@ -4143,6 +4167,24 @@ AC_CONFIG_FILES([
lib/isc/unix/include/Makefile
lib/isc/unix/include/isc/Makefile
lib/isc/unix/include/pkcs11/Makefile
+ lib/isc-pkcs11/$arch/Makefile
+ lib/isc-pkcs11/$arch/include/Makefile
+ lib/isc-pkcs11/$arch/include/isc/Makefile
+ lib/isc-pkcs11/$thread_dir/Makefile
+ lib/isc-pkcs11/$thread_dir/include/Makefile
+ lib/isc-pkcs11/$thread_dir/include/isc/Makefile
+ lib/isc-pkcs11/Makefile
+ lib/isc-pkcs11/include/Makefile
+ lib/isc-pkcs11/include/isc/Makefile
+ lib/isc-pkcs11/include/isc/platform.h
+ lib/isc-pkcs11/include/pk11/Makefile
+ lib/isc-pkcs11/include/pkcs11/Makefile
+ lib/isc-pkcs11/tests/Makefile
+ lib/isc-pkcs11/nls/Makefile
+ lib/isc-pkcs11/unix/Makefile
+ lib/isc-pkcs11/unix/include/Makefile
+ lib/isc-pkcs11/unix/include/isc/Makefile
+ lib/isc-pkcs11/unix/include/pkcs11/Makefile
lib/isccc/Makefile
lib/isccc/include/Makefile
lib/isccc/include/isccc/Makefile
diff --git a/lib/Makefile.in b/lib/Makefile.in
index 8dc1d38..8e48d5e 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -23,7 +23,7 @@ top_srcdir = @top_srcdir@
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
-SUBDIRS = isc isccc dns isccfg bind9 lwres tests
+SUBDIRS = isc isccc dns isccfg bind9 lwres tests isc-pkcs11 dns-pkcs11
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
index ae316c5..1a79768 100644
--- a/lib/dns-pkcs11/Makefile.in
+++ b/lib/dns-pkcs11/Makefile.in
@@ -27,16 +27,16 @@ top_srcdir = @top_srcdir@
USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_PKCS11_INCLUDES} \
@DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@ ${USE_ISC_SPNEGO}
CWARNINGS =
-ISCLIBS = ../../lib/isc/libisc.@A@
+ISCLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCDEPLIBS = ../../lib/isc-pkcs11/libisc-pkcs11.@A@
LIBS = @LIBS@
@@ -131,24 +131,24 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libdns.@SA@: ${OBJS}
+libdns-pkcs11.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libdns.la: ${OBJS}
+libdns-pkcs11.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
-timestamp: libdns.@A@
+timestamp: libdns-pkcs11.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
clean distclean::
rm -f libdns.@A@ timestamp
@@ -181,7 +181,7 @@ code.h: gen
./gen -s ${srcdir} > code.h
gen: gen.c
- ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
+ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc-pkcs11/include \
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
rbtdb64.@O@: rbtdb.c
diff --git a/lib/export/Makefile.in b/lib/export/Makefile.in
index 1fd7216..a8a1342 100644
--- a/lib/export/Makefile.in
+++ b/lib/export/Makefile.in
@@ -21,7 +21,7 @@ top_srcdir = @top_srcdir@
# Attempt to disable parallel processing.
.NOTPARALLEL:
.NO_PARALLEL:
-SUBDIRS = isc dns isccfg irs samples
+SUBDIRS = isc dns isccfg irs samples isc-pkcs11 dns-pkcs11
TARGETS =
@BIND9_MAKE_RULES@
diff --git a/lib/export/dns-pkcs11/Makefile.in b/lib/export/dns-pkcs11/Makefile.in
index 887acb9..0f8abd3 100644
--- a/lib/export/dns-pkcs11/Makefile.in
+++ b/lib/export/dns-pkcs11/Makefile.in
@@ -15,7 +15,7 @@
# $Id$
top_srcdir = @top_srcdir@
-srcdir = @top_srcdir@/lib/dns
+srcdir = @top_srcdir@/lib/dns-pkcs11
export_srcdir = @top_srcdir@/lib/export
# Attempt to disable parallel processing.
@@ -28,16 +28,16 @@ export_srcdir = @top_srcdir@/lib/export
@BIND9_MAKE_INCLUDES@
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} -I${export_srcdir}/isc/include \
- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} -I${export_srcdir}/isc-pkcs11/include \
+ ${ISC_PKCS11_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DUSE_MD5 @CRYPTO@ @USE_GSSAPI@
+CDEFINES = -DUSE_MD5 @CRYPTO_PK11@ @USE_GSSAPI@
CWARNINGS =
-ISCLIBS = ../isc/libisc-export.@A@
+ISCLIBS = ../isc-pkcs11/libisc-pkcs11-export.@A@
-ISCDEPLIBS = ../isc/libisc-export.@A@
+ISCDEPLIBS = ../isc-pkcs11/libisc-pkcs11-export.@A@
LIBS = @LIBS@
@@ -118,29 +118,29 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libdns-export.@SA@: ${OBJS}
+libdns-pkcs11-export.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libdns-export.la: ${OBJS}
+libdns-pkcs11-export.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
-timestamp: libdns-export.@A@
+timestamp: libdns-pkcs11-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-pkcs11-export.@A@ \
${DESTDIR}${export_libdir}/
clean distclean::
- rm -f libdns-export.@A@ timestamp
+ rm -f libdns-pkcs11-export.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
diff --git a/lib/export/isc-pkcs11/Makefile.in b/lib/export/isc-pkcs11/Makefile.in
index 4f4a9f7..f8224e7 100644
--- a/lib/export/isc-pkcs11/Makefile.in
+++ b/lib/export/isc-pkcs11/Makefile.in
@@ -15,7 +15,7 @@
# $Id: Makefile.in,v 1.8 2010/06/09 23:50:58 tbox Exp $
top_srcdir = @top_srcdir@
-srcdir = @top_srcdir@/lib/isc
+srcdir = @top_srcdir@/lib/isc-pkcs11
export_srcdir = @top_srcdir@/lib/export
@BIND9_VERSION@
@@ -25,9 +25,9 @@ export_srcdir = @top_srcdir@/lib/export
CINCLUDES = -I${srcdir}/unix/include \
-I${srcdir}/@ISC_THREAD_DIR@/include \
-I${srcdir}/@ISC_ARCH_DIR@/include \
- -I${export_srcdir}/isc/include -I${srcdir}/include \
+ -I${export_srcdir}/isc-pkcs11/include -I${srcdir}/include \
@ISC_OPENSSL_INC@
-CDEFINES = @CRYPTO@ -DUSE_APPIMPREGISTER -DUSE_MEMIMPREGISTER \
+CDEFINES = @CRYPTO_PK11@ -DUSE_APPIMPREGISTER -DUSE_MEMIMPREGISTER \
-DUSE_SOCKETIMPREGISTER -DUSE_TASKIMPREGISTER \
-DUSE_TIMERIMPREGISTER
CWARNINGS =
@@ -119,26 +119,26 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libisc-export.@SA@: ${OBJS}
+libisc-pkcs11-export.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisc-export.la: ${OBJS}
+libisc-pkcs11-export.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS}
-timestamp: libisc-export.@A@
+timestamp: libisc-pkcs11-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-pkcs11-export.@A@ \
${DESTDIR}${export_libdir}
clean distclean::
- rm -f libisc-export.@A@ libisc-export.la timestamp
+ rm -f libisc-pkcs11-export.@A@ libisc-pkcs11-export.la timestamp
diff --git a/lib/isc-pkcs11/Makefile.in b/lib/isc-pkcs11/Makefile.in
index df62ec9..d9f0107 100644
--- a/lib/isc-pkcs11/Makefile.in
+++ b/lib/isc-pkcs11/Makefile.in
@@ -31,8 +31,8 @@ CINCLUDES = -I${srcdir}/unix/include \
-I${srcdir}/@ISC_THREAD_DIR@/include \
-I${srcdir}/@ISC_ARCH_DIR@/include \
-I./include \
- -I${srcdir}/include @ISC_OPENSSL_INC@ ${DNS_INCLUDES}
-CDEFINES = @CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+ -I${srcdir}/include ${DNS_PKCS11_INCLUDES}
+CDEFINES = @CRYPTO_PK11@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
CWARNINGS =
# Alphabetically
@@ -110,35 +110,35 @@ version.@O@: version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libisc.@SA@: ${OBJS} ${SYMTBLOBJS}
+libisc-pkcs11.@SA@: ${OBJS} ${SYMTBLOBJS}
${AR} ${ARFLAGS} $@ ${OBJS} ${SYMTBLOBJS}
${RANLIB} $@
-libisc-nosymtbl.@SA@: ${OBJS}
+libisc-pkcs11-nosymtbl.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisc.la: ${OBJS} ${SYMTBLOBJS}
+libisc-pkcs11.la: ${OBJS} ${SYMTBLOBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${SYMTBLOBJS} ${LIBS}
-libisc-nosymtbl.la: ${OBJS}
+libisc-pkcs11-nosymtbl.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-pkcs11-nosymtbl.la -rpath ${libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS}
-timestamp: libisc.@A@ libisc-nosymtbl.@A@
+timestamp: libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-pkcs11.@A@ ${DESTDIR}${libdir}
clean distclean::
- rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
- libisc-nosymtbl.la timestamp
+ rm -f libisc-pkcs11.@A@ libisc-pkcs11-nosymtbl.@A@ libisc-pkcs11.la \
+ libisc-pkcs11-nosymtbl.la timestamp
diff --git a/make/includes.in b/make/includes.in
index f2f1b3f..639477c 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -46,3 +46,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
TEST_INCLUDES = \
-I${top_srcdir}/lib/tests/include
+
+ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/isc-pkcs11 \
+ -I${top_srcdir}/lib/isc-pkcs11/include \
+ -I${top_srcdir}/lib/isc-pkcs11/unix/include \
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \
+ -I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include
+
+DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/dns-pkcs11/include
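Review bot: In bin/named-pkcs11/Makefile.in the hunk moves ISCLIBS and ISCDEPLIBS to lib/isc-pkcs11 but leaves `ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@` pointing at the OpenSSL-built tree, so a named-pkcs11 linked through NOSYMLIBS would combine libdns-pkcs11 with the non-PKCS#11 libisc; bin/dnssec-pkcs11/Makefile.in in the same patch updates the corresponding line, and this one should read `ISCNOSYMLIBS = ../../lib/isc-pkcs11/libisc-pkcs11-nosymtbl.@A@`. The `clean distclean::` rule in lib/dns-pkcs11/Makefile.in still says `rm -f libdns.@A@ timestamp`, so `libdns-pkcs11.@A@` survives `make clean` and a rebuild can silently reuse a stale library; the export variant was fixed, so change this one to `rm -f libdns-pkcs11.@A@ timestamp` as well. The mutual-exclusion check in configure.in is commented out rather than removed; a one-line comment stating that the OpenSSL and native-PKCS#11 back ends are now built side by side into separate libraries would explain the dead code to the next maintainer.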

25320
SOURCES/bind-9.9-native-pkcs11.patch


27
SOURCES/bind-9.9.1-P2-dlz-libdb.patch

@ -0,0 +1,27 @@ @@ -0,0 +1,27 @@
diff -up bind-9.9.4/contrib/dlz/config.dlz.in.libdb bind-9.9.4/contrib/dlz/config.dlz.in
--- bind-9.9.4/contrib/dlz/config.dlz.in.libdb 2014-01-06 13:24:24.669256364 +0100
+++ bind-9.9.4/contrib/dlz/config.dlz.in 2014-01-06 13:26:29.861420493 +0100
@@ -257,7 +257,7 @@ case "$use_dlz_bdb" in
# Check other locations for includes.
# Order is important (sigh).
- bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /db/"
+ bdb_incdirs="/ /db48/ /db47/ /db46/ /db45/ /db44/ /db43/ /db42/ /db41/ /db4/ /libdb/ /db/"
for d in $bdb_incdirs
do
if test -f "$dd/include${d}db.h"
@@ -283,13 +283,7 @@ case "$use_dlz_bdb" in
do
if test -f "$dd/${target_lib}/lib${d}.so"
then
- if test "$dd" != "/usr"
- then
- dlz_bdb_libs="-L${dd}/${target_lib} "
- else
- dlz_bdb_libs=""
- fi
- dlz_bdb_libs="${dlz_bdb_libs}-l${d}"
+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
break
fi
done
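Review bot: The new `dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"` points the linker at a `libdb` subdirectory, but the guard two lines above still probes `$dd/${target_lib}/lib${d}.so`, so the directory that is tested and the one that is linked against differ: on a layout where the library exists only under `${target_lib}/libdb` the branch never fires, and where it exists only in `${target_lib}` the `-L` names a directory that may not exist. Either probe the same path, `if test -f "$dd/${target_lib}/libdb/lib${d}.so"`, or keep the original `$dd != /usr` branch and add the `libdb` case next to it. Dropping the `/usr` special case also emits an explicit `-L/usr/lib64/libdb` for the system prefix, presumably intended for Fedora's libdb packaging, which deserves a comment naming that layout.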

66
SOURCES/bind-9.9.1-P2-multlib-conflict.patch

@ -0,0 +1,66 @@ @@ -0,0 +1,66 @@
diff -up bind-9.9.3rc2/config.h.in.multlib-conflict bind-9.9.3rc2/config.h.in
--- bind-9.9.3rc2/config.h.in.multlib-conflict 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/config.h.in 2013-05-13 12:10:22.514870894 +0200
@@ -416,7 +416,7 @@ int sigwait(const unsigned int *set, int
#undef PORT_NONBLOCK
/* The size of `void *', as computed by sizeof. */
-#undef SIZEOF_VOID_P
+/* #undef SIZEOF_VOID_P */
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
diff -up bind-9.9.3rc2/configure.in.multlib-conflict bind-9.9.3rc2/configure.in
--- bind-9.9.3rc2/configure.in.multlib-conflict 2013-05-13 12:10:22.481870901 +0200
+++ bind-9.9.3rc2/configure.in 2013-05-13 12:10:22.515870894 +0200
@@ -2251,7 +2251,9 @@ int getnameinfo(const struct sockaddr *,
size_t, char *, size_t, int);],
[ return (0);],
[AC_MSG_RESULT(size_t for buflen; int for flags)
- AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)
+ # Changed to solve multilib conflict on Fedora
+ #AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, size_t)
+ AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)],
[AC_MSG_RESULT(not match any subspecies; assume standard definition)
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
diff -up bind-9.9.3rc2/isc-config.sh.in.multlib-conflict bind-9.9.3rc2/isc-config.sh.in
--- bind-9.9.3rc2/isc-config.sh.in.multlib-conflict 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/isc-config.sh.in 2013-05-13 12:26:40.258698745 +0200
@@ -21,7 +21,18 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
includedir=@includedir@
-libdir=@libdir@
+arch=$(uname -m)
+
+case $arch in
+ x86_64 | amd64 | sparc64 | s390x | ppc64)
+ libdir=/usr/lib64
+ sec_libdir=/usr/lib
+ ;;
+ * )
+ libdir=/usr/lib
+ sec_libdir=/usr/lib64
+ ;;
+esac
usage()
{
@@ -133,6 +144,16 @@ if test x"$echo_libs" = x"true"; then
if test x"${exec_prefix_set}" = x"true"; then
includes="-L${exec_prefix}/lib"
else
+ if [ ! -x $libdir/libisc.so ] ; then
+ if [ ! -x $sec_libdir/libisc.so ] ; then
+ echo "Error: ISC libs not found in $libdir"
+ if [ -d $sec_libdir ] ; then
+ echo "Error: ISC libs not found in $sec_libdir"
+ fi
+ exit 1
+ fi
+ libdir=$sec_libdir
+ fi
libs="-L${libdir}"
fi
if test x"$liblwres" = x"true" ; then
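Review bot: In isc-config.sh.in the new `arch=$(uname -m)` table replaces `libdir=@libdir@` with hard-coded `/usr/lib64` and `/usr/lib`, so `isc-config --libs` reports the wrong directory for any build configured with a non-default prefix or libdir, and the architecture is taken from the host running the script rather than from the build that produced it. The fallback probe `[ ! -x $libdir/libisc.so ]` requires the shared library to be installed executable (this package's bind-nonexec.patch arranges that, but a differently packaged libisc would fail the test) and leaves `$libdir` unquoted; `[ ! -f "$libdir/libisc.so" ]` is the more robust check. Consider keeping `libdir=@libdir@` as the default and consulting the `uname -m` table only when that directory lacks libisc.so.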

12
SOURCES/bind-9.9.3-include-update-h.patch

@ -0,0 +1,12 @@ @@ -0,0 +1,12 @@
diff -up bind-9.9.3/lib/dns/include/dns/Makefile.in.update bind-9.9.3/lib/dns/include/dns/Makefile.in
--- bind-9.9.3/lib/dns/include/dns/Makefile.in.update 2013-06-03 09:29:41.049197873 +0200
+++ bind-9.9.3/lib/dns/include/dns/Makefile.in 2013-06-03 09:30:09.229213170 +0200
@@ -30,7 +30,7 @@ HEADERS = acl.h adb.h byaddr.h cache.h c
rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
rdataslab.h rdatatype.h request.h resolver.h result.h \
rootns.h rpz.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \
- tcpmsg.h time.h tkey.h tsig.h ttl.h types.h \
+ tcpmsg.h time.h tkey.h tsig.h ttl.h types.h update.h\
validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h \
forward.h rrl.h

40
SOURCES/bind-95-rh452060.patch

@ -0,0 +1,40 @@ @@ -0,0 +1,40 @@
diff -up bind-9.5.0-P2/bin/dig/dighost.c.rh452060 bind-9.5.0-P2/bin/dig/dighost.c
--- bind-9.5.0-P2/bin/dig/dighost.c.rh452060 2008-12-01 22:30:01.000000000 +0100
+++ bind-9.5.0-P2/bin/dig/dighost.c 2008-12-01 22:30:07.000000000 +0100
@@ -1280,6 +1280,12 @@ clear_query(dig_query_t *query) {
debug("clear_query(%p)", query);
+ if (query->waiting_senddone) {
+ debug("send_done not yet called");
+ query->pending_free = ISC_TRUE;
+ return;
+ }
+
lookup = query->lookup;
if (lookup->current_query == query)
@@ -1301,10 +1307,7 @@ clear_query(dig_query_t *query) {
isc_mempool_put(commctx, query->recvspace);
isc_buffer_invalidate(&query->recvbuf);
isc_buffer_invalidate(&query->lengthbuf);
- if (query->waiting_senddone)
- query->pending_free = ISC_TRUE;
- else
- isc_mem_free(mctx, query);
+ isc_mem_free(mctx, query);
}
/*%
@@ -2175,9 +2178,9 @@ send_done(isc_task_t *_task, isc_event_t
isc_event_free(&event);
if (query->pending_free)
- isc_mem_free(mctx, query);
+ clear_query(query);
- check_if_done();
+ check_next_lookup(l);
UNLOCK_LOOKUP;
}
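Review bot: The early return added at the top of clear_query() leaves the query linked into its lookup and its buffers allocated until send_done() calls `clear_query(query)`, so the fix only holds if `query->waiting_senddone` has been cleared before the `if (query->pending_free)` check in send_done(); that reset is outside the hunk, and if it happens after the call, clear_query() takes the early return again and the query is never freed. Likewise `check_next_lookup(l)` runs after `clear_query(query)` may have released the query, so `l` must have been captured from `query->lookup` before that call. A comment above the early return, `/* defer teardown to send_done(), which re-enters clear_query() once waiting_senddone is cleared */`, plus an assertion of that invariant would make the ownership hand-off explicit. Both clear_query() and send_done() extend outside the hunk.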

23
SOURCES/bind-96-old-api.patch

@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
diff -up bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c
--- bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c.old-api 2008-11-24 13:28:13.000000000 +0100
+++ bind-9.6.0b1/contrib/sdb/ldap/ldapdb.c 2008-11-24 13:28:23.000000000 +0100
@@ -25,6 +25,7 @@
/* Using LDAPv3 by default, change this if you want v2 */
#ifndef LDAPDB_LDAP_VERSION
#define LDAPDB_LDAP_VERSION 3
+#define LDAP_DEPRECATED 1
#endif
#include <config.h>
diff -up bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c
--- bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c.old-api 2008-11-24 13:29:05.000000000 +0100
+++ bind-9.6.0b1/contrib/sdb/ldap/zone2ldap.c 2008-11-24 13:29:14.000000000 +0100
@@ -13,6 +13,8 @@
* ditched dNSDomain2 schema support. Version 0.3-ALPHA
*/
+#define LDAP_DEPRECATED 1
+
#include <errno.h>
#include <string.h>
#include <stdlib.h>
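Review bot: In ldapdb.c the new `#define LDAP_DEPRECATED 1` sits inside `#ifndef LDAPDB_LDAP_VERSION`, so a build that pre-defines LDAPDB_LDAP_VERSION (the override the comment above it invites) loses the define and the deprecated-API build failure returns; zone2ldap.c in the same patch places the define unconditionally, and ldapdb.c should match by moving it above the `#ifndef`. Defining LDAP_DEPRECATED also opts the whole driver into OpenLDAP's deprecated entry points instead of porting the calls, which is presumably why the patch is named old-api; a one-line comment such as `/* driver still uses OpenLDAP's deprecated API; enable it explicitly */` would record that choice for whoever next touches the contrib code.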

13
SOURCES/bind-99-socket-maxevents.patch

@ -0,0 +1,13 @@ @@ -0,0 +1,13 @@
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 05eaeaa..82d0d16 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -214,7 +214,7 @@ typedef enum { poll_idle, poll_active, poll_checking } pollstate_t;
*/
#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
#ifndef ISC_SOCKET_MAXEVENTS
-#define ISC_SOCKET_MAXEVENTS 64
+#define ISC_SOCKET_MAXEVENTS 2048
#endif
#endif
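Review bot: The bump of ISC_SOCKET_MAXEVENTS from 64 to 2048 carries no comment explaining the new value, and the code that consumes the constant (presumably the event array sized per socket manager) is outside the hunk, so a reader cannot tell whether this is throughput tuning or a fix for a starvation problem, nor what the memory cost is. Add a line above the `#ifndef`, e.g. `/* Raised from 64 downstream; see <bug reference> for the workload that motivated it */`, with the actual bug number. Because the value stays behind `#ifndef`, it can still be overridden at build time, which is worth stating in the same comment.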

72
SOURCES/bind-nonexec.patch

@ -0,0 +1,72 @@ @@ -0,0 +1,72 @@
diff -up bind-9.7.0rc2/lib/bind9/Makefile.in.nonexec bind-9.7.0rc2/lib/bind9/Makefile.in
--- bind-9.7.0rc2/lib/bind9/Makefile.in.nonexec 2009-12-06 00:31:40.000000000 +0100
+++ bind-9.7.0rc2/lib/bind9/Makefile.in 2010-01-28 12:13:33.406696161 +0100
@@ -78,7 +78,7 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libbind9.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libbind9.@A@ ${DESTDIR}${libdir}
clean distclean::
rm -f libbind9.@A@ timestamp
diff -up bind-9.7.0rc2/lib/dns/Makefile.in.nonexec bind-9.7.0rc2/lib/dns/Makefile.in
--- bind-9.7.0rc2/lib/dns/Makefile.in.nonexec 2009-12-06 00:31:40.000000000 +0100
+++ bind-9.7.0rc2/lib/dns/Makefile.in 2010-01-28 12:13:33.406696161 +0100
@@ -131,7 +131,7 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns.@A@ ${DESTDIR}${libdir}
clean distclean::
rm -f libdns.@A@ timestamp
diff -up bind-9.7.0rc2/lib/isccc/Makefile.in.nonexec bind-9.7.0rc2/lib/isccc/Makefile.in
--- bind-9.7.0rc2/lib/isccc/Makefile.in.nonexec 2009-12-06 00:31:41.000000000 +0100
+++ bind-9.7.0rc2/lib/isccc/Makefile.in 2010-01-28 12:13:33.406696161 +0100
@@ -80,7 +80,7 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccc.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccc.@A@ ${DESTDIR}${libdir}
clean distclean::
rm -f libisccc.@A@ timestamp
diff -up bind-9.7.0rc2/lib/isccfg/Makefile.in.nonexec bind-9.7.0rc2/lib/isccfg/Makefile.in
--- bind-9.7.0rc2/lib/isccfg/Makefile.in.nonexec 2009-12-06 00:31:41.000000000 +0100
+++ bind-9.7.0rc2/lib/isccfg/Makefile.in 2010-01-28 12:13:33.406696161 +0100
@@ -77,7 +77,7 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccfg.@A@ ${DESTDIR}${libdir}
clean distclean::
rm -f libisccfg.@A@ timestamp
diff -up bind-9.7.0rc2/lib/isc/Makefile.in.nonexec bind-9.7.0rc2/lib/isc/Makefile.in
--- bind-9.7.0rc2/lib/isc/Makefile.in.nonexec 2009-12-18 05:09:55.000000000 +0100
+++ bind-9.7.0rc2/lib/isc/Makefile.in 2010-01-28 12:13:53.566696766 +0100
@@ -121,7 +121,7 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc.@A@ ${DESTDIR}${libdir}
clean distclean::
rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \
diff -up bind-9.7.0rc2/lib/lwres/Makefile.in.nonexec bind-9.7.0rc2/lib/lwres/Makefile.in
--- bind-9.7.0rc2/lib/lwres/Makefile.in.nonexec 2007-06-20 01:47:22.000000000 +0200
+++ bind-9.7.0rc2/lib/lwres/Makefile.in 2010-01-28 12:13:33.406696161 +0100
@@ -78,7 +78,7 @@ installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} liblwres.@A@ ${DESTDIR}${libdir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} liblwres.@A@ ${DESTDIR}${libdir}
clean distclean::
rm -f liblwres.@A@ liblwres.la timestamp
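Review bot: Switching the six library install lines from `${INSTALL_DATA}` to `${INSTALL_PROGRAM}` changes the installed file mode (typically 0644 to 0755) without a comment or patch header saying why; presumably the shared objects need the execute bit for prelink/SELinux handling, and that should be stated at the top of the patch, e.g. `# Install shared libraries executable (0755) so prelink/SELinux treat them as code.` If `INSTALL_PROGRAM` is ever run with `-s` (as `make install-strip` does), the libraries will now also be stripped, which the data install never did; confirm the packaging extracts debuginfo before that step.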

69
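--- a/SOURCES/bind.keys
+++ b/SOURCES/bind.keys
@@ -0,0 +1,69 @@
+# The bind.keys file is used to override the built-in DNSSEC trust anchors
+# which are included as part of BIND 9. As of the current release, the only
+# trust anchors it contains are those for the DNS root zone ("."), and for
+# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors
+# for any other zones MUST be configured elsewhere; if they are configured
+# here, they will not be recognized or used by named.
+#
+# The built-in trust anchors are provided for convenience of configuration.
+# They are not activated within named.conf unless specifically switched on.
+# To use the built-in root key, set "dnssec-validation auto;" in
+# named.conf options. To use the built-in DLV key, set
+# "dnssec-lookaside auto;". Without these options being set,
+# the keys in this file are ignored.
+#
+# This file is NOT expected to be user-configured.
+#
+# These keys are current as of Feburary 2017. If any key fails to
+# initialize correctly, it may have expired. In that event you should
+# replace this file with a current version. The latest version of
+# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+
+managed-keys {
+# ISC DLV: See https://www.isc.org/solutions/dlv for details.
+#
+# NOTE: The ISC DLV zone is being phased out as of February 2017;
+# the key will remain in place but the zone will be otherwise empty.
+# Configuring "dnssec-lookaside auto;" to activate this key is
+# harmless, but is no longer useful and is not recommended.
+dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
+brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
+1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
+ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
+Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
+QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
+TDN0YUuWrBNh";
+
+# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
+# for current trust anchor information.
+#
+# These keys are activated by setting "dnssec-validation auto;"
+# in named.conf.
+#
+# This key (19036) is to be phased out starting in 2017. It will
+# remain in the root zone for some time after its successor key
+# has been added. It will remain this file until it is removed from
+# the root zone.
+. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+QxA+Uk1ihz0=";
+
+# This key (20326) is to be published in the root zone in 2017.
+# Servers which were already using the old key (19036) should
+# roll seamlessly to this new one via RFC 5011 rollover. Servers
+# being set up for the first time can use the contents of this
+# file as initializing keys; thereafter, the keys in the
+# managed key database will be trusted and maintained
+# automatically.
+. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
++/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+R1AkUTV74bU=";
+};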
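Review bot: The file still ships the `dlv.isc.org.` anchor under `managed-keys` even though its own comment says the DLV zone is being phased out and `dnssec-lookaside auto;` is "no longer useful and is not recommended"; carrying a retired anchor in the package invites operators to enable lookaside validation against an empty zone, so either drop the entry or add a packaging note that it is kept only for configurations that already reference it. The root anchors are read only for the initial bootstrap under `dnssec-validation auto;` (as the header states), after which RFC 5011 maintains the managed-keys database, so a server first installed well after this commit depends on both root keys here still being valid; the packaging should verify this file against https://data.iana.org/root-anchors/root-anchors.xml at every update rather than rely on the "current as of Feburary 2017" line, which also misspells February.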

1
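--- a/SOURCES/bind.tmpfiles.d
+++ b/SOURCES/bind.tmpfiles.d
@@ -0,0 +1 @@
+d /run/named 0755 named named -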
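Review bot: `/run/named` is created 0755, i.e. world-readable and traversable, with no comment on what is expected to live there; that is fine for a pid file, but if named writes its local-DDNS `session.key` (or any other key material) under this directory, its protection rests entirely on the mode named gives the file itself. A comment such as `# pid file (and session.key if session-keyfile points here); named must create the key 0600` would record that dependency, or the directory could be 0750 if nothing outside the named group needs to read the pid file.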

95
SOURCES/bind93-rh490837.patch

@ -0,0 +1,95 @@ @@ -0,0 +1,95 @@
? patch
? lib/isc/lex.c.rh490837
Index: lib/isc/lex.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/lex.c,v
retrieving revision 1.86
diff -p -u -r1.86 lex.c
--- lib/isc/lex.c 17 Sep 2007 09:56:29 -0000 1.86
+++ lib/isc/lex.c 6 Apr 2009 13:24:15 -0000
@@ -425,17 +425,14 @@ isc_lex_gettoken(isc_lex_t *lex, unsigne
if (source->is_file) {
stream = source->input;
-#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED)
- c = getc_unlocked(stream);
-#else
- c = getc(stream);
-#endif
- if (c == EOF) {
- if (ferror(stream)) {
- source->result = ISC_R_IOERROR;
- result = source->result;
+ result = isc_stdio_fgetc(stream, &c);
+
+ if (result != ISC_R_SUCCESS) {
+ if (result != ISC_R_EOF) {
+ source->result = result;
goto done;
}
+
source->at_eof = ISC_TRUE;
}
} else {
Index: lib/isc/include/isc/stdio.h
===================================================================
RCS file: /var/snap/bind9/lib/isc/include/isc/stdio.h,v
retrieving revision 1.13
diff -p -u -r1.13 stdio.h
--- lib/isc/include/isc/stdio.h 19 Jun 2007 23:47:18 -0000 1.13
+++ lib/isc/include/isc/stdio.h 6 Apr 2009 13:24:15 -0000
@@ -72,6 +72,9 @@ isc_stdio_sync(FILE *f);
* direct counterpart in the stdio library.
*/
+isc_result_t
+isc_stdio_fgetc(FILE *f, int *ret);
+
ISC_LANG_ENDDECLS
#endif /* ISC_STDIO_H */
Index: lib/isc/unix/errno2result.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/unix/errno2result.c,v
retrieving revision 1.17
diff -p -u -r1.17 errno2result.c
--- lib/isc/unix/errno2result.c 19 Jun 2007 23:47:18 -0000 1.17
+++ lib/isc/unix/errno2result.c 6 Apr 2009 13:24:15 -0000
@@ -43,6 +43,7 @@ isc__errno2result(int posixerrno) {
case EINVAL: /* XXX sometimes this is not for files */
case ENAMETOOLONG:
case EBADF:
+ case EISDIR:
return (ISC_R_INVALIDFILE);
case ENOENT:
return (ISC_R_FILENOTFOUND);
Index: lib/isc/unix/stdio.c
===================================================================
RCS file: /var/snap/bind9/lib/isc/unix/stdio.c,v
retrieving revision 1.8
diff -p -u -r1.8 stdio.c
--- lib/isc/unix/stdio.c 19 Jun 2007 23:47:18 -0000 1.8
+++ lib/isc/unix/stdio.c 6 Apr 2009 13:24:15 -0000
@@ -115,3 +115,22 @@ isc_stdio_sync(FILE *f) {
return (isc__errno2result(errno));
}
+isc_result_t
+isc_stdio_fgetc(FILE *f, int *ret) {
+ int r;
+ isc_result_t result = ISC_R_SUCCESS;
+
+#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED)
+ r = fgetc_unlocked(f);
+#else
+ r = fgets(f);
+#endif
+
+ if (r == EOF)
+ result = ferror(f) ? isc__errno2result(errno) : ISC_R_EOF;
+
+ *ret = r;
+
+ return result;
+}
+
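Review bot: The fallback branch of `isc_stdio_fgetc` calls `fgets(f)` with a single argument; `fgets` takes a buffer, a size and a stream, so any build without `HAVE_FLOCKFILE`/`HAVE_GETCUNLOCKED` fails to compile, and the line should be `r = fgetc(f);`. The unlocked branch uses `fgetc_unlocked`, while the guard macro name suggests configure probed `getc_unlocked`; `getc_unlocked(f)` (what the removed lex.c code called) is the symbol that guard actually vouches for. Mapping a failed read through `isc__errno2result(errno)` assumes errno still reflects the stdio error, which holds here only because nothing runs between the read and that call.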

26
SOURCES/bind93-rh726120.patch

@ -0,0 +1,26 @@ @@ -0,0 +1,26 @@
From 23c33ea76e916cc16e354faa218b6a0ca6385d00 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 5 Dec 2017 16:33:08 +0100
Subject: [PATCH] Fix bug #726120

---
bin/dig/dighost.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 42a2fe2..3a066c6 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -3416,7 +3416,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
return;
}
if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) ||
- (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse))
+ (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 &&
+ msg->rcode != dns_rcode_noerror && l->recurse))
{
dig_query_t *next = ISC_LIST_NEXT(query, link);
if (l->current_query == query)
--
2.9.5
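Review bot: The added `msg->rcode != dns_rcode_noerror` term changes when dig gives up on a server and moves to the next one, yet the commit message "Fix bug #726120" gives no rationale; a comment on the condition should state the intent, e.g. `/* A NOERROR reply without RA is a usable authoritative answer; only fail over to the next server for SERVFAIL/REFUSED-style rcodes. */`. Note that the new test also keeps a NOERROR response that is merely a referral from a non-recursive server instead of trying the next nameserver, presumably an accepted trade-off that is worth stating. The enclosing `recv_done` starts and ends outside the hunk.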

19
SOURCES/bind95-rh461409.patch

@ -0,0 +1,19 @@ @@ -0,0 +1,19 @@
diff -up bind-9.5.1b1/bin/dig/dighost.c.rh461409 bind-9.5.1b1/bin/dig/dighost.c
--- bind-9.5.1b1/bin/dig/dighost.c.rh461409 2008-09-16 14:04:03.000000000 +0200
+++ bind-9.5.1b1/bin/dig/dighost.c 2008-09-16 14:06:06.000000000 +0200
@@ -3665,6 +3665,15 @@ output_filter (isc_buffer_t *buffer, uns
(void) strcpy (tmp1, tmp2);
free (tmp2);
+ tmp2 = stringprep_utf8_to_locale (tmp1);
+ if (tmp2 == NULL) {
+ debug ("output_filter: stringprep_utf8_to_locale failed");
+ return ISC_R_SUCCESS;
+ }
+
+ (void) strcpy (tmp1, tmp2);
+ free (tmp2);
+
tolen = strlen (tmp1);
if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
tolen--;
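Review bot: The added `strcpy (tmp1, tmp2)` copies the locale-converted name into `tmp1` with no length check; `tmp1`'s declaration is outside the hunk, and a UTF-8-to-locale conversion may be longer than its input for some multibyte locales, so if `tmp1` is a fixed-size buffer this is an overflow reachable from a long or hostile IDN name. The same unchecked pattern already exists on the preceding `strcpy (tmp1, tmp2)` line, so both copies should be bounded, e.g. `if (strlen (tmp2) >= sizeof (tmp1)) { free (tmp2); return ISC_R_SUCCESS; }` before each copy when `tmp1` is an array (or against its allocated length otherwise). The early `return ISC_R_SUCCESS` on conversion failure leaves the caller's buffer untouched, which is presumably intended but deserves a comment.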

226
SOURCES/bind97-exportlib.patch

@ -0,0 +1,226 @@ @@ -0,0 +1,226 @@
diff -up bind-9.9.3rc2/isc-config.sh.in.exportlib bind-9.9.3rc2/isc-config.sh.in
diff -up bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib bind-9.9.3rc2/lib/export/dns/Makefile.in
--- bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/dns/Makefile.in 2013-05-13 10:45:22.574089729 +0200
@@ -35,9 +35,9 @@ CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_
CWARNINGS =
-ISCLIBS = ../isc/libisc.@A@
+ISCLIBS = ../isc/libisc-export.@A@
-ISCDEPLIBS = ../isc/libisc.@A@
+ISCDEPLIBS = ../isc/libisc-export.@A@
LIBS = @LIBS@
@@ -116,29 +116,29 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libdns.@SA@: ${OBJS}
+libdns-export.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libdns.la: ${OBJS}
+libdns-export.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
-timestamp: libdns.@A@
+timestamp: libdns-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libdns-export.@A@ \
${DESTDIR}${export_libdir}/
clean distclean::
- rm -f libdns.@A@ timestamp
+ rm -f libdns-export.@A@ timestamp
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
diff -up bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib bind-9.9.3rc2/lib/export/irs/Makefile.in
--- bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/irs/Makefile.in 2013-05-13 10:45:22.575089729 +0200
@@ -43,9 +43,9 @@ SRCS = context.c \
gai_sterror.c getaddrinfo.c getnameinfo.c \
resconf.c
-ISCLIBS = ../isc/libisc.@A@
-DNSLIBS = ../dns/libdns.@A@
-ISCCFGLIBS = ../isccfg/libisccfg.@A@
+ISCLIBS = ../isc/libisc-export.@A@
+DNSLIBS = ../dns/libdns-export.@A@
+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@
LIBS = @LIBS@
@@ -62,26 +62,26 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libirs.@SA@: ${OBJS} version.@O@
+libirs-export.@SA@: ${OBJS} version.@O@
${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
${RANLIB} $@
-libirs.la: ${OBJS} version.@O@
+libirs-export.la: ${OBJS} version.@O@
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libirs-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} version.@O@ ${LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS}
-timestamp: libirs.@A@
+timestamp: libirs-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libirs.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libirs-export.@A@ \
${DESTDIR}${export_libdir}/
clean distclean::
- rm -f libirs.@A@ libirs.la timestamp
+ rm -f libirs-export.@A@ libirs-export.la timestamp
diff -up bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isccfg/Makefile.in
--- bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/isccfg/Makefile.in 2013-05-13 10:45:22.576089729 +0200
@@ -30,11 +30,11 @@ CINCLUDES = -I. ${DNS_INCLUDES} -I${expo
CDEFINES =
CWARNINGS =
-ISCLIBS = ../isc/libisc.@A@
-DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../isc/libisc-export.@A@
+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS = libisccfg.@A@
+ISCCFGDEPLIBS = libisccfg-export.@A@
LIBS = @LIBS@
@@ -58,26 +58,26 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libisccfg.@SA@: ${OBJS}
+libisccfg-export.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisccfg.la: ${OBJS}
+libisccfg-export.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS} ${DNSLIBS} ${ISCLIBS}
-timestamp: libisccfg.@A@
+timestamp: libisccfg-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisccfg-export.@A@ \
${DESTDIR}${export_libdir}/
clean distclean::
- rm -f libisccfg.@A@ timestamp
+ rm -f libisccfg-export.@A@ timestamp
diff -up bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isc/Makefile.in
--- bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/isc/Makefile.in 2013-05-13 10:45:22.576089729 +0200
@@ -100,6 +100,10 @@ SRCS = @ISC_EXTRA_SRCS@ \
LIBS = @LIBS@
+# Note: the order of SUBDIRS is important.
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
SUBDIRS = include unix nls @ISC_THREAD_DIR@
TARGETS = timestamp
@@ -113,26 +117,26 @@ version.@O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
-libisc.@SA@: ${OBJS}
+libisc-export.@SA@: ${OBJS}
${AR} ${ARFLAGS} $@ ${OBJS}
${RANLIB} $@
-libisc.la: ${OBJS}
+libisc-export.la: ${OBJS}
${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-export.la \
-rpath ${export_libdir} \
-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
${OBJS} ${LIBS}
-timestamp: libisc.@A@
+timestamp: libisc-export.@A@
touch timestamp
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${export_libdir}
install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ \
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} libisc-export.@A@ \
${DESTDIR}${export_libdir}
clean distclean::
- rm -f libisc.@A@ libisc.la timestamp
+ rm -f libisc-export.@A@ libisc-export.la timestamp
diff -up bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib bind-9.9.3rc2/lib/export/samples/Makefile.in
--- bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
+++ bind-9.9.3rc2/lib/export/samples/Makefile.in 2013-05-13 10:45:22.577089729 +0200
@@ -31,15 +31,15 @@ CINCLUDES = -I${srcdir}/include -I../dns
CDEFINES =
CWARNINGS =
-DNSLIBS = ../dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../isc/libisc.@A@
-ISCCFGLIBS = ../isccfg/libisccfg.@A@
-IRSLIBS = ../irs/libirs.@A@
+DNSLIBS = ../dns/libdns-export.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../isc/libisc-export.@A@
+ISCCFGLIBS = ../isccfg/libisccfg-export.@A@
+IRSLIBS = ../irs/libirs-export.@A@
-DNSDEPLIBS = ../dns/libdns.@A@
-ISCDEPLIBS = ../isc/libisc.@A@
-ISCCFGDEPLIBS = ../isccfg/libisccfg.@A@
-IRSDEPLIBS = ../irs/libirs.@A@
+DNSDEPLIBS = ../dns/libdns-export.@A@
+ISCDEPLIBS = ../isc/libisc-export.@A@
+ISCCFGDEPLIBS = ../isccfg/libisccfg-export.@A@
+IRSDEPLIBS = ../irs/libirs-export.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
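Review bot: In lib/export/isccfg/Makefile.in the link inputs are moved to `../isc/libisc-export.@A@`, but the unchanged context line `ISCDEPLIBS = ../../lib/isc/libisc.@A@` still declares the make dependency on the non-export libisc, so libisccfg-export is neither ordered after nor rebuilt against libisc-export; it should read `ISCDEPLIBS = ../isc/libisc-export.@A@`, matching the lib/export/dns Makefile in this same patch. The patch also opens with a `diff -up ... isc-config.sh.in` header that has no hunk behind it, which `patch` tolerates but which points at a leftover `.exportlib` backup file and should be dropped. `.NO_PARALLEL:` is not a GNU make special target (only `.NOTPARALLEL:` is), so the "Attempt to disable parallel processing" comment holds only for implementations that know that spelling.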

30
SOURCES/bind97-rh478718.patch

@ -0,0 +1,30 @@ @@ -0,0 +1,30 @@
diff -up bind-9.7.0/configure.in.rh478718 bind-9.7.0/configure.in
--- bind-9.7.0/configure.in.rh478718 2010-03-01 14:50:02.331207076 +0100
+++ bind-9.7.0/configure.in 2010-03-01 14:50:21.501207488 +0100
@@ -2540,6 +2540,10 @@ main() {
AC_MSG_RESULT($arch)
fi
+if test ! "$arch" = "x86_64" -a "$have_xaddq" = "yes"; then
+ AC_MSG_ERROR([XADDQ present but disabled by Fedora patch!])
+fi
+
if test "$have_atomic" = "yes"; then
AC_MSG_CHECKING([compiler support for inline assembly code])
diff -up bind-9.7.0/lib/isc/include/isc/platform.h.in.rh478718 bind-9.7.0/lib/isc/include/isc/platform.h.in
--- bind-9.7.0/lib/isc/include/isc/platform.h.in.rh478718 2010-03-01 14:50:31.421207522 +0100
+++ bind-9.7.0/lib/isc/include/isc/platform.h.in 2010-03-01 14:50:40.313707286 +0100
@@ -255,7 +255,11 @@
* If the "xaddq" operation (64bit xadd) is available on this architecture,
* ISC_PLATFORM_HAVEXADDQ will be defined.
*/
-@ISC_PLATFORM_HAVEXADDQ@
+#ifdef __x86_64__
+#define ISC_PLATFORM_HAVEXADDQ 1
+#else
+#undef ISC_PLATFORM_HAVEXADDQ
+#endif
/*
* If the "atomic swap" operation is available on this architecture,
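Review bot: platform.h.in now defines `ISC_PLATFORM_HAVEXADDQ` from `__x86_64__` alone and drops the `@ISC_PLATFORM_HAVEXADDQ@` substitution, so configure's result no longer reaches the header, while the configure.in guard only errors for the non-x86_64/have_xaddq=yes combination; the inverse case (an x86_64 build where configure decided xaddq is not usable) silently compiles with the header claiming it is. Adding the mirror check, `if test "$arch" = "x86_64" -a "$have_xaddq" != "yes"; then AC_MSG_ERROR([xaddq expected on x86_64 but not detected]); fi`, closes that gap. A comment above `#ifdef __x86_64__` saying this exists because the installed header is presumably shared between 32- and 64-bit multilib packages would also help the next reader.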

153
SOURCES/bind97-rh570851.patch

@ -0,0 +1,153 @@ @@ -0,0 +1,153 @@
diff -up bind-9.7.2b1/bin/dig/dighost.c.rh570851 bind-9.7.2b1/bin/dig/dighost.c
--- bind-9.7.2b1/bin/dig/dighost.c.rh570851 2010-08-10 12:55:14.219403986 +0200
+++ bind-9.7.2b1/bin/dig/dighost.c 2010-08-10 12:56:40.716015777 +0200
@@ -126,7 +126,8 @@ isc_boolean_t
usesearch = ISC_FALSE,
showsearch = ISC_FALSE,
qr = ISC_FALSE,
- is_dst_up = ISC_FALSE;
+ is_dst_up = ISC_FALSE,
+ verbose = ISC_FALSE;
in_port_t port = 53;
unsigned int timeout = 0;
unsigned int extrabytes;
@@ -1240,10 +1241,24 @@ setup_system(void) {
}
}
+ if (lwconf->resdebug) {
+ verbose = ISC_TRUE;
+ debug("verbose is on");
+ }
if (ndots == -1) {
ndots = lwconf->ndots;
debug("ndots is %d.", ndots);
}
+ if (lwconf->attempts) {
+ tries = lwconf->attempts + 1;
+ if (tries < 2)
+ tries = 2;
+ debug("tries is %d.", tries);
+ }
+ if (lwconf->timeout) {
+ timeout = lwconf->timeout;
+ debug("timeout is %d.", timeout);
+ }
/* If user doesn't specify server use nameservers from resolv.conf. */
if (ISC_LIST_EMPTY(server_list))
diff -up bind-9.7.2b1/bin/dig/host.c.rh570851 bind-9.7.2b1/bin/dig/host.c
--- bind-9.7.2b1/bin/dig/host.c.rh570851 2010-08-10 12:57:16.032758098 +0200
+++ bind-9.7.2b1/bin/dig/host.c 2010-08-10 13:02:12.848559845 +0200
@@ -659,6 +659,7 @@ parse_args(isc_boolean_t is_batchfile, i
lookup->servfail_stops = ISC_FALSE;
lookup->comments = ISC_FALSE;
+ short_form = !verbose;
while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
switch (c) {
@@ -869,8 +870,8 @@ main(int argc, char **argv) {
result = isc_app_start();
check_result(result, "isc_app_start");
setup_libs();
- parse_args(ISC_FALSE, argc, argv);
setup_system();
+ parse_args(ISC_FALSE, argc, argv);
result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
check_result(result, "isc_app_onrun");
isc_app_run();
diff -up bind-9.7.2b1/bin/dig/include/dig/dig.h.rh570851 bind-9.7.2b1/bin/dig/include/dig/dig.h
--- bind-9.7.2b1/bin/dig/include/dig/dig.h.rh570851 2010-08-10 13:02:32.722244088 +0200
+++ bind-9.7.2b1/bin/dig/include/dig/dig.h 2010-08-10 13:02:48.465158159 +0200
@@ -278,6 +278,7 @@ extern isc_boolean_t debugging, memdebug
extern char *progname;
extern int tries;
extern int fatalexit;
+extern isc_boolean_t verbose;
#ifdef WITH_IDN
extern int idnoptions;
#endif
diff -up bind-9.7.2b1/lib/lwres/include/lwres/lwres.h.rh570851 bind-9.7.2b1/lib/lwres/include/lwres/lwres.h
--- bind-9.7.2b1/lib/lwres/include/lwres/lwres.h.rh570851 2010-08-10 13:04:40.465780506 +0200
+++ bind-9.7.2b1/lib/lwres/include/lwres/lwres.h 2010-08-10 13:05:57.559867830 +0200
@@ -243,6 +243,8 @@ typedef struct {
lwres_uint8_t resdebug; /*%< non-zero if 'options debug' set */
lwres_uint8_t ndots; /*%< set to n in 'options ndots:n' */
lwres_uint8_t no_tld_query; /*%< non-zero if 'options no_tld_query' */
+ lwres_int32_t attempts; /*%< set to n in 'options attempts:n' */
+ lwres_int32_t timeout; /*%< set to n in 'options timeout:n' */
} lwres_conf_t;
#define LWRES_ADDRTYPE_V4 0x00000001U /*%< ipv4 */
diff -up bind-9.7.2b1/lib/lwres/lwconfig.c.rh570851 bind-9.7.2b1/lib/lwres/lwconfig.c
--- bind-9.7.2b1/lib/lwres/lwconfig.c.rh570851 2010-08-10 13:06:08.051778429 +0200
+++ bind-9.7.2b1/lib/lwres/lwconfig.c 2010-08-10 13:09:53.972555776 +0200
@@ -237,6 +237,8 @@ lwres_conf_init(lwres_context_t *ctx) {
confdata->resdebug = 0;
confdata->ndots = 1;
confdata->no_tld_query = 0;
+ confdata->attempts = 0;
+ confdata->timeout = 0;
for (i = 0; i < LWRES_CONFMAXNAMESERVERS; i++)
lwres_resetaddr(&confdata->nameservers[i]);
@@ -289,6 +291,8 @@ lwres_conf_clear(lwres_context_t *ctx) {
confdata->resdebug = 0;
confdata->ndots = 1;
confdata->no_tld_query = 0;
+ confdata->attempts = 0;
+ confdata->timeout = 0;
}
static lwres_result_t
@@ -530,6 +534,8 @@ static lwres_result_t
lwres_conf_parseoption(lwres_context_t *ctx, FILE *fp) {
int delim;
long ndots;
+ long attempts;
+ long timeout;
char *p;
char word[LWRES_CONFMAXLINELEN];
lwres_conf_t *confdata;
@@ -546,6 +552,8 @@ lwres_conf_parseoption(lwres_context_t *
confdata->resdebug = 1;
} else if (strcmp("no_tld_query", word) == 0) {
confdata->no_tld_query = 1;
+ } else if (strcmp("debug", word) == 0) {
+ confdata->resdebug = 1;
} else if (strncmp("ndots:", word, 6) == 0) {
ndots = strtol(word + 6, &p, 10);
if (*p != '\0') /* Bad string. */
@@ -553,6 +561,18 @@ lwres_conf_parseoption(lwres_context_t *
if (ndots < 0 || ndots > 0xff) /* Out of range. */
return (LWRES_R_FAILURE);
confdata->ndots = (lwres_uint8_t)ndots;
+ } else if (strncmp("timeout:", word, 8) == 0) {
+ timeout = strtol(word + 8, &p, 10);
+ if (*p != '\0') /* Bad string. */
+ return (LWRES_R_FAILURE);
+ confdata->timeout = (lwres_int32_t)timeout;
+ } else if (strncmp("attempts:", word, 9) == 0) {
+ attempts = strtol(word + 9, &p, 10);
+ if (*p != '\0') /* Bad string. */
+ return (LWRES_R_FAILURE);
+ if (attempts < 0) /* Out of range. */
+ return (LWRES_R_FAILURE);
+ confdata->attempts = (lwres_int32_t)attempts;
}
if (delim == EOF || delim == '\n')
@@ -716,6 +736,12 @@ lwres_conf_print(lwres_context_t *ctx, F
if (confdata->no_tld_query)
fprintf(fp, "options no_tld_query\n");
+ if (confdata->attempts)
+ fprintf(fp, "options attempts:%d\n", confdata->attempts);
+
+ if (confdata->timeout)
+ fprintf(fp, "options timeout:%d\n", confdata->timeout);
+
return (LWRES_R_SUCCESS);
}
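Review bot: The new `timeout:` option in `lwres_conf_parseoption` accepts any `long` the string holds, whereas `attempts:` directly below rejects negatives; a negative value lands in `lwres_int32_t timeout`, passes the `if (lwconf->timeout)` test in dighost.c and is assigned to the `unsigned int timeout` there, so a resolv.conf line `options timeout:-1` yields an enormous per-query timeout. Add `if (timeout < 0) return (LWRES_R_FAILURE);` after the bad-string check (glibc's resolver additionally caps timeout at 30 and attempts at 5, which would be worth mirroring). Separately, host.c now calls `setup_system()` before `parse_args()`, so at the dighost.c line "If user doesn't specify server use nameservers from resolv.conf" the server list is always empty; unless parse_args clears it afterwards, resolv.conf servers are now added even when one is given on the command line.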

30
SOURCES/bind97-rh645544.patch

@ -0,0 +1,30 @@ @@ -0,0 +1,30 @@
diff -up bind-9.9.4rc2/lib/dns/resolver.c.rh645544 bind-9.9.4rc2/lib/dns/resolver.c
--- bind-9.9.4rc2/lib/dns/resolver.c.rh645544 2013-08-19 10:30:52.000000000 +0200
+++ bind-9.9.4rc2/lib/dns/resolver.c 2013-09-06 17:58:03.864165823 +0200
@@ -1138,7 +1138,7 @@ log_edns(fetchctx_t *fctx) {
*/
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"success resolving '%s' (in '%s'?) after %s",
fctx->info, domainbuf, fctx->reason);
@@ -3804,7 +3804,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrin
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"lame server resolving '%s' (in '%s'?): %s",
namebuf, domainbuf, addrbuf);
}
@@ -3831,7 +3831,7 @@ log_formerr(fetchctx_t *fctx, const char
}
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
"DNS format error from %s resolving %s%s%s: %s",
nsbuf, fctx->info, clmsg, clbuf, msgbuf);
}
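Review bot: Demoting the lame-server, EDNS-fallback and FORMERR messages from INFO/NOTICE to `ISC_LOG_DEBUG(1)` removes them from default logging without a comment or packaging note; the "DNS format error from %s" line in particular is an operator's main indicator of a misbehaving or spoofing upstream, and at debug(1) it appears only when named runs with a debug level set. If the motive is log noise, these messages already sit in their own categories (`lame-servers`, `edns-disabled`, `resolver`), so sites can route those channels to `null` while others keep the signal. At minimum a patch header stating the rationale should accompany the change; the bug number in the filename is not enough.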

14
SOURCES/bind97-rh669163.patch

@ -0,0 +1,14 @@ @@ -0,0 +1,14 @@
diff -up bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 bind-9.7.2-P3/lib/lwres/lwconfig.c
--- bind-9.7.2-P3/lib/lwres/lwconfig.c.rh669163 2011-01-28 14:48:38.934472578 +0100
+++ bind-9.7.2-P3/lib/lwres/lwconfig.c 2011-01-28 14:49:50.421326035 +0100
@@ -612,6 +612,10 @@ lwres_conf_parse(lwres_context_t *ctx, c
break;
}
+ /* Ignore options with no parameters */
+ if (stopchar == '\n')
+ continue;
+
if (strlen(word) == 0U)
rval = LWRES_R_SUCCESS;
else if (strcmp(word, "nameserver") == 0)
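Review bot: The new `if (stopchar == '\n') continue;` skips a keyword that stands alone on its line, but a keyword on the final line of a resolv.conf with no trailing newline presumably comes back with `stopchar == EOF` and still falls through to the keyword handlers with no argument, the very case this hunk means to avoid. Unless the enclosing loop already leaves on EOF before the dispatch (its head is outside the hunk), extend the test to `if (stopchar == '\n' || stopchar == EOF) continue;` or break on EOF there. The comment could also say what "Ignore" means: the option is dropped silently rather than reported as a parse error.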

35
SOURCES/bind97-rh693982.patch

@ -0,0 +1,35 @@ @@ -0,0 +1,35 @@
diff -up bind-9.7.3-P3/bin/named/server.c.rh693982 bind-9.7.3-P3/bin/named/server.c
--- bind-9.7.3-P3/bin/named/server.c.rh693982 2011-08-12 17:18:55.611978110 +0200
+++ bind-9.7.3-P3/bin/named/server.c 2011-08-12 17:19:36.009975303 +0200
@@ -4444,15 +4444,6 @@ load_configuration(const char *filename,
ns_os_changeuser();
/*
- * Check that the working directory is writable.
- */
- if (access(".", W_OK) != 0) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "the working directory is not writable");
- }
-
- /*
* Configure the logging system.
*
* Do this after changing UID to make sure that any log
@@ -4498,6 +4489,15 @@ load_configuration(const char *filename,
}
/*
+ * Check that the working directory is writable.
+ */
+ if (access(".", W_OK) != 0) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+ "the working directory is not writable");
+ }
+
+ /*
* Set the default value of the query logging flag depending
* whether a "queries" category has been defined. This is
* a disgusting hack, but we need to do this for BIND 8
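Review bot: The writable-working-directory check is moved after logging is configured and dropped from `ISC_LOG_ERROR` to `ISC_LOG_DEBUG(1)` with no comment on why; presumably the package deliberately runs named with a working directory it cannot write as a hardening measure, so the error was noise, and that reasoning belongs on the check, e.g. `/* The packaged working directory is intentionally not writable by named; report at debug level only. */`. Downgrading it does hide a genuine misconfiguration for sites that keep slave or journal files in the working directory, so the patch header should mention that trade-off. Apart from the level and position the block is identical to the removed one.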

40
SOURCES/bind98-rh735103.patch

@ -0,0 +1,40 @@ @@ -0,0 +1,40 @@
diff -up bind-9.8.1rc1/lib/isc/unix/socket.c.rh735103 bind-9.8.1rc1/lib/isc/unix/socket.c
--- bind-9.8.1rc1/lib/isc/unix/socket.c.rh735103 2011-07-29 04:19:20.000000000 +0200
+++ bind-9.8.1rc1/lib/isc/unix/socket.c 2011-09-07 18:49:54.100215897 +0200
@@ -57,6 +57,20 @@
#include <isc/util.h>
#include <isc/xml.h>
+/* See task.c about the following definition: */
+#ifdef BIND9
+#ifdef ISC_PLATFORM_USETHREADS
+#define USE_WATCHER_THREAD
+#else
+#define USE_SHARED_MANAGER
+#endif /* ISC_PLATFORM_USETHREADS */
+#else /* BIND9 */
+#undef ISC_PLATFORM_HAVESYSUNH
+#undef ISC_PLATFORM_HAVEKQUEUE
+#undef ISC_PLATFORM_HAVEEPOLL
+#undef ISC_PLATFORM_HAVEDEVPOLL
+#endif /* BIND9 */
+
#ifdef ISC_PLATFORM_HAVESYSUNH
#include <sys/un.h>
#endif
@@ -76,15 +90,6 @@
#include "errno2result.h"
-/* See task.c about the following definition: */
-#ifdef BIND9
-#ifdef ISC_PLATFORM_USETHREADS
-#define USE_WATCHER_THREAD
-#else
-#define USE_SHARED_MANAGER
-#endif /* ISC_PLATFORM_USETHREADS */
-#endif /* BIND9 */
-
#ifndef USE_WATCHER_THREAD
#include "socket_p.h"
#include "../task_p.h"
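Review bot: The new non-BIND9 branch `#undef`s `ISC_PLATFORM_HAVESYSUNH`, `ISC_PLATFORM_HAVEKQUEUE`, `ISC_PLATFORM_HAVEEPOLL` and `ISC_PLATFORM_HAVEDEVPOLL` without a comment, which silently drops Unix-domain socket support and, presumably, every scalable poll backend from the export library so it falls back to select() and its FD_SETSIZE limit. A comment stating the intent is needed, e.g. `/* Export (non-BIND9) build: force the portable select() path and no AF_UNIX sockets. */`, and the descriptor limit this implies for consumers of libisc-export should be noted in the packaging. The `#undef`s only take effect if `<isc/platform.h>` is already included above them, which is not visible in this hunk and should be confirmed.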

53
SOURCES/bind99-CVE-2014-0591.patch

@ -0,0 +1,53 @@ @@ -0,0 +1,53 @@
diff -pruN bind-9.9.4-P1/bin/named/query.c bind-9.9.4-P2/bin/named/query.c
--- bind-9.9.4-P1/bin/named/query.c 2013-10-16 01:04:32.000000000 +0200
+++ bind-9.9.4-P2/bin/named/query.c 2013-12-20 01:28:28.000000000 +0100
@@ -5260,8 +5260,7 @@ query_findclosestnsec3(dns_name_t *qname
dns_fixedname_t fixed;
dns_hash_t hash;
dns_name_t name;
- int order;
- unsigned int count;
+ unsigned int skip = 0, labels;
dns_rdata_nsec3_t nsec3;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_boolean_t optout;
@@ -5276,6 +5275,7 @@ query_findclosestnsec3(dns_name_t *qname
dns_name_init(&name, NULL);
dns_name_clone(qname, &name);
+ labels = dns_name_countlabels(&name);
dns_clientinfomethods_init(&cm, ns_client_sourceip);
dns_clientinfo_init(&ci, client);
@@ -5309,13 +5309,14 @@ query_findclosestnsec3(dns_name_t *qname
dns_rdata_reset(&rdata);
optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
if (found != NULL && optout &&
- dns_name_fullcompare(&name, dns_db_origin(db), &order,
- &count) == dns_namereln_subdomain) {
+ dns_name_issubdomain(&name, dns_db_origin(db)))
+ {
dns_rdataset_disassociate(rdataset);
if (dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
- count = dns_name_countlabels(&name) - 1;
- dns_name_getlabelsequence(&name, 1, count, &name);
+ skip++;
+ dns_name_getlabelsequence(qname, skip, labels - skip,
+ &name);
ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
"looking for closest provable encloser");
@@ -5333,7 +5334,11 @@ query_findclosestnsec3(dns_name_t *qname
ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
"expected covering NSEC3, got an exact match");
- if (found != NULL)
+ if (found == qname) {
+ if (skip != 0U)
+ dns_name_getlabelsequence(qname, skip, labels - skip,
+ found);
+ } else if (found != NULL)
dns_name_copy(&name, found, NULL);
return;
}
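Review bot: The rewritten search derives `name` from `qname` by stripping `skip` labels and relies on `skip` staying below `labels`, which holds only while the `dns_name_issubdomain(&name, dns_db_origin(db))` test keeps the stripped name under the zone origin; that invariant is implicit, and a comment on `skip++` such as `/* strip one label; issubdomain() above guarantees skip < labels */` would make the `labels - skip` arithmetic visibly safe. The patch file has no header naming CVE-2014-0591 beyond its filename; a one-line reference to the upstream 9.9.4-P2 change would help audits. `query_findclosestnsec3` starts before and ends after this hunk.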

924
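--- a/SOURCES/bind99-CVE-2014-8500.patch
+++ b/SOURCES/bind99-CVE-2014-8500.patch
@@ -0,0 +1,924 @@
+diff -up bind-9.9.4/bin/named/config.c.CVE-2014-8500 bind-9.9.4/bin/named/config.c
+--- bind-9.9.4/bin/named/config.c.CVE-2014-8500 2013-09-05 07:09:08.000000000 +0200
++++ bind-9.9.4/bin/named/config.c 2014-12-10 14:56:24.959552559 +0100
+@@ -160,6 +160,8 @@ options {\n\
+dnssec-accept-expired no;\n\
+clients-per-query 10;\n\
+max-clients-per-query 100;\n\
++ max-recursion-depth 7;\n\
++ max-recursion-queries 50;\n\
+zero-no-soa-ttl-cache no;\n\
+nsec3-test-zone no;\n\
+allow-new-zones no;\n\
+diff -up bind-9.9.4/bin/named/query.c.CVE-2014-8500 bind-9.9.4/bin/named/query.c
+--- bind-9.9.4/bin/named/query.c.CVE-2014-8500 2014-12-10 14:56:24.945552543 +0100
++++ bind-9.9.4/bin/named/query.c 2014-12-10 14:56:24.960552560 +0100
+@@ -3872,12 +3872,11 @@ query_recurse(ns_client_t *client, dns_r
+peeraddr = &client->peeraddr;
+else
+peeraddr = NULL;
+- result = dns_resolver_createfetch2(client->view->resolver,
++ result = dns_resolver_createfetch3(client->view->resolver,
+qname, qtype, qdomain, nameservers,
+NULL, peeraddr, client->message->id,
+- client->query.fetchoptions,
+- client->task,
+- query_resume, client,
++ client->query.fetchoptions, 0, NULL,
++ client->task, query_resume, client,
+rdataset, sigrdataset,
+&client->query.fetch);
+diff -up bind-9.9.4/bin/named/server.c.CVE-2014-8500 bind-9.9.4/bin/named/server.c
+--- bind-9.9.4/bin/named/server.c.CVE-2014-8500 2014-12-10 14:56:24.913552507 +0100
++++ bind-9.9.4/bin/named/server.c 2014-12-10 14:56:24.961552561 +0100
+@@ -3205,6 +3205,16 @@ configure_view(dns_view_t *view, cfg_obj
+cfg_obj_asuint32(obj),
+max_clients_per_query);
++ obj = NULL;
++ result = ns_config_get(maps, "max-recursion-depth", &obj);
++ INSIST(result == ISC_R_SUCCESS);
++ dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj));
++
++ obj = NULL;
++ result = ns_config_get(maps, "max-recursion-queries", &obj);
++ INSIST(result == ISC_R_SUCCESS);
++ dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj));
++
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+obj = NULL;
+result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
+diff -up bind-9.9.4/doc/arm/Bv9ARM-book.xml.CVE-2014-8500 bind-9.9.4/doc/arm/Bv9ARM-book.xml
+--- bind-9.9.4/doc/arm/Bv9ARM-book.xml.CVE-2014-8500 2014-12-10 14:56:24.957552556 +0100
++++ bind-9.9.4/doc/arm/Bv9ARM-book.xml 2014-12-10 15:00:53.108931629 +0100
+@@ -4874,6 +4874,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+<optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
+<optional> clients-per-query <replaceable>number</replaceable> ; </optional>
+<optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
++ <optional> max-recursion-depth <replaceable>number</replaceable> ; </optional>
++ <optional> max-recursion-queries <replaceable>number</replaceable> ; </optional>
+<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
+<optional> empty-server <replaceable>name</replaceable> ; </optional>
+<optional> empty-contact <replaceable>name</replaceable> ; </optional>
+@@ -8623,6 +8625,35 @@ avoid-v6-udp-ports { 40000; range 50000
+</para>
+</listitem>
+</varlistentry>
++
++ <varlistentry id="max-recursion-depth">
++ <term><command>max-recursion-depth</command></term>
++ <listitem>
++ <para>
++ Sets the maximum number of levels of recursion
++ that are permitted at any one time while servicing
++ a recursive query. Resolving a name may require
++ looking up a name server address, which in turn
++ requires resolving another name, etc; if the number
++ of indirections exceeds this value, the recursive
++ query is terminated and returns SERVFAIL. The
++ default is 7.
++ </para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry id="max-recursion-queries">
++ <term><command>max-recursion-queries</command></term>
++ <listitem>
++ <para>
++ Sets the maximum number of iterative queries that
++ may be sent while servicing a recursive query.
++ If more queries are sent, the recursive query
++ is terminated and returns SERVFAIL. The default
++ is 50.
++ </para>
++ </listitem>
++ </varlistentry>
+<varlistentry>
+<term><command>notify-delay</command></term>
+diff -up bind-9.9.4/doc/misc/options.CVE-2014-8500 bind-9.9.4/doc/misc/options
+--- bind-9.9.4/doc/misc/options.CVE-2014-8500 2013-09-05 07:09:08.000000000 +0200
++++ bind-9.9.4/doc/misc/options 2014-12-10 14:56:24.964552564 +0100
+@@ -162,6 +162,8 @@ options {
+max-ixfr-log-size <size>; // obsolete
+max-journal-size <size_no_default>;
+max-ncache-ttl <integer>;
++ max-recursion-depth <integer>;
++ max-recursion-queries <integer>;
+max-refresh-time <integer>;
+max-retry-time <integer>;
+max-rsa-exponent-size <integer>;
+@@ -385,6 +387,8 @@ view <string> <optional_class> {
+max-ixfr-log-size <size>; // obsolete
+max-journal-size <size_no_default>;
+max-ncache-ttl <integer>;
++ max-recursion-depth <integer>;
++ max-recursion-queries <integer>;
+max-refresh-time <integer>;
+max-retry-time <integer>;
+max-transfer-idle-in <integer>;
+diff -up bind-9.9.4/lib/dns/adb.c.CVE-2014-8500 bind-9.9.4/lib/dns/adb.c
+--- bind-9.9.4/lib/dns/adb.c.CVE-2014-8500 2013-09-05 07:09:08.000000000 +0200
++++ bind-9.9.4/lib/dns/adb.c 2014-12-10 14:56:24.965552566 +0100
+@@ -201,6 +201,7 @@ struct dns_adbfetch {
+unsigned int magic;
+dns_fetch_t *fetch;
+dns_rdataset_t rdataset;
++ unsigned int depth;
+};
+/*%
+@@ -300,8 +301,7 @@ static inline isc_boolean_t dec_entry_re
+static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *);
+static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
+static void clean_target(dns_adb_t *, dns_name_t *);
+-static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t,
+- unsigned int);
++static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t, unsigned int);
+static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t);
+static isc_boolean_t check_expire_entry(dns_adb_t *, dns_adbentry_t **,
+isc_stdtime_t);
+@@ -309,6 +309,7 @@ static void cancel_fetches_at_name(dns_a
+static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t,
+dns_rdatatype_t);
+static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t,
++ unsigned int, isc_counter_t *qc,
+dns_rdatatype_t);
+static inline void check_exit(dns_adb_t *);
+static void destroy(dns_adb_t *);
+@@ -2770,6 +2771,19 @@ dns_adb_createfind(dns_adb_t *adb, isc_t
+isc_stdtime_t now, dns_name_t *target,
+in_port_t port, dns_adbfind_t **findp)
+{
++ return (dns_adb_createfind2(adb, task, action, arg, name,
++ qname, qtype, options, now,
++ target, port, 0, NULL, findp));
++}
++
++isc_result_t
++dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
++ void *arg, dns_name_t *name, dns_name_t *qname,
++ dns_rdatatype_t qtype, unsigned int options,
++ isc_stdtime_t now, dns_name_t *target,
++ in_port_t port, unsigned int depth, isc_counter_t *qc,
++ dns_adbfind_t **findp)
++{
+dns_adbfind_t *find;
+dns_adbname_t *adbname;
+int bucket;
+@@ -3000,7 +3014,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_t
+* Start V4.
+*/
+if (WANT_INET(wanted_fetches) &&
+- fetch_name(adbname, start_at_zone,
++ fetch_name(adbname, start_at_zone, depth, qc,
+dns_rdatatype_a) == ISC_R_SUCCESS) {
+DP(DEF_LEVEL,
+"dns_adb_createfind: started A fetch for name %p",
+@@ -3011,7 +3025,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_t
+* Start V6.
+*/
+if (WANT_INET6(wanted_fetches) &&
+- fetch_name(adbname, start_at_zone,
++ fetch_name(adbname, start_at_zone, depth, qc,
+dns_rdatatype_aaaa) == ISC_R_SUCCESS) {
+DP(DEF_LEVEL,
+"dns_adb_createfind: "
+@@ -3754,6 +3768,12 @@ fetch_callback(isc_task_t *task, isc_eve
+DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s",
+buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA",
+dns_result_totext(dev->result));
++ /*
++ * Don't record a failure unless this is the initial
++ * fetch of a chain.
++ */
++ if (fetch->depth > 1)
++ goto out;
+/* XXXMLG Don't pound on bad servers. */
+if (address_type == DNS_ADBFIND_INET) {
+name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
+@@ -3791,9 +3811,8 @@ fetch_callback(isc_task_t *task, isc_eve
+}
+static isc_result_t
+-fetch_name(dns_adbname_t *adbname,
+- isc_boolean_t start_at_zone,
+- dns_rdatatype_t type)
++fetch_name(dns_adbname_t *adbname, isc_boolean_t start_at_zone,
++ unsigned int depth, isc_counter_t *qc, dns_rdatatype_t type)
+{
+isc_result_t result;
+dns_adbfetch_t *fetch = NULL;
+@@ -3838,12 +3857,14 @@ fetch_name(dns_adbname_t *adbname,
+result = ISC_R_NOMEMORY;
+goto cleanup;
+}
++ fetch->depth = depth;
+- result = dns_resolver_createfetch(adb->view->resolver, &adbname->name,
+- type, name, nameservers, NULL,
+- options, adb->task, fetch_callback,
+- adbname, &fetch->rdataset, NULL,
+- &fetch->fetch);
++ result = dns_resolver_createfetch3(adb->view->resolver, &adbname->name,
++ type, name, nameservers, NULL,
++ NULL, 0, options, depth, qc,
++ adb->task, fetch_callback, adbname,
++ &fetch->rdataset, NULL,
++ &fetch->fetch);
+if (result != ISC_R_SUCCESS)
+goto cleanup;
+diff -up bind-9.9.4/lib/dns/include/dns/adb.h.CVE-2014-8500 bind-9.9.4/lib/dns/include/dns/adb.h
+--- bind-9.9.4/lib/dns/include/dns/adb.h.CVE-2014-8500 2013-09-05 07:09:08.000000000 +0200
++++ bind-9.9.4/lib/dns/include/dns/adb.h 2014-12-10 14:56:24.965552566 +0100
+@@ -334,6 +334,13 @@ dns_adb_createfind(dns_adb_t *adb, isc_t
+dns_rdatatype_t qtype, unsigned int options,
+isc_stdtime_t now, dns_name_t *target,
+in_port_t port, dns_adbfind_t **find);
++isc_result_t
++dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
++ void *arg, dns_name_t *name, dns_name_t *qname,
++ dns_rdatatype_t qtype, unsigned int options,
++ isc_stdtime_t now, dns_name_t *target, in_port_t port,
++ unsigned int depth, isc_counter_t *qc,
++ dns_adbfind_t **find);
+/*%<
+* Main interface for clients. The adb will look up the name given in
+* "name" and will build up a list of found addresses, and perhaps start
+diff -up bind-9.9.4/lib/dns/include/dns/resolver.h.CVE-2014-8500 bind-9.9.4/lib/dns/include/dns/resolver.h
+--- bind-9.9.4/lib/dns/include/dns/resolver.h.CVE-2014-8500 2013-09-05 07:09:08.000000000 +0200
++++ bind-9.9.4/lib/dns/include/dns/resolver.h 2014-12-10 14:56:24.965552566 +0100
+@@ -274,6 +274,18 @@ dns_resolver_createfetch2(dns_resolver_t
+dns_rdataset_t *rdataset,
+dns_rdataset_t *sigrdataset,
+dns_fetch_t **fetchp);
++isc_result_t
++dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
++ dns_rdatatype_t type,
++ dns_name_t *domain, dns_rdataset_t *nameservers,
++ dns_forwarders_t *forwarders,
++ isc_sockaddr_t *client, isc_uint16_t id,
++ unsigned int options, unsigned int depth,
++ isc_counter_t *qc, isc_task_t *task,
++ isc_taskaction_t action, void *arg,
++ dns_rdataset_t *rdataset,
++ dns_rdataset_t *sigrdataset,
++ dns_fetch_t **fetchp);
+/*%<
+* Recurse to answer a question.
+*
+@@ -573,6 +585,30 @@ dns_resolver_printbadcache(dns_resolver_
+*
+* Requires:
+* \li resolver to be valid.
++ */
++
++void
++dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth);
++unsigned int
++dns_resolver_getmaxdepth(dns_resolver_t *resolver);
++/*%
++ * Get and set how many NS indirections will be followed when looking for
++ * nameserver addresses.
++ *
++ * Requires:
++ * \li resolver to be valid.
++ */
++
++void
++dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries);
++unsigned int
++dns_resolver_getmaxqueries(dns_resolver_t *resolver);
++/*%
++ * Get and set how many iterative queries will be allowed before
++ * terminating a recursive query.
++ *
++ * Requires:
++ * \li resolver to be valid.
+*/
+ISC_LANG_ENDDECLS
+diff -up bind-9.9.4/lib/dns/resolver.c.CVE-2014-8500 bind-9.9.4/lib/dns/resolver.c
+--- bind-9.9.4/lib/dns/resolver.c.CVE-2014-8500 2014-12-10 14:56:24.952552551 +0100
++++ bind-9.9.4/lib/dns/resolver.c 2014-12-10 15:01:56.855970646 +0100
+@@ -21,6 +21,7 @@
+#include <config.h>
++#include <isc/counter.h>
+#include <isc/log.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+@@ -130,6 +131,16 @@
+#define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */
+#endif
++/* The default maximum number of recursions to follow before giving up. */
++#ifndef DEFAULT_RECURSION_DEPTH
++#define DEFAULT_RECURSION_DEPTH 7
++#endif
++
++/* The default maximum number of iterative queries to allow before giving up. */
++#ifndef DEFAULT_MAX_QUERIES
++#define DEFAULT_MAX_QUERIES 50
++#endif
++
+/*%
+* Maximum EDNS0 input packet size.
+*/
+@@ -233,12 +244,13 @@ struct fetchctx {
+isc_sockaddrlist_t edns;
+isc_sockaddrlist_t edns512;
+isc_sockaddrlist_t bad_edns;
+- dns_validator_t *validator;
++ dns_validator_t * validator;
+ISC_LIST(dns_validator_t) validators;
+dns_db_t * cache;
+dns_adb_t * adb;
+isc_boolean_t ns_ttl_ok;
+isc_uint32_t ns_ttl;
++ isc_counter_t * qc;
+/*%
+* The number of events we're waiting for.
+@@ -306,6 +318,7 @@ struct fetchctx {
+isc_boolean_t timeout;
+dns_adbaddrinfo_t *addrinfo;
+isc_sockaddr_t *client;
++ unsigned int depth;
+};
+#define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
+@@ -418,6 +431,8 @@ struct dns_resolver {
+isc_timer_t * spillattimer;
+isc_boolean_t zero_no_soa_ttl;
+unsigned int query_timeout;
++ unsigned int maxdepth;
++ unsigned int maxqueries;
+/* Locked by lock. */
+unsigned int references;
+@@ -1533,6 +1548,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddr
+if (result != ISC_R_SUCCESS)
+goto cleanup_dispatch;
+}
++
+fctx->querysent++;
+ISC_LIST_APPEND(fctx->queries, query, link);
+@@ -2186,9 +2202,9 @@ fctx_finddone(isc_task_t *task, isc_even
+*/
+INSIST(!SHUTTINGDOWN(fctx));
+fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+- if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES)
++ if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) {
+want_try = ISC_TRUE;
+- else {
++ } else {
+fctx->findfail++;
+if (fctx->pending == 0) {
+/*
+@@ -2471,12 +2487,13 @@ findname(fetchctx_t *fctx, dns_name_t *n
+* See what we know about this address.
+*/
+find = NULL;
+- result = dns_adb_createfind(fctx->adb,
+- res->buckets[fctx->bucketnum].task,
+- fctx_finddone, fctx, name,
+- &fctx->name, fctx->type,
+- options, now, NULL,
+- res->view->dstport, &find);
++ result = dns_adb_createfind2(fctx->adb,
++ res->buckets[fctx->bucketnum].task,
++ fctx_finddone, fctx, name,
++ &fctx->name, fctx->type,
++ options, now, NULL,
++ res->view->dstport,
++ fctx->depth + 1, fctx->qc, &find);
+if (result != ISC_R_SUCCESS) {
+if (result == DNS_R_ALIAS) {
+/*
+@@ -2584,6 +2601,14 @@ fctx_getaddresses(fetchctx_t *fctx, isc_
+res = fctx->res;
++ if (fctx->depth > res->maxdepth) {
++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
++ "too much NS indirection resolving '%s'",
++ fctx->info);
++ return (DNS_R_SERVFAIL);
++ }
++
+/*
+* Forwarders.
+*/
+@@ -3059,6 +3084,16 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t
+}
+}
++ result = isc_counter_increment(fctx->qc);
++ if (result != ISC_R_SUCCESS) {
++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
++ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
++ "exceeded max queries resolving '%s'",
++ fctx->info);
++ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
++ return;
++ }
++
+result = fctx_query(fctx, addrinfo, fctx->options);
+if (result != ISC_R_SUCCESS)
+fctx_done(fctx, result, __LINE__);
+@@ -3157,6 +3192,7 @@ fctx_destroy(fetchctx_t *fctx) {
+isc_mem_put(fctx->mctx, sa, sizeof(*sa));
+}
++ isc_counter_detach(&fctx->qc);
+isc_timer_detach(&fctx->timer);
+dns_message_destroy(&fctx->rmessage);
+dns_message_destroy(&fctx->qmessage);
+@@ -3485,7 +3521,8 @@ log_ns_ttl(fetchctx_t *fctx, const char
+static isc_result_t
+fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+dns_name_t *domain, dns_rdataset_t *nameservers,
+- unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp)
++ unsigned int options, unsigned int bucketnum, unsigned int depth,
++ isc_counter_t *qc, fetchctx_t **fctxp)
+{
+fetchctx_t *fctx;
+isc_result_t result;
+@@ -3507,6 +3544,21 @@ fctx_create(dns_resolver_t *res, dns_nam
+fctx = isc_mem_get(mctx, sizeof(*fctx));
+if (fctx == NULL)
+return (ISC_R_NOMEMORY);
++
++ fctx->qc = NULL;
++ if (qc != NULL) {
++ isc_counter_attach(qc, &fctx->qc);
++ } else {
++ result = isc_counter_create(res->mctx,
++ res->maxqueries, &fctx->qc);
++ if (result != ISC_R_SUCCESS)
++ goto cleanup_fetch;
++ }
++
++ /*
++ * Make fctx->info point to a copy of a formatted string
++ * "name/type".
++ */
+dns_name_format(name, buf, sizeof(buf));
+dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+strcat(buf, "/"); /* checked */
+@@ -3514,7 +3566,7 @@ fctx_create(dns_resolver_t *res, dns_nam
+fctx->info = isc_mem_strdup(mctx, buf);
+if (fctx->info == NULL) {
+result = ISC_R_NOMEMORY;
+- goto cleanup_fetch;
++ goto cleanup_counter;
+}
+FCTXTRACE("create");
+dns_name_init(&fctx->name, NULL);
+@@ -3537,6 +3589,7 @@ fctx_create(dns_resolver_t *res, dns_nam
+fctx->state = fetchstate_init;
+fctx->want_shutdown = ISC_FALSE;
+fctx->cloned = ISC_FALSE;
++ fctx->depth = depth;
+ISC_LIST_INIT(fctx->queries);
+ISC_LIST_INIT(fctx->finds);
+ISC_LIST_INIT(fctx->altfinds);
+@@ -3742,6 +3795,9 @@ fctx_create(dns_resolver_t *res, dns_nam
+cleanup_info:
+isc_mem_free(mctx, fctx->info);
++ cleanup_counter:
++ isc_counter_detach(&fctx->qc);
++
+cleanup_fetch:
+isc_mem_put(mctx, fctx, sizeof(*fctx));
+@@ -5655,7 +5711,7 @@ noanswer_response(fetchctx_t *fctx, dns_
+char qbuf[DNS_NAME_FORMATSIZE];
+char nbuf[DNS_NAME_FORMATSIZE];
+char tbuf[DNS_RDATATYPE_FORMATSIZE];
+- dns_rdatatype_format(fctx->type, tbuf,
++ dns_rdatatype_format(type, tbuf,
+sizeof(tbuf));
+dns_name_format(name, nbuf,
+sizeof(nbuf));
+@@ -5664,7 +5720,7 @@ noanswer_response(fetchctx_t *fctx, dns_
+log_formerr(fctx,
+"unrelated %s %s in "
+"%s authority section",
+- tbuf, qbuf, nbuf);
++ tbuf, nbuf, qbuf);
+return (DNS_R_FORMERR);
+}
+if (type == dns_rdatatype_ns) {
+@@ -7725,6 +7781,8 @@ dns_resolver_create(dns_view_t *view,
+res->spillattimer = NULL;
+res->zero_no_soa_ttl = ISC_FALSE;
+res->query_timeout = DEFAULT_QUERY_TIMEOUT;
++ res->maxdepth = DEFAULT_RECURSION_DEPTH;
++ res->maxqueries = DEFAULT_MAX_QUERIES;
+res->nbuckets = ntasks;
+res->activebuckets = ntasks;
+res->buckets = isc_mem_get(view->mctx,
+@@ -8163,9 +8221,9 @@ dns_resolver_createfetch(dns_resolver_t
+dns_rdataset_t *sigrdataset,
+dns_fetch_t **fetchp)
+{
+- return (dns_resolver_createfetch2(res, name, type, domain,
++ return (dns_resolver_createfetch3(res, name, type, domain,
+nameservers, forwarders, NULL, 0,
+- options, task, action, arg,
++ options, 0, NULL, task, action, arg,
+rdataset, sigrdataset, fetchp));
+}
+@@ -8181,6 +8239,25 @@ dns_resolver_createfetch2(dns_resolver_t
+dns_rdataset_t *sigrdataset,
+dns_fetch_t **fetchp)
+{
++ return (dns_resolver_createfetch3(res, name, type, domain,
++ nameservers, forwarders, client, id,
++ options, 0, NULL, task, action, arg,
++ rdataset, sigrdataset, fetchp));
++}
++
++isc_result_t
++dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
++ dns_rdatatype_t type,
++ dns_name_t *domain, dns_rdataset_t *nameservers,
++ dns_forwarders_t *forwarders,
++ isc_sockaddr_t *client, dns_messageid_t id,
++ unsigned int options, unsigned int depth,
++ isc_counter_t *qc, isc_task_t *task,
++ isc_taskaction_t action, void *arg,
++ dns_rdataset_t *rdataset,
++ dns_rdataset_t *sigrdataset,
++ dns_fetch_t **fetchp)
++{
+dns_fetch_t *fetch;
+fetchctx_t *fctx = NULL;
+isc_result_t result = ISC_R_SUCCESS;
+@@ -8269,11 +8346,12 @@ dns_resolver_createfetch2(dns_resolver_t
+if (fctx == NULL) {
+result = fctx_create(res, name, type, domain, nameservers,
+- options, bucketnum, &fctx);
++ options, bucketnum, depth, qc, &fctx);
+if (result != ISC_R_SUCCESS)
+goto unlock;
+new_fctx = ISC_TRUE;
+- }
++ } else if (fctx->depth > depth)
++ fctx->depth = depth;
+result = fctx_join(fctx, task, client, id, action, arg,
+rdataset, sigrdataset, fetch);
+@@ -9045,3 +9123,27 @@ dns_resolver_settimeout(dns_resolver_t *
+resolver->query_timeout = seconds;
+}
++
++void
++dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) {
++ REQUIRE(VALID_RESOLVER(resolver));
++ resolver->maxdepth = maxdepth;
++}
++
++unsigned int
++dns_resolver_getmaxdepth(dns_resolver_t *resolver) {
++ REQUIRE(VALID_RESOLVER(resolver));
++ return (resolver->maxdepth);
++}
++
++void
++dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries) {
++ REQUIRE(VALID_RESOLVER(resolver));
++ resolver->maxqueries = queries;
++}
++
++unsigned int
++dns_resolver_getmaxqueries(dns_resolver_t *resolver) {
++ REQUIRE(VALID_RESOLVER(resolver));
++ return (resolver->maxqueries);
++}
+diff -up bind-9.9.4/lib/export/isc/Makefile.in.CVE-2014-8500 bind-9.9.4/lib/export/isc/Makefile.in
+--- bind-9.9.4/lib/export/isc/Makefile.in.CVE-2014-8500 2014-12-10 14:56:24.907552500 +0100
++++ bind-9.9.4/lib/export/isc/Makefile.in 2014-12-10 14:56:24.967552568 +0100
+@@ -63,7 +63,7 @@ WIN32OBJS = win32/condition.@O@ win32/d
+# Alphabetically
+OBJS = @ISC_EXTRA_OBJS@ \
+assertions.@O@ backtrace.@O@ backtrace-emptytbl.@O@ base32.@O@ \
+- base64.@O@ buffer.@O@ bufferlist.@O@ \
++ base64.@O@ buffer.@O@ bufferlist.@O@ counter.@O@ \
+error.@O@ event.@O@ \
+hash.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \
+inet_aton.@O@ iterated_hash.@O@ lex.@O@ lfsr.@O@ log.@O@ \
+@@ -85,7 +85,7 @@ ISCDRIVERSRCS = mem.c task.c lib.c timer
+SRCS = @ISC_EXTRA_SRCS@ \
+assertions.c backtrace.c backtrace-emptytbl.c base32.c \
+- base64.c buffer.c bufferlist.c \
++ base64.c buffer.c bufferlist.c counter.c \
+error.c event.c \
+hash.c hex.c hmacmd5.c hmacsha.c \
+inet_aton.c iterated_hash.c lex.c log.c lfsr.c \
+diff -up bind-9.9.4/lib/isccfg/namedconf.c.CVE-2014-8500 bind-9.9.4/lib/isccfg/namedconf.c
+--- bind-9.9.4/lib/isccfg/namedconf.c.CVE-2014-8500 2014-12-10 14:56:24.969552570 +0100
++++ bind-9.9.4/lib/isccfg/namedconf.c 2014-12-10 15:04:14.636091707 +0100
+@@ -1421,6 +1421,8 @@ view_clauses[] = {
+{ "max-cache-ttl", &cfg_type_uint32, 0 },
+{ "max-clients-per-query", &cfg_type_uint32, 0 },
+{ "max-ncache-ttl", &cfg_type_uint32, 0 },
++ { "max-recursion-depth", &cfg_type_uint32, 0 },
++ { "max-recursion-queries", &cfg_type_uint32, 0 },
+{ "max-udp-size", &cfg_type_uint32, 0 },
+{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
+{ "minimal-responses", &cfg_type_boolean, 0 },
+diff -up bind-9.9.4/lib/isc/counter.c.CVE-2014-8500 bind-9.9.4/lib/isc/counter.c
+--- bind-9.9.4/lib/isc/counter.c.CVE-2014-8500 2014-12-10 14:56:24.968552569 +0100
++++ bind-9.9.4/lib/isc/counter.c 2014-12-10 14:56:24.968552569 +0100
+@@ -0,0 +1,138 @@
++/*
++ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++/*! \file */
++
++#include <config.h>
++
++#include <stddef.h>
++
++#include <isc/counter.h>
++#include <isc/magic.h>
++#include <isc/mem.h>
++#include <isc/util.h>
++
++#define COUNTER_MAGIC ISC_MAGIC('C', 'n', 't', 'r')
++#define VALID_COUNTER(r) ISC_MAGIC_VALID(r, COUNTER_MAGIC)
++
++struct isc_counter {
++ unsigned int magic;
++ isc_mem_t *mctx;
++ isc_mutex_t lock;
++ unsigned int references;
++ unsigned int limit;
++ unsigned int used;
++};
++
++isc_result_t
++isc_counter_create(isc_mem_t *mctx, int limit, isc_counter_t **counterp) {
++ isc_result_t result;
++ isc_counter_t *counter;
++
++ REQUIRE(counterp != NULL && *counterp == NULL);
++
++ counter = isc_mem_get(mctx, sizeof(*counter));
++ if (counter == NULL)
++ return (ISC_R_NOMEMORY);
++
++ result = isc_mutex_init(&counter->lock);
++ if (result != ISC_R_SUCCESS) {
++ isc_mem_put(mctx, counter, sizeof(*counter));
++ return (result);
++ }
++
++ counter->mctx = NULL;
++ isc_mem_attach(mctx, &counter->mctx);
++
++ counter->references = 1;
++ counter->limit = limit;
++ counter->used = 0;
++
++ counter->magic = COUNTER_MAGIC;
++ *counterp = counter;
++ return (ISC_R_SUCCESS);
++}
++
++isc_result_t
++isc_counter_increment(isc_counter_t *counter) {
++ isc_result_t result = ISC_R_SUCCESS;
++
++ LOCK(&counter->lock);
++ counter->used++;
++ if (counter->limit != 0 && counter->used >= counter->limit)
++ result = ISC_R_QUOTA;
++ UNLOCK(&counter->lock);
++
++ return (result);
++}
++
++unsigned int
++isc_counter_used(isc_counter_t *counter) {
++ REQUIRE(VALID_COUNTER(counter));
++
++ return (counter->used);
++}
++
++void
++isc_counter_setlimit(isc_counter_t *counter, int limit) {
++ REQUIRE(VALID_COUNTER(counter));
++
++ LOCK(&counter->lock);
++ counter->limit = limit;
++ UNLOCK(&counter->lock);
++}
++
++void
++isc_counter_attach(isc_counter_t *source, isc_counter_t **targetp) {
++ REQUIRE(VALID_COUNTER(source));
++ REQUIRE(targetp != NULL && *targetp == NULL);
++
++ LOCK(&source->lock);
++ source->references++;
++ INSIST(source->references > 0);
++ UNLOCK(&source->lock);
++
++ *targetp = source;
++}
++
++static void
++destroy(isc_counter_t *counter) {
++ counter->magic = 0;
++ isc_mutex_destroy(&counter->lock);
++ isc_mem_putanddetach(&counter->mctx, counter, sizeof(*counter));
++}
++
++void
++isc_counter_detach(isc_counter_t **counterp) {
++ isc_counter_t *counter;
++ isc_boolean_t want_destroy = ISC_FALSE;
++
++ REQUIRE(counterp != NULL && *counterp != NULL);
++ counter = *counterp;
++ REQUIRE(VALID_COUNTER(counter));
++
++ *counterp = NULL;
++
++ LOCK(&counter->lock);
++ INSIST(counter->references > 0);
++ counter->references--;
++ if (counter->references == 0)
++ want_destroy = ISC_TRUE;
++ UNLOCK(&counter->lock);
++
++ if (want_destroy)
++ destroy(counter);
++}
+diff -up bind-9.9.4/lib/isc/include/isc/counter.h.CVE-2014-8500 bind-9.9.4/lib/isc/include/isc/counter.h
+--- bind-9.9.4/lib/isc/include/isc/counter.h.CVE-2014-8500 2014-12-10 14:56:24.968552569 +0100
++++ bind-9.9.4/lib/isc/include/isc/counter.h 2014-12-10 14:56:24.968552569 +0100
+@@ -0,0 +1,90 @@
++/*
++ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
++ *
++ * Permission to use, copy, modify, and/or distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
++ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
++ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
++ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
++ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
++ * PERFORMANCE OF THIS SOFTWARE.
++ */
++
++#ifndef ISC_COUNTER_H
++#define ISC_COUNTER_H 1
++
++/*****
++ ***** Module Info
++ *****/
++
++/*! \file isc/counter.h
++ *
++ * \brief The isc_counter_t object is a simplified version of the
++ * isc_quota_t object; it tracks the consumption of limited
++ * resources, returning an error condition when the quota is
++ * exceeded. However, unlike isc_quota_t, attaching and detaching
++ * from a counter object does not increment or decrement the counter.
++ */
++
++/***
++ *** Imports.
++ ***/
++
++#include <isc/lang.h>
++#include <isc/mutex.h>
++#include <isc/types.h>
++
++/*****
++ ***** Types.
++ *****/
++
++ISC_LANG_BEGINDECLS
++
++isc_result_t
++isc_counter_create(isc_mem_t *mctx, int limit, isc_counter_t **counterp);
++/*%<
++ * Allocate and initialize a counter object.
++ */
++
++isc_result_t
++isc_counter_increment(isc_counter_t *counter);
++/*%<
++ * Increment the counter.
++ *
++ * If the counter limit is nonzero and has been reached, then
++ * return ISC_R_QUOTA, otherwise ISC_R_SUCCESS. (The counter is
++ * incremented regardless of return value.)
++ */
++
++unsigned int
++isc_counter_used(isc_counter_t *counter);
++/*%<
++ * Return the current counter value.
++ */
++
++void
++isc_counter_setlimit(isc_counter_t *counter, int limit);
++/*%<
++ * Set the counter limit.
++ */
++
++void
++isc_counter_attach(isc_counter_t *source, isc_counter_t **targetp);
++/*%<
++ * Attach to a counter object, increasing its reference counter.
++ */
++
++void
++isc_counter_detach(isc_counter_t **counterp);
++/*%<
++ * Detach (and destroy if reference counter has dropped to zero)
++ * a counter object.
++ */
++
++ISC_LANG_ENDDECLS
++
++#endif /* ISC_COUNTER_H */
+diff -up bind-9.9.4/lib/isc/include/isc/Makefile.in.CVE-2014-8500 bind-9.9.4/lib/isc/include/isc/Makefile.in
+--- bind-9.9.4/lib/isc/include/isc/Makefile.in.CVE-2014-8500 2014-12-10 15:02:34.811005903 +0100
++++ bind-9.9.4/lib/isc/include/isc/Makefile.in 2014-12-10 15:03:01.099030322 +0100
+@@ -27,7 +27,7 @@ top_srcdir = @top_srcdir@
+# install target below.
+#
+HEADERS = app.h assertions.h base64.h bind9.h bitstring.h boolean.h \
+- buffer.h bufferlist.h commandline.h entropy.h error.h event.h \
++ buffer.h bufferlist.h commandline.h counter.h entropy.h error.h event.h \
+eventclass.h file.h formatcheck.h fsaccess.h \
+hash.h heap.h hex.h hmacmd5.h hmacsha.h \
+httpd.h \
+diff -up bind-9.9.4/lib/isc/include/isc/types.h.CVE-2014-8500 bind-9.9.4/lib/isc/include/isc/types.h
+--- bind-9.9.4/lib/isc/include/isc/types.h.CVE-2014-8500 2013-09-05 07:09:08.000000000 +0200
++++ bind-9.9.4/lib/isc/include/isc/types.h 2014-12-10 14:56:24.968552569 +0100
+@@ -50,6 +50,7 @@ typedef struct isc_buffer isc_buffer_t;
+typedef ISC_LIST(isc_buffer_t) isc_bufferlist_t; /*%< Buffer List */
+typedef struct isc_constregion isc_constregion_t; /*%< Const region */
+typedef struct isc_consttextregion isc_consttextregion_t; /*%< Const Text Region */
++typedef struct isc_counter isc_counter_t; /*%< Counter */
+typedef struct isc_entropy isc_entropy_t; /*%< Entropy */
+typedef struct isc_entropysource isc_entropysource_t; /*%< Entropy Source */
+typedef struct isc_event isc_event_t; /*%< Event */
+diff -up bind-9.9.4/lib/isc/Makefile.in.CVE-2014-8500 bind-9.9.4/lib/isc/Makefile.in
+--- bind-9.9.4/lib/isc/Makefile.in.CVE-2014-8500 2014-12-10 14:56:24.860552447 +0100
++++ bind-9.9.4/lib/isc/Makefile.in 2014-12-10 14:56:24.968552569 +0100
+@@ -53,7 +53,7 @@ WIN32OBJS = win32/condition.@O@ win32/d
+OBJS = @ISC_EXTRA_OBJS@ \
+assertions.@O@ backtrace.@O@ base32.@O@ base64.@O@ \
+bitstring.@O@ buffer.@O@ bufferlist.@O@ commandline.@O@ \
+- error.@O@ event.@O@ \
++ counter.@O@ error.@O@ event.@O@ \
+hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \
+httpd.@O@ inet_aton.@O@ iterated_hash.@O@ \
+lex.@O@ lfsr.@O@ lib.@O@ log.@O@ \
+@@ -70,8 +70,8 @@ SYMTBLOBJS = backtrace-emptytbl.@O@
+# Alphabetically
+SRCS = @ISC_EXTRA_SRCS@ \
+assertions.c backtrace.c base32.c base64.c bitstring.c \
+- buffer.c bufferlist.c commandline.c error.c event.c \
+- heap.c hex.c hmacmd5.c hmacsha.c \
++ buffer.c bufferlist.c commandline.c counter.c \
++ error.c event.c heap.c hex.c hmacmd5.c hmacsha.c \
+httpd.c inet_aton.c iterated_hash.c \
+lex.c lfsr.c lib.c log.c \
+md5.c mem.c mutexblock.c \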
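Review bot: `isc_counter_increment()` in the new lib/isc/counter.c is the only exported function in that file without a `REQUIRE(VALID_COUNTER(counter));` guard, while `isc_counter_used()`, `isc_counter_setlimit()`, `isc_counter_attach()` and `isc_counter_detach()` all have one; adding it before the `LOCK(&counter->lock);` keeps the module consistent and catches a detached counter at the hot call site in `fctx_try()`. `isc_counter_create()` and `isc_counter_setlimit()` take `int limit` but store it into the `unsigned int limit` field, so a negative argument silently becomes a very large cap; the only visible caller passes the unsigned `res->maxqueries`, so declaring both parameters `unsigned int limit` removes the conversion without changing callers. Because the quota test is `counter->used >= counter->limit`, the limit-th increment already fails (with the default of 50 the 50th `fctx_try()` call returns SERVFAIL), and a limit of 0 disables the check entirely; the ARM text added for max-recursion-queries states neither, and could say that 0 means no limit. Since this is an upstream backport, these are points to compare against the current ISC tree rather than to change only in the package.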

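--- a/SOURCES/bind99-CVE-2015-1349.patch
+++ b/SOURCES/bind99-CVE-2015-1349.patch
@@ -0,0 +1,25 @@
+diff -up bind-9.9.4/lib/dns/zone.c.CVE-2015-1349 bind-9.9.4/lib/dns/zone.c
+--- bind-9.9.4/lib/dns/zone.c.CVE-2015-1349 2015-03-02 11:18:36.138872044 +0100
++++ bind-9.9.4/lib/dns/zone.c 2015-03-02 11:20:15.941032102 +0100
+@@ -8456,6 +8456,12 @@ keyfetch_done(isc_task_t *task, isc_even
+namebuf, tag);
+trustkey = ISC_TRUE;
+}
++ } else {
++ /*
++ * No previously known key, and the key is not
++ * secure, so skip it.
++ */
++ continue;
+}
+/* Delete old version */
+@@ -8504,7 +8510,7 @@ keyfetch_done(isc_task_t *task, isc_even
+trust_key(zone, keyname, &dnskey, mctx);
+}
+- if (!deletekey)
++ if (secure && !deletekey)
+set_refreshkeytimer(zone, &keydata, now);
+}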

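--- a/SOURCES/bind99-CVE-2015-4620.patch
+++ b/SOURCES/bind99-CVE-2015-4620.patch
@@ -0,0 +1,21 @@
+diff --git a/lib/dns/validator.c b/lib/dns/validator.c
+--- a/lib/dns/validator.c
++++ b/lib/dns/validator.c
+@@ -1422,7 +1422,6 @@ compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
+*/
+static isc_boolean_t
+isselfsigned(dns_validator_t *val) {
+- dns_fixedname_t fixed;
+dns_rdataset_t *rdataset, *sigrdataset;
+dns_rdata_t rdata = DNS_RDATA_INIT;
+dns_rdata_t sigrdata = DNS_RDATA_INIT;
+@@ -1478,8 +1477,7 @@ isselfsigned(dns_validator_t *val) {
+result = dns_dnssec_verify3(name, rdataset, dstkey,
+ISC_TRUE,
+val->view->maxbits,
+- mctx, &sigrdata,
+- dns_fixedname_name(&fixed));
++ mctx, &sigrdata, NULL);
+dst_key_free(&dstkey);
+if (result != ISC_R_SUCCESS)
+continue;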
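Review bot: The `dns_dnssec_verify3()` call in `isselfsigned()` now passes `NULL` as its final argument in place of `dns_fixedname_name(&fixed)`, but nothing in the hunk says why that argument can be dropped; a comment such as `/* No wildcard name is wanted here; NULL is accepted for the last argument. */` above the call would record it — assuming the last parameter is the wildcard-name out-pointer, which this hunk does not show, so please confirm against the prototype. Neither hunk shows `fixed` being initialised before it was passed, which, if it was indeed uninitialised, is worth one sentence in the package changelog as the reason for this backport. `isselfsigned()` continues past the second hunk.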

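--- a/SOURCES/bind99-CVE-2015-5477.patch
+++ b/SOURCES/bind99-CVE-2015-5477.patch
@@ -0,0 +1,11 @@
+diff -up bind-9.9.4/lib/dns/tkey.c.CVE-2015-5477 bind-9.9.4/lib/dns/tkey.c
+--- bind-9.9.4/lib/dns/tkey.c.CVE-2015-5477 2015-07-27 22:36:02.318505839 +0200
++++ bind-9.9.4/lib/dns/tkey.c 2015-07-27 22:36:39.764698712 +0200
+@@ -650,6 +650,7 @@ dns_tkey_processquery(dns_message_t *msg
+* Try the answer section, since that's where Win2000
+* puts it.
+*/
++ name = NULL;
+if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+dns_rdatatype_tkey, 0, &name,
+&tkeyset) != ISC_R_SUCCESS) {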
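Review bot: The added `name = NULL;` in `dns_tkey_processquery()` has no comment explaining why the reset is required before the answer-section lookup; `dns_message_findname()` takes `&name` as an out-parameter, and the earlier lookup presumably left it set, so a comment such as `/* dns_message_findname() requires *name == NULL on entry; clear what the earlier lookup stored. */` would document the contract this fix depends on. Please confirm that requirement against the `dns_message_findname()` prototype, which is outside this hunk. `dns_tkey_processquery()` starts and ends outside the hunk.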

449
SOURCES/bind99-CVE-2015-5722.patch

@ -0,0 +1,449 @@ @@ -0,0 +1,449 @@
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index 7a56c79..3ac01a8 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -76,7 +76,7 @@ hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
if (hmacmd5ctx == NULL)
return (ISC_R_NOMEMORY);
- isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_SHA1_BLOCK_LENGTH);
+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, ISC_MD5_BLOCK_LENGTH);
dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
return (ISC_R_SUCCESS);
}
@@ -139,7 +139,7 @@ hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (hkey1 == NULL || hkey2 == NULL)
return (ISC_FALSE);
- if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_SHA1_BLOCK_LENGTH))
+ if (isc_safe_memcmp(hkey1->key, hkey2->key, ISC_MD5_BLOCK_LENGTH))
return (ISC_TRUE);
else
return (ISC_FALSE);
@@ -150,17 +150,17 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_t b;
isc_result_t ret;
unsigned int bytes;
- unsigned char data[ISC_SHA1_BLOCK_LENGTH];
+ unsigned char data[ISC_MD5_BLOCK_LENGTH];
UNUSED(callback);
bytes = (key->key_size + 7) / 8;
- if (bytes > ISC_SHA1_BLOCK_LENGTH) {
- bytes = ISC_SHA1_BLOCK_LENGTH;
- key->key_size = ISC_SHA1_BLOCK_LENGTH * 8;
+ if (bytes > ISC_MD5_BLOCK_LENGTH) {
+ bytes = ISC_MD5_BLOCK_LENGTH;
+ key->key_size = ISC_MD5_BLOCK_LENGTH * 8;
}
- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
if (ret != ISC_R_SUCCESS)
@@ -169,7 +169,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
isc_buffer_init(&b, data, bytes);
isc_buffer_add(&b, bytes);
ret = hmacmd5_fromdns(key, &b);
- memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+ memset(data, 0, ISC_MD5_BLOCK_LENGTH);
return (ret);
}
@@ -223,7 +223,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
memset(hkey->key, 0, sizeof(hkey->key));
- if (r.length > ISC_SHA1_BLOCK_LENGTH) {
+ if (r.length > ISC_MD5_BLOCK_LENGTH) {
isc_md5_init(&md5ctx);
isc_md5_update(&md5ctx, r.base, r.length);
isc_md5_final(&md5ctx, hkey->key);
@@ -237,6 +237,8 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
key->key_size = keylen * 8;
key->keydata.hmacmd5 = hkey;
+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}
@@ -518,6 +520,8 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
key->key_size = keylen * 8;
key->keydata.hmacsha1 = hkey;
+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}
@@ -804,6 +808,8 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
key->key_size = keylen * 8;
key->keydata.hmacsha224 = hkey;
+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}
@@ -1090,6 +1096,8 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
key->key_size = keylen * 8;
key->keydata.hmacsha256 = hkey;
+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}
@@ -1376,6 +1384,8 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
key->key_size = keylen * 8;
key->keydata.hmacsha384 = hkey;
+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}
@@ -1662,6 +1672,8 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
key->key_size = keylen * 8;
key->keydata.hmacsha512 = hkey;
+ isc_buffer_forward(data, r.length);
+
return (ISC_R_SUCCESS);
}
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index bdbd269..37853aa 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -69,6 +69,7 @@ typedef struct dst_context dst_context_t;
#define DST_ALG_HMACSHA256 163 /* XXXMPA */
#define DST_ALG_HMACSHA384 164 /* XXXMPA */
#define DST_ALG_HMACSHA512 165 /* XXXMPA */
+#define DST_ALG_INDIRECT 252
#define DST_ALG_PRIVATE 254
#define DST_ALG_EXPAND 255
#define DST_MAX_ALGS 255
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index bcb3d05..3114954 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -614,13 +614,11 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
dns_name_fromregion(&tname, &remaining);
INSIST(remaining.length >= tname.length);
isc_buffer_forward(&source, tname.length);
- remaining.length -= tname.length;
- remaining.base += tname.length;
+ isc_region_consume(&remaining, tname.length);
INSIST(remaining.length >= 2);
type = isc_buffer_getuint16(&source);
- remaining.length -= 2;
- remaining.base += 2;
+ isc_region_consume(&remaining, 2);
if (type != dns_rdatatype_rrsig ||
!dns_name_equal(&tname, name)) {
@@ -632,8 +630,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
INSIST(remaining.length >= 1);
trust = isc_buffer_getuint8(&source);
INSIST(trust <= dns_trust_ultimate);
- remaining.length -= 1;
- remaining.base += 1;
+ isc_region_consume(&remaining, 1);
raw = remaining.base;
count = raw[0] * 256 + raw[1];
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 55752da..f0cee8d 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -266,8 +266,10 @@ openssldh_destroy(dst_key_t *key) {
static void
uint16_toregion(isc_uint16_t val, isc_region_t *region) {
- *region->base++ = (val & 0xff00) >> 8;
- *region->base++ = (val & 0x00ff);
+ *region->base = (val & 0xff00) >> 8;
+ isc_region_consume(region, 1);
+ *region->base = (val & 0x00ff);
+ isc_region_consume(region, 1);
}
static isc_uint16_t
@@ -278,7 +280,8 @@ uint16_fromregion(isc_region_t *region) {
val = ((unsigned int)(cp[0])) << 8;
val |= ((unsigned int)(cp[1]));
- region->base += 2;
+ isc_region_consume(region, 2);
+
return (val);
}
@@ -319,16 +322,16 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
}
else
BN_bn2bin(dh->p, r.base);
- r.base += plen;
+ isc_region_consume(&r, plen);
uint16_toregion(glen, &r);
if (glen > 0)
BN_bn2bin(dh->g, r.base);
- r.base += glen;
+ isc_region_consume(&r, glen);
uint16_toregion(publen, &r);
BN_bn2bin(dh->pub_key, r.base);
- r.base += publen;
+ isc_region_consume(&r, publen);
isc_buffer_add(data, dnslen);
@@ -369,10 +372,12 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
return (DST_R_INVALIDPUBLICKEY);
}
if (plen == 1 || plen == 2) {
- if (plen == 1)
- special = *r.base++;
- else
+ if (plen == 1) {
+ special = *r.base;
+ isc_region_consume(&r, 1);
+ } else {
special = uint16_fromregion(&r);
+ }
switch (special) {
case 1:
dh->p = &bn768;
@@ -387,10 +392,9 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
DH_free(dh);
return (DST_R_INVALIDPUBLICKEY);
}
- }
- else {
+ } else {
dh->p = BN_bin2bn(r.base, plen, NULL);
- r.base += plen;
+ isc_region_consume(&r, plen);
}
/*
@@ -421,15 +425,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
return (DST_R_INVALIDPUBLICKEY);
}
}
- }
- else {
+ } else {
if (glen == 0) {
DH_free(dh);
return (DST_R_INVALIDPUBLICKEY);
}
dh->g = BN_bin2bn(r.base, glen, NULL);
}
- r.base += glen;
+ isc_region_consume(&r, glen);
if (r.length < 2) {
DH_free(dh);
@@ -441,7 +444,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
return (DST_R_INVALIDPUBLICKEY);
}
dh->pub_key = BN_bin2bn(r.base, publen, NULL);
- r.base += publen;
+ isc_region_consume(&r, publen);
key->key_size = BN_num_bits(dh->p);
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
index fd6e91e..8e16557 100644
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -137,6 +135,7 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
DSA *dsa = key->keydata.dsa;
isc_region_t r;
DSA_SIG *dsasig;
+ unsigned int klen;
#if USE_EVP
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
EVP_PKEY *pkey;
@@ -209,11 +209,17 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
"DSA_do_sign",
DST_R_SIGNFAILURE));
#endif
- *r.base++ = (key->key_size - 512)/64;
+
+ klen = (key->key_size - 512)/64;
+ if (klen > 255)
+ return (ISC_R_FAILURE);
+ *r.base = klen;
+ isc_region_consume(&r, 1);
+
BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
- r.base += ISC_SHA1_DIGESTLENGTH;
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
- r.base += ISC_SHA1_DIGESTLENGTH;
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
DSA_SIG_free(dsasig);
isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
@@ -446,15 +452,16 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
if (r.length < (unsigned int) dnslen)
return (ISC_R_NOSPACE);
- *r.base++ = t;
+ *r.base = t;
+ isc_region_consume(&r, 1);
BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
- r.base += ISC_SHA1_DIGESTLENGTH;
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
isc_buffer_add(data, dnslen);
@@ -479,29 +486,30 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
return (ISC_R_NOMEMORY);
dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
- t = (unsigned int) *r.base++;
+ t = (unsigned int) *r.base;
+ isc_region_consume(&r, 1);
if (t > 8) {
DSA_free(dsa);
return (DST_R_INVALIDPUBLICKEY);
}
p_bytes = 64 + 8 * t;
- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+ if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
DSA_free(dsa);
return (DST_R_INVALIDPUBLICKEY);
}
dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
- r.base += ISC_SHA1_DIGESTLENGTH;
+ isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
- r.base += p_bytes;
+ isc_region_consume(&r, p_bytes);
key->key_size = p_bytes * 8;
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index c64cc55..40c612b 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -159,9 +157,9 @@ opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
"ECDSA_do_sign",
DST_R_SIGNFAILURE));
BN_bn2bin_fixed(ecdsasig->r, r.base, siglen / 2);
- r.base += siglen / 2;
+ isc_region_consume(&r, siglen / 2);
BN_bn2bin_fixed(ecdsasig->s, r.base, siglen / 2);
- r.base += siglen / 2;
+ isc_region_consume(&r, siglen / 2);
ECDSA_SIG_free(ecdsasig);
isc_buffer_add(sig, siglen);
ret = ISC_R_SUCCESS;
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 1edeb8d..53c6d4b 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -965,6 +965,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
RSA *rsa;
isc_region_t r;
unsigned int e_bytes;
+ unsigned int length;
#if USE_EVP
EVP_PKEY *pkey;
#endif
@@ -972,6 +973,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
isc_buffer_remainingregion(data, &r);
if (r.length == 0)
return (ISC_R_SUCCESS);
+ length = r.length;
rsa = RSA_new();
if (rsa == NULL)
@@ -982,17 +984,18 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
RSA_free(rsa);
return (DST_R_INVALIDPUBLICKEY);
}
- e_bytes = *r.base++;
- r.length--;
+ e_bytes = *r.base;
+ isc_region_consume(&r, 1);
if (e_bytes == 0) {
if (r.length < 2) {
RSA_free(rsa);
return (DST_R_INVALIDPUBLICKEY);
}
- e_bytes = ((*r.base++) << 8);
- e_bytes += *r.base++;
- r.length -= 2;
+ e_bytes = (*r.base) << 8;
+ isc_region_consume(&r, 1);
+ e_bytes += *r.base;
+ isc_region_consume(&r, 1);
}
if (r.length < e_bytes) {
@@ -1000,14 +1003,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
return (DST_R_INVALIDPUBLICKEY);
}
rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
- r.base += e_bytes;
- r.length -= e_bytes;
+ isc_region_consume(&r, e_bytes);
rsa->n = BN_bin2bn(r.base, r.length, NULL);
key->key_size = BN_num_bits(rsa->n);
- isc_buffer_forward(data, r.length);
+ isc_buffer_forward(data, length);
#if USE_EVP
pkey = EVP_PKEY_new();
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 2004b0b..c7971b1 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -8959,6 +8959,12 @@ dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
REQUIRE(VALID_RESOLVER(resolver));
+ /*
+ * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
+ */
+ if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
+ return (ISC_FALSE);
+
#if USE_ALGLOCK
RWLOCK(&resolver->alglock, isc_rwlocktype_read);
#endif
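Review bot: In openssldsa_sign the new `if (klen > 255) return (ISC_R_FAILURE);` exits after the signature has already been produced — the DST_R_SIGNFAILURE handling at the top of that hunk is the signing call's error path, and `DSA_SIG_free(dsasig)` only happens further down the hunk — so this early return appears to leak dsasig. Freeing before leaving, `if (klen > 255) { DSA_SIG_free(dsasig); return (ISC_R_FAILURE); }`, keeps cleanup uniform with the normal path. The USE_EVP branch that produces dsasig is outside the hunk, so whether the same object is live on that path should be confirmed rather than assumed. openssldsa_sign begins before and continues after the hunk.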

179
SOURCES/bind99-CVE-2015-8000.patch

@ -0,0 +1,179 @@ @@ -0,0 +1,179 @@
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index a6862fa..d999e75 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -210,6 +210,8 @@ struct dns_message {
unsigned int verify_attempted : 1;
unsigned int free_query : 1;
unsigned int free_saved : 1;
+ unsigned int tkey : 1;
+ unsigned int rdclass_set : 1;
unsigned int opt_reserved;
unsigned int sig_reserved;
@@ -1374,6 +1376,15 @@ dns_message_buildopt(dns_message_t *msg, dns_rdataset_t **opt,
* \li other.
*/
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
+/*%<
+ * Set the expected class of records in the response.
+ *
+ * Requires:
+ * \li msg be a valid message with parsing intent.
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_MESSAGE_H */
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 53efc5a..73def73 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -436,6 +436,8 @@ msginit(dns_message_t *m) {
m->saved.base = NULL;
m->saved.length = 0;
m->free_saved = 0;
+ m->tkey = 0;
+ m->rdclass_set = 0;
m->querytsig = NULL;
}
@@ -1086,13 +1088,19 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
* If this class is different than the one we already read,
* this is an error.
*/
- if (msg->state == DNS_SECTION_ANY) {
- msg->state = DNS_SECTION_QUESTION;
+ if (msg->rdclass_set == 0) {
msg->rdclass = rdclass;
+ msg->rdclass_set = 1;
} else if (msg->rdclass != rdclass)
DO_FORMERR;
/*
+ * Is this a TKEY query?
+ */
+ if (rdtype == dns_rdatatype_tkey)
+ msg->tkey = 1;
+
+ /*
* Can't ask the same question twice.
*/
result = dns_message_find(name, rdclass, rdtype, 0, NULL);
@@ -1236,12 +1244,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
* If there was no question section, we may not yet have
* established a class. Do so now.
*/
- if (msg->state == DNS_SECTION_ANY &&
+ if (msg->rdclass_set == 0 &&
rdtype != dns_rdatatype_opt && /* class is UDP SIZE */
rdtype != dns_rdatatype_tsig && /* class is ANY */
rdtype != dns_rdatatype_tkey) { /* class is undefined */
msg->rdclass = rdclass;
- msg->state = DNS_SECTION_QUESTION;
+ msg->rdclass_set = 1;
}
/*
@@ -1251,7 +1259,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
if (msg->opcode != dns_opcode_update
&& rdtype != dns_rdatatype_tsig
&& rdtype != dns_rdatatype_opt
- && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
+ && rdtype != dns_rdatatype_key /* in a TKEY query */
&& rdtype != dns_rdatatype_sig /* SIG(0) */
&& rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
&& msg->rdclass != dns_rdataclass_any
@@ -1259,6 +1267,16 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
DO_FORMERR;
/*
+ * If this is not a TKEY query/response then the KEY
+ * record's class needs to match.
+ */
+ if (msg->opcode != dns_opcode_update && !msg->tkey &&
+ rdtype == dns_rdatatype_key &&
+ msg->rdclass != dns_rdataclass_any &&
+ msg->rdclass != rdclass)
+ DO_FORMERR;
+
+ /*
* Special type handling for TSIG, OPT, and TKEY.
*/
if (rdtype == dns_rdatatype_tsig) {
@@ -1372,6 +1390,10 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
skip_name_search = ISC_TRUE;
skip_type_search = ISC_TRUE;
issigzero = ISC_TRUE;
+ } else {
+ if (msg->rdclass != dns_rdataclass_any &&
+ msg->rdclass != rdclass)
+ DO_FORMERR;
}
} else
covers = 0;
@@ -1610,6 +1632,7 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
msg->header_ok = 1;
+ msg->state = DNS_SECTION_QUESTION;
/*
* -1 means no EDNS.
@@ -3550,3 +3573,15 @@ dns_message_buildopt(dns_message_t *message, dns_rdataset_t **rdatasetp,
dns_message_puttemprdatalist(message, &rdatalist);
return (result);
}
+
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+ REQUIRE(msg->state == DNS_SECTION_ANY);
+ REQUIRE(msg->rdclass_set == 0);
+
+ msg->rdclass = rdclass;
+ msg->rdclass_set = 1;
+}
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index aa23b11..d220986 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6964,6 +6964,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
goto done;
}
+ dns_message_setclass(message, fctx->res->rdclass);
+
result = dns_message_parse(message, &devent->buffer, 0);
if (result != ISC_R_SUCCESS) {
switch (result) {
@@ -7036,6 +7038,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
*/
log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
+ if (message->rdclass != fctx->res->rdclass) {
+ resend = ISC_TRUE;
+ FCTXTRACE("bad class");
+ goto done;
+ }
+
/*
* Process receive opt record.
*/
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 9ad8960..938373a 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -1241,6 +1241,8 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
msg->tsigctx = xfr->tsigctx;
xfr->tsigctx = NULL;
+ dns_message_setclass(msg, xfr->rdclass);
+
if (xfr->nmsg > 0)
msg->tcp_continuation = 1;
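Review bot: The header comment for dns_message_setclass in message.h documents only "msg be a valid message with parsing intent", but the implementation in message.c also REQUIREs `msg->state == DNS_SECTION_ANY` and `msg->rdclass_set == 0`, i.e. the message has not been parsed and no class has been set, so a caller that reuses an already-parsed message hits an assertion rather than an error return. The Requires block should list those preconditions, e.g. `\li msg has not been parsed (state is DNS_SECTION_ANY)` and `\li no class has been set on msg yet`. Both new call sites, resquery_response and xfrin_recv_done, invoke it before dns_message_parse, which satisfies this as far as the hunks show.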

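--- a/SOURCES/bind99-CVE-2015-8704.patch
+++ b/SOURCES/bind99-CVE-2015-8704.patch
@@ -0,0 +1,22 @@
+diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c
+index eb927b9..df35025 100644
+--- a/lib/dns/rdata/in_1/apl_42.c
++++ b/lib/dns/rdata/in_1/apl_42.c
+@@ -116,7 +116,7 @@ totext_in_apl(ARGS_TOTEXT) {
+isc_uint8_t len;
+isc_boolean_t neg;
+unsigned char buf[16];
+- char txt[sizeof(" !64000")];
++ char txt[sizeof(" !64000:")];
+const char *sep = "";
+int n;
+@@ -140,7 +140,7 @@ totext_in_apl(ARGS_TOTEXT) {
+isc_region_consume(&sr, 1);
+INSIST(len <= sr.length);
+n = snprintf(txt, sizeof(txt), "%s%s%u:", sep,
+- neg ? "!": "", afi);
++ neg ? "!" : "", afi);
+INSIST(n < (int)sizeof(txt));
+RETERR(str_totext(txt, target));
+switch (afi) {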
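Review bot: The corrected buffer size `sizeof(" !64000:")` encodes the maximum formatted width as a literal, and a reader has to rederive it from the `"%s%s%u:"` format — separator, optional `!`, the afi digits (five if afi is a 16-bit value, which the hunk does not show) and the trailing colon the old size omitted; a comment such as `/* sep + optional '!' + up to 5 afi digits + ':' + NUL */` next to the declaration would make the following INSIST verifiable. That matters because the INSIST turns an undersized buffer into an assertion failure rather than truncation. totext_in_apl continues outside both hunks.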

431
SOURCES/bind99-CVE-2016-1285-CVE-2016-1286.patch

@ -0,0 +1,431 @@ @@ -0,0 +1,431 @@
diff --git a/bin/named/control.c b/bin/named/control.c
index fabe442..06eadce 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
#endif
data = isccc_alist_lookup(message, "_data");
- if (data == NULL) {
+ if (!isccc_alist_alistp(data)) {
/*
* No data section.
*/
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index c46a6e1..ef32790 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -396,7 +396,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
* Limit exposure to replay attacks.
*/
_ctrl = isccc_alist_lookup(request, "_ctrl");
- if (_ctrl == NULL) {
+ if (!isccc_alist_alistp(_ctrl)) {
log_invalid(&conn->ccmsg, ISC_R_FAILURE);
goto cleanup_request;
}
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index ba2c3f6..9a007e2 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -252,8 +252,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
data = isccc_alist_lookup(response, "_data");
- if (data == NULL)
- fatal("no data section in response");
+ if (!isccc_alist_alistp(data))
+ fatal("bad or missing data section in response");
result = isccc_cc_lookupstring(data, "err", &errormsg);
if (result == ISC_R_SUCCESS) {
failed = ISC_TRUE;
@@ -316,8 +316,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
_ctrl = isccc_alist_lookup(response, "_ctrl");
- if (_ctrl == NULL)
- fatal("_ctrl section missing");
+ if (!isccc_alist_alistp(_ctrl))
+ fatal("bad or missing ctrl section in response");
nonce = 0;
if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
nonce = 0;
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index d220986..8696b15 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -5408,14 +5408,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
}
static inline isc_result_t
-dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
- dns_name_t *oname, dns_fixedname_t *fixeddname)
+dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
+ unsigned int nlabels, dns_fixedname_t *fixeddname)
{
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned int nlabels;
- int order;
- dns_namereln_t namereln;
dns_rdata_dname_t dname;
dns_fixedname_t prefix;
@@ -5430,21 +5427,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
if (result != ISC_R_SUCCESS)
return (result);
- /*
- * Get the prefix of qname.
- */
- namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
- if (namereln != dns_namereln_subdomain) {
- char qbuf[DNS_NAME_FORMATSIZE];
- char obuf[DNS_NAME_FORMATSIZE];
-
- dns_rdata_freestruct(&dname);
- dns_name_format(qname, qbuf, sizeof(qbuf));
- dns_name_format(oname, obuf, sizeof(obuf));
- log_formerr(fctx, "unrelated DNAME in answer: "
- "%s is not in %s", qbuf, obuf);
- return (DNS_R_FORMERR);
- }
dns_fixedname_init(&prefix);
dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
dns_fixedname_init(fixeddname);
@@ -6057,13 +6039,13 @@ static isc_result_t
answer_response(fetchctx_t *fctx) {
isc_result_t result;
dns_message_t *message;
- dns_name_t *name, *qname, tname, *ns_name;
+ dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
dns_rdataset_t *rdataset, *ns_rdataset;
isc_boolean_t done, external, chaining, aa, found, want_chaining;
isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
unsigned int aflag;
dns_rdatatype_t type;
- dns_fixedname_t dname, fqname;
+ dns_fixedname_t fdname, fqname;
dns_view_t *view;
FCTXTRACE("answer_response");
@@ -6091,10 +6073,15 @@ answer_response(fetchctx_t *fctx) {
view = fctx->res->view;
result = dns_message_firstname(message, DNS_SECTION_ANSWER);
while (!done && result == ISC_R_SUCCESS) {
+ dns_namereln_t namereln;
+ int order;
+ unsigned int nlabels;
+
name = NULL;
dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
- if (dns_name_equal(name, qname)) {
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+ if (namereln == dns_namereln_equal) {
wanted_chaining = ISC_FALSE;
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
@@ -6219,10 +6206,11 @@ answer_response(fetchctx_t *fctx) {
*/
INSIST(!external);
if (aflag ==
- DNS_RDATASETATTR_ANSWER)
+ DNS_RDATASETATTR_ANSWER) {
have_answer = ISC_TRUE;
- name->attributes |=
- DNS_NAMEATTR_ANSWER;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
+ }
rdataset->attributes |= aflag;
if (aa)
rdataset->trust =
@@ -6277,6 +6265,8 @@ answer_response(fetchctx_t *fctx) {
if (wanted_chaining)
chaining = ISC_TRUE;
} else {
+ dns_rdataset_t *dnameset = NULL;
+
/*
* Look for a DNAME (or its SIG). Anything else is
* ignored.
@@ -6284,32 +6274,56 @@ answer_response(fetchctx_t *fctx) {
wanted_chaining = ISC_FALSE;
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- isc_boolean_t found_dname = ISC_FALSE;
- dns_name_t *dname_name;
+ rdataset = ISC_LIST_NEXT(rdataset, link))
+ {
+ /*
+ * Only pass DNAME or RRSIG(DNAME).
+ */
+ if (rdataset->type != dns_rdatatype_dname &&
+ (rdataset->type != dns_rdatatype_rrsig ||
+ rdataset->covers != dns_rdatatype_dname))
+ continue;
+
+ /*
+ * If we're not chaining, then the DNAME and
+ * its signature should not be external.
+ */
+ if (!chaining && external) {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(name, qbuf,
+ sizeof(qbuf));
+ dns_name_format(&fctx->domain, obuf,
+ sizeof(obuf));
+ log_formerr(fctx, "external DNAME or "
+ "RRSIG covering DNAME "
+ "in answer: %s is "
+ "not in %s", qbuf, obuf);
+ return (DNS_R_FORMERR);
+ }
+
+ if (namereln != dns_namereln_subdomain) {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(qname, qbuf,
+ sizeof(qbuf));
+ dns_name_format(name, obuf,
+ sizeof(obuf));
+ log_formerr(fctx, "unrelated DNAME "
+ "in answer: %s is "
+ "not in %s", qbuf, obuf);
+ return (DNS_R_FORMERR);
+ }
- found = ISC_FALSE;
aflag = 0;
if (rdataset->type == dns_rdatatype_dname) {
- /*
- * We're looking for something else,
- * but we found a DNAME.
- *
- * If we're not chaining, then the
- * DNAME should not be external.
- */
- if (!chaining && external) {
- log_formerr(fctx,
- "external DNAME");
- return (DNS_R_FORMERR);
- }
- found = ISC_TRUE;
want_chaining = ISC_TRUE;
POST(want_chaining);
aflag = DNS_RDATASETATTR_ANSWER;
- result = dname_target(fctx, rdataset,
- qname, name,
- &dname);
+ result = dname_target(rdataset, qname,
+ nlabels, &fdname);
if (result == ISC_R_NOSPACE) {
/*
* We can't construct the
@@ -6321,90 +6335,73 @@ answer_response(fetchctx_t *fctx) {
} else if (result != ISC_R_SUCCESS)
return (result);
else
- found_dname = ISC_TRUE;
+ dnameset = rdataset;
- dname_name = dns_fixedname_name(&dname);
+ dname = dns_fixedname_name(&fdname);
if (!is_answertarget_allowed(view,
- qname,
- rdataset->type,
- dname_name,
- &fctx->domain)) {
+ qname, rdataset->type,
+ dname, &fctx->domain)) {
return (DNS_R_SERVFAIL);
}
- } else if (rdataset->type == dns_rdatatype_rrsig
- && rdataset->covers ==
- dns_rdatatype_dname) {
+ } else {
/*
* We've found a signature that
* covers the DNAME.
*/
- found = ISC_TRUE;
aflag = DNS_RDATASETATTR_ANSWERSIG;
}
- if (found) {
+ /*
+ * We've found an answer to our
+ * question.
+ */
+ name->attributes |= DNS_NAMEATTR_CACHE;
+ rdataset->attributes |= DNS_RDATASETATTR_CACHE;
+ rdataset->trust = dns_trust_answer;
+ if (!chaining) {
/*
- * We've found an answer to our
- * question.
+ * This data is "the" answer to
+ * our question only if we're
+ * not chaining.
*/
- name->attributes |=
- DNS_NAMEATTR_CACHE;
- rdataset->attributes |=
- DNS_RDATASETATTR_CACHE;
- rdataset->trust = dns_trust_answer;
- if (!chaining) {
- /*
- * This data is "the" answer
- * to our question only if
- * we're not chaining.
- */
- INSIST(!external);
- if (aflag ==
- DNS_RDATASETATTR_ANSWER)
- have_answer = ISC_TRUE;
+ INSIST(!external);
+ if (aflag == DNS_RDATASETATTR_ANSWER) {
+ have_answer = ISC_TRUE;
name->attributes |=
DNS_NAMEATTR_ANSWER;
- rdataset->attributes |= aflag;
- if (aa)
- rdataset->trust =
- dns_trust_authanswer;
- } else if (external) {
- rdataset->attributes |=
- DNS_RDATASETATTR_EXTERNAL;
- }
-
- /*
- * DNAME chaining.
- */
- if (found_dname) {
- /*
- * Copy the dname into the
- * qname fixed name.
- *
- * Although we check for
- * failure of the copy
- * operation, in practice it
- * should never fail since
- * we already know that the
- * result fits in a fixedname.
- */
- dns_fixedname_init(&fqname);
- result = dns_name_copy(
- dns_fixedname_name(&dname),
- dns_fixedname_name(&fqname),
- NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- wanted_chaining = ISC_TRUE;
- name->attributes |=
- DNS_NAMEATTR_CHAINING;
- rdataset->attributes |=
- DNS_RDATASETATTR_CHAINING;
- qname = dns_fixedname_name(
- &fqname);
}
+ rdataset->attributes |= aflag;
+ if (aa)
+ rdataset->trust =
+ dns_trust_authanswer;
+ } else if (external) {
+ rdataset->attributes |=
+ DNS_RDATASETATTR_EXTERNAL;
}
}
+
+ /*
+ * DNAME chaining.
+ */
+ if (dnameset != NULL) {
+ /*
+ * Copy the dname into the qname fixed name.
+ *
+ * Although we check for failure of the copy
+ * operation, in practice it should never fail
+ * since we already know that the result fits
+ * in a fixedname.
+ */
+ dns_fixedname_init(&fqname);
+ qname = dns_fixedname_name(&fqname);
+ result = dns_name_copy(dname, qname, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ wanted_chaining = ISC_TRUE;
+ name->attributes |= DNS_NAMEATTR_CHAINING;
+ dnameset->attributes |=
+ DNS_RDATASETATTR_CHAINING;
+ }
if (wanted_chaining)
chaining = ISC_TRUE;
}
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
index ae5391a..10e5dc9 100644
--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
@@ -286,10 +286,10 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
* Extract digest.
*/
_auth = isccc_alist_lookup(alist, "_auth");
- if (_auth == NULL)
+ if (!isccc_alist_alistp(_auth))
return (ISC_R_FAILURE);
hmd5 = isccc_alist_lookup(_auth, "hmd5");
- if (hmd5 == NULL)
+ if (!isccc_sexpr_binaryp(hmd5))
return (ISC_R_FAILURE);
/*
* Compute digest.
@@ -543,7 +543,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
REQUIRE(ackp != NULL && *ackp == NULL);
_ctrl = isccc_alist_lookup(message, "_ctrl");
- if (_ctrl == NULL ||
+ if (!isccc_alist_alistp(_ctrl) ||
isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
return (ISC_R_FAILURE);
@@ -588,7 +588,7 @@ isccc_cc_isack(isccc_sexpr_t *message)
isccc_sexpr_t *_ctrl;
_ctrl = isccc_alist_lookup(message, "_ctrl");
- if (_ctrl == NULL)
+ if (!isccc_alist_alistp(_ctrl))
return (ISC_FALSE);
if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
return (ISC_TRUE);
@@ -601,7 +601,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
isccc_sexpr_t *_ctrl;
_ctrl = isccc_alist_lookup(message, "_ctrl");
- if (_ctrl == NULL)
+ if (!isccc_alist_alistp(_ctrl))
return (ISC_FALSE);
if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
return (ISC_TRUE);
@@ -621,7 +621,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
_ctrl = isccc_alist_lookup(message, "_ctrl");
_data = isccc_alist_lookup(message, "_data");
- if (_ctrl == NULL || _data == NULL ||
+ if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
return (ISC_R_FAILURE);
@@ -810,7 +810,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
isccc_sexpr_t *_ctrl;
_ctrl = isccc_alist_lookup(message, "_ctrl");
- if (_ctrl == NULL ||
+ if (!isccc_alist_alistp(_ctrl) ||
isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
return (ISC_R_FAILURE);
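Review bot: The control.c hunk replaces `data == NULL` with `!isccc_alist_alistp(data)` but leaves the comment `No data section.` unchanged, which no longer describes the check now that a `_data` element of the wrong type is rejected too; `/* No data section, or _data is not an alist. */` matches the new condition, and the same comment drift applies to the `_ctrl` check in controlconf.c. All of the rewritten checks in control.c, controlconf.c, rndc.c and cc.c rely on `isccc_alist_alistp()` (and `isccc_sexpr_binaryp()` for hmd5) accepting a NULL argument, since `isccc_alist_lookup` can still return NULL; that predicate is not in the hunks, so its NULL handling should be confirmed. The rndc.c messages were updated to say "bad or missing", which is the wording the comments should follow.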

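--- a/SOURCES/bind99-CVE-2016-2775.patch
+++ b/SOURCES/bind99-CVE-2016-2775.patch
@@ -0,0 +1,66 @@
+From 062b04898be720ed0855efc192847fcbc667b3e1 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 7 Jul 2016 12:52:47 +1000
+Subject: [PATCH] 4406. [bug] getrrsetbyname with a non absolute
+name could trigger a infinite recursion bug in lwresd
+and named with lwres configured if when combined
+with a search list entry the resulting name is
+too long. [RT #42694]
+
+(cherry picked from commit 38cc2d14e218e536e0102fa70deef99461354232)
+---
+bin/named/lwdgrbn.c | 16 ++++++++++------
+bin/tests/system/lwresd/lwtest.c | 8 ++++++++
+2 files changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
+index 584ab25..37211eb 100644
+--- a/bin/named/lwdgrbn.c
++++ b/bin/named/lwdgrbn.c
+@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
+INSIST(client->lookup == NULL);
+dns_fixedname_init(&absname);
+- result = ns_lwsearchctx_current(&client->searchctx,
+- dns_fixedname_name(&absname));
++
+/*
+- * This will return failure if relative name + suffix is too long.
+- * In this case, just go on to the next entry in the search path.
++ * Perform search across all search domains until success
++ * is returned. Return in case of failure.
+*/
+- if (result != ISC_R_SUCCESS)
+- start_lookup(client);
++ while (ns_lwsearchctx_current(&client->searchctx,
++ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
++ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
++ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
++ return;
++ }
++ }
+result = dns_lookup_create(cm->mctx,
+dns_fixedname_name(&absname),
+diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
+index 02647cb..c2be95d 100644
+--- a/bin/tests/system/lwresd/lwtest.c
++++ b/bin/tests/system/lwresd/lwtest.c
+@@ -768,6 +768,14 @@ main(void) {
+test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
+test_getrrsetbyname("", 1, 1, 0, 0, 0);
++ test_getrrsetbyname("123456789.123456789.123456789.123456789."
++ "123456789.123456789.123456789.123456789."
++ "123456789.123456789.123456789.123456789."
++ "123456789.123456789.123456789.123456789."
++ "123456789.123456789.123456789.123456789."
++ "123456789.123456789.123456789.123456789."
++ "123456789", 1, 1, 0, 0, 0);
++
+if (fails == 0)
+printf("I:ok\n");
+return (fails);
+--
+2.7.4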
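Review bot: The new comment in start_lookup, `Return in case of failure.`, undersells what the loop does: when ns_lwsearchctx_next runs out of entries it sends LWRES_R_FAILURE to the client and returns, which is the behaviour a maintainer needs to know since the recursion it replaces retried without bound. `* Walk the search list until a candidate absolute name fits; when the list is exhausted, send LWRES_R_FAILURE to the client and stop.` states that. Whether ns_lwdclient_errorpktsend alone is the right cleanup at this point, compared with the error path the rest of start_lookup takes after dns_lookup_create, cannot be judged from the hunk because the function continues past it.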

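--- /dev/null
+++ b/SOURCES/bind99-CVE-2016-2776.patch
@@ -0,0 +1,89 @@
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index 73def73..3d2de4f 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1736,7 +1736,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
+if (r.length < DNS_MESSAGE_HEADERLEN)
+return (ISC_R_NOSPACE);
+- if (r.length < msg->reserved)
++ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
+return (ISC_R_NOSPACE);
+/*
+@@ -1863,8 +1863,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options)
+return (ISC_TRUE);
+}
+-
+#endif
++
++static isc_result_t
++renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
++ dns_compress_t *cctx, isc_buffer_t *target,
++ unsigned int reserved, unsigned int options, unsigned int *countp)
++{
++ isc_result_t result;
++
++ /*
++ * Shrink the space in the buffer by the reserved amount.
++ */
++ if (target->length - target->used < reserved)
++ return (ISC_R_NOSPACE);
++
++ target->length -= reserved;
++ result = dns_rdataset_towire(rdataset, owner_name,
++ cctx, target, options, countp);
++ target->length += reserved;
++
++ return (result);
++}
++
+isc_result_t
+dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+unsigned int options)
+@@ -1907,6 +1928,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+/*
+* Shrink the space in the buffer by the reserved amount.
+*/
++ if (msg->buffer->length - msg->buffer->used < msg->reserved)
++ return (ISC_R_NOSPACE);
+msg->buffer->length -= msg->reserved;
+total = 0;
+@@ -2183,9 +2206,8 @@ dns_message_renderend(dns_message_t *msg) {
+* Render.
+*/
+count = 0;
+- result = dns_rdataset_towire(msg->opt, dns_rootname,
+- msg->cctx, msg->buffer, 0,
+- &count);
++ result = renderset(msg->opt, dns_rootname, msg->cctx,
++ msg->buffer, msg->reserved, 0, &count);
+msg->counts[DNS_SECTION_ADDITIONAL] += count;
+if (result != ISC_R_SUCCESS)
+return (result);
+@@ -2201,9 +2223,8 @@ dns_message_renderend(dns_message_t *msg) {
+if (result != ISC_R_SUCCESS)
+return (result);
+count = 0;
+- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
+- msg->cctx, msg->buffer, 0,
+- &count);
++ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
++ msg->buffer, msg->reserved, 0, &count);
+msg->counts[DNS_SECTION_ADDITIONAL] += count;
+if (result != ISC_R_SUCCESS)
+return (result);
+@@ -2224,9 +2245,8 @@ dns_message_renderend(dns_message_t *msg) {
+* the owner name of a SIG(0) is irrelevant, and will not
+* be set in a message being rendered.
+*/
+- result = dns_rdataset_towire(msg->sig0, dns_rootname,
+- msg->cctx, msg->buffer, 0,
+- &count);
++ result = renderset(msg->sig0, dns_rootname, msg->cctx,
++ msg->buffer, msg->reserved, 0, &count);
+msg->counts[DNS_SECTION_ADDITIONAL] += count;
+if (result != ISC_R_SUCCESS)
+return (result);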
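Review bot: The new subtraction in dns_message_renderbegin, `r.length - DNS_MESSAGE_HEADERLEN < msg->reserved`, is only underflow-safe because of the `r.length < DNS_MESSAGE_HEADERLEN` return two lines earlier, and nothing ties the two together, so a later reorder could reintroduce a wrap on the unsigned length. A one-line comment would pin that: `/* r.length >= DNS_MESSAGE_HEADERLEN was checked above, so this cannot wrap. */`. The same `length - used < reserved` shape is repeated in the new renderset helper and in dns_message_rendersection, where it relies on the buffer invariant used <= length; renderset has no header comment, and one stating that it shields `reserved` bytes from dns_rdataset_towire and restores target->length on every return path would help the next reader. dns_message_renderbegin, dns_message_rendersection and dns_message_renderend all start and end outside their hunks.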

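--- /dev/null
+++ b/SOURCES/bind99-CVE-2016-8864.patch
@@ -0,0 +1,174 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 5ef2dd6..1b987dd 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -526,7 +526,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
+valarg->addrinfo = addrinfo;
+if (!ISC_LIST_EMPTY(fctx->validators))
+- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
++ valoptions |= DNS_VALIDATOR_DEFER;
++ else
++ valoptions &= ~DNS_VALIDATOR_DEFER;
+result = dns_validator_create(fctx->res->view, name, type, rdataset,
+sigrdataset, fctx->rmessage,
+@@ -4872,13 +4874,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+rdataset,
+sigrdataset,
+valoptions, task);
+- /*
+- * Defer any further validations.
+- * This prevents multiple validators
+- * from manipulating fctx->rmessage
+- * simultaneously.
+- */
+- valoptions |= DNS_VALIDATOR_DEFER;
+}
+} else if (CHAINING(rdataset)) {
+if (rdataset->type == dns_rdatatype_cname)
+@@ -4984,6 +4979,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+eresult == DNS_R_NCACHENXRRSET);
+}
+event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+dns_db_attach(fctx->cache, adbp);
+dns_db_transfernode(fctx->cache, &node, anodep);
+clone_results(fctx);
+@@ -5231,6 +5231,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+if (event != NULL) {
+event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+dns_db_attach(fctx->cache, adbp);
+dns_db_transfernode(fctx->cache, &node, anodep);
+clone_results(fctx);
+@@ -6039,13 +6044,15 @@ static isc_result_t
+answer_response(fetchctx_t *fctx) {
+isc_result_t result;
+dns_message_t *message;
+- dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
++ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++ dns_name_t *cname = NULL;
+dns_rdataset_t *rdataset, *ns_rdataset;
+isc_boolean_t done, external, chaining, aa, found, want_chaining;
+- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
++ isc_boolean_t have_answer, found_cname, found_dname, found_type;
++ isc_boolean_t wanted_chaining;
+unsigned int aflag;
+dns_rdatatype_t type;
+- dns_fixedname_t fdname, fqname;
++ dns_fixedname_t fdname, fqname, fqdname;
+dns_view_t *view;
+FCTXTRACE("answer_response");
+@@ -6059,6 +6066,7 @@ answer_response(fetchctx_t *fctx) {
+done = ISC_FALSE;
+found_cname = ISC_FALSE;
++ found_dname = ISC_FALSE;
+found_type = ISC_FALSE;
+chaining = ISC_FALSE;
+have_answer = ISC_FALSE;
+@@ -6068,12 +6076,13 @@ answer_response(fetchctx_t *fctx) {
+aa = ISC_TRUE;
+else
+aa = ISC_FALSE;
+- qname = &fctx->name;
++ dqname = qname = &fctx->name;
+type = fctx->type;
+view = fctx->res->view;
++ dns_fixedname_init(&fqdname);
+result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+while (!done && result == ISC_R_SUCCESS) {
+- dns_namereln_t namereln;
++ dns_namereln_t namereln, dnamereln;
+int order;
+unsigned int nlabels;
+@@ -6081,6 +6090,8 @@ answer_response(fetchctx_t *fctx) {
+dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++ dnamereln = dns_name_fullcompare(dqname, name, &order,
++ &nlabels);
+if (namereln == dns_namereln_equal) {
+wanted_chaining = ISC_FALSE;
+for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6205,9 +6216,16 @@ answer_response(fetchctx_t *fctx) {
+* a CNAME or DNAME).
+*/
+INSIST(!external);
+- if (aflag ==
+- DNS_RDATASETATTR_ANSWER) {
++ if ((rdataset->type !=
++ dns_rdatatype_cname) ||
++ !found_dname ||
++ (aflag ==
++ DNS_RDATASETATTR_ANSWER))
++ {
+have_answer = ISC_TRUE;
++ if (rdataset->type ==
++ dns_rdatatype_cname)
++ cname = name;
+name->attributes |=
+DNS_NAMEATTR_ANSWER;
+}
+@@ -6303,11 +6321,11 @@ answer_response(fetchctx_t *fctx) {
+return (DNS_R_FORMERR);
+}
+- if (namereln != dns_namereln_subdomain) {
++ if (dnamereln != dns_namereln_subdomain) {
+char qbuf[DNS_NAME_FORMATSIZE];
+char obuf[DNS_NAME_FORMATSIZE];
+- dns_name_format(qname, qbuf,
++ dns_name_format(dqname, qbuf,
+sizeof(qbuf));
+dns_name_format(name, obuf,
+sizeof(obuf));
+@@ -6322,7 +6340,7 @@ answer_response(fetchctx_t *fctx) {
+want_chaining = ISC_TRUE;
+POST(want_chaining);
+aflag = DNS_RDATASETATTR_ANSWER;
+- result = dname_target(rdataset, qname,
++ result = dname_target(rdataset, dqname,
+nlabels, &fdname);
+if (result == ISC_R_NOSPACE) {
+/*
+@@ -6339,10 +6357,13 @@ answer_response(fetchctx_t *fctx) {
+dname = dns_fixedname_name(&fdname);
+if (!is_answertarget_allowed(view,
+- qname, rdataset->type,
+- dname, &fctx->domain)) {
++ dqname, rdataset->type,
++ dname, &fctx->domain))
++ {
+return (DNS_R_SERVFAIL);
+}
++ dqname = dns_fixedname_name(&fqdname);
++ dns_name_copy(dname, dqname, NULL);
+} else {
+/*
+* We've found a signature that
+@@ -6367,6 +6388,10 @@ answer_response(fetchctx_t *fctx) {
+INSIST(!external);
+if (aflag == DNS_RDATASETATTR_ANSWER) {
+have_answer = ISC_TRUE;
++ found_dname = ISC_TRUE;
++ if (cname != NULL)
++ cname->attributes &=
++ ~DNS_NAMEATTR_ANSWER;
+name->attributes |=
+DNS_NAMEATTR_ANSWER;
+}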
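Review bot: The return value of `dns_name_copy(dname, dqname, NULL)` on the new DNAME-chaining line is dropped, whereas the same call elsewhere in this tree is checked (the CVE-2017-3135 patch further down does `RUNTIME_CHECK(rresult == ISC_R_SUCCESS)`); dqname is a dns_fixedname so the copy should always fit, but checking it documents that and keeps the file consistent: `RUNTIME_CHECK(dns_name_copy(dname, dqname, NULL) == ISC_R_SUCCESS);`. The five-line detachnode/detach block added to cache_name is repeated verbatim in ncache_message; a small static helper would keep the two from drifting apart. answer_response, cache_name and ncache_message all start and end outside their hunks.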

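--- /dev/null
+++ b/SOURCES/bind99-CVE-2016-9131.patch
@@ -0,0 +1,37 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 2bc4461..d9de369 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -6533,6 +6533,19 @@ answer_response(fetchctx_t *fctx) {
+log_formerr(fctx, "NSEC3 in answer");
+return (DNS_R_FORMERR);
+}
++ if (rdataset->type == dns_rdatatype_tkey) {
++ /*
++ * TKEY is not a valid record in a
++ * response to any query we can make.
++ */
++ log_formerr(fctx, "TKEY in answer");
++ return (DNS_R_FORMERR);
++ }
++ if (rdataset->rdclass != fctx->res->rdclass) {
++ log_formerr(fctx, "Mismatched class "
++ "in answer");
++ return (DNS_R_FORMERR);
++ }
+/*
+* Apply filters, if given, on answers to reject
+@@ -6719,6 +6732,12 @@ answer_response(fetchctx_t *fctx) {
+rdataset != NULL;
+rdataset = ISC_LIST_NEXT(rdataset, link))
+{
++ if (rdataset->rdclass != fctx->res->rdclass) {
++ log_formerr(fctx, "Mismatched class "
++ "in answer");
++ return (DNS_R_FORMERR);
++ }
++
+/*
+* Only pass DNAME or RRSIG(DNAME).
+*/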
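Review bot: The new class check is added in two separate answer-section loops with the same literal "Mismatched class in answer" but, unlike the TKEY check beside it, carries no comment on why a class mismatch is a FORMERR for the whole response rather than a record to skip; a short comment above the first instance would spare the next reader a trip through the caching code, e.g. `/* A response mixing classes is malformed; reject it before any record is cached. */` (the consumer that motivates this is outside the hunk, so confirm the wording). Both comparisons are against `fctx->res->rdclass`, the resolver's class, which is presumably identical to the question's class; if that is not guaranteed the check would be better keyed on the query. answer_response starts and ends outside both hunks.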

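--- /dev/null
+++ b/SOURCES/bind99-CVE-2016-9147.patch
@@ -0,0 +1,31 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 9ad5f81..ffdde5e 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -6229,15 +6229,19 @@ answer_response(fetchctx_t *fctx) {
+* a CNAME or DNAME).
+*/
+INSIST(!external);
+- if ((rdataset->type !=
+- dns_rdatatype_cname) ||
+- !found_dname ||
+- (aflag ==
+- DNS_RDATASETATTR_ANSWER))
++ /*
++ * Don't use found_cname here
++ * as we have just set it
++ * above.
++ */
++ if (cname == NULL &&
++ !found_dname &&
++ aflag ==
++ DNS_RDATASETATTR_ANSWER)
+{
+have_answer = ISC_TRUE;
+- if (rdataset->type ==
+- dns_rdatatype_cname)
++ if (found_cname &&
++ cname == NULL)
+cname = name;
+name->attributes |=
+DNS_NAMEATTR_ANSWER;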
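Review bot: The new comment "Don't use found_cname here as we have just set it above" is contradicted three lines later, where `if (found_cname && cname == NULL) cname = name;` does use it, so it will read as a stale note to anyone auditing this chaining logic. Rewording it to say what is actually meant, that found_cname cannot gate have_answer because it was already set for this very rdataset and is only consulted to remember which owner name carried the CNAME, makes the condition self-explaining: `/* found_cname was set above for this rdataset, so it must not gate have_answer; it is only used below to record the CNAME owner. */`. answer_response starts and ends outside the hunk.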

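--- /dev/null
+++ b/SOURCES/bind99-CVE-2016-9444.patch
@@ -0,0 +1,147 @@
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index 869d258..c1f9498 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1150,6 +1150,63 @@ update(dns_section_t section, dns_rdataclass_t rdclass) {
+return (ISC_FALSE);
+}
++/*
++ * Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
++ * covering RRSIGs.
++ */
++static isc_boolean_t
++auth_signed(dns_namelist_t *section) {
++ dns_name_t *name;
++
++ for (name = ISC_LIST_HEAD(*section);
++ name != NULL;
++ name = ISC_LIST_NEXT(name, link))
++ {
++ int auth_dnssec = 0, auth_rrsig = 0;
++ dns_rdataset_t *rds;
++
++ for (rds = ISC_LIST_HEAD(name->list);
++ rds != NULL;
++ rds = ISC_LIST_NEXT(rds, link))
++ {
++ switch (rds->type) {
++ case dns_rdatatype_ds:
++ auth_dnssec |= 0x1;
++ break;
++ case dns_rdatatype_nsec:
++ auth_dnssec |= 0x2;
++ break;
++ case dns_rdatatype_nsec3:
++ auth_dnssec |= 0x4;
++ break;
++ case dns_rdatatype_rrsig:
++ break;
++ default:
++ continue;
++ }
++
++ switch (rds->covers) {
++ case dns_rdatatype_ds:
++ auth_rrsig |= 0x1;
++ break;
++ case dns_rdatatype_nsec:
++ auth_rrsig |= 0x2;
++ break;
++ case dns_rdatatype_nsec3:
++ auth_rrsig |= 0x4;
++ break;
++ default:
++ break;
++ }
++ }
++
++ if (auth_dnssec != auth_rrsig)
++ return (ISC_FALSE);
++ }
++
++ return (ISC_TRUE);
++}
++
+static isc_result_t
+getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+dns_section_t sectionid, unsigned int options)
+@@ -1175,12 +1232,12 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
+seen_problem = ISC_FALSE;
++ section = &msg->sections[sectionid];
++
+for (count = 0; count < msg->counts[sectionid]; count++) {
+int recstart = source->current;
+isc_boolean_t skip_name_search, skip_type_search;
+- section = &msg->sections[sectionid];
+-
+skip_name_search = ISC_FALSE;
+skip_type_search = ISC_FALSE;
+free_rdataset = ISC_FALSE;
+@@ -1354,7 +1411,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+goto cleanup;
+rdata->rdclass = rdclass;
+issigzero = ISC_FALSE;
+- if (rdtype == dns_rdatatype_rrsig &&
++ if (rdtype == dns_rdatatype_rrsig &&
+rdata->flags == 0) {
+covers = dns_rdata_covers(rdata);
+if (covers == 0)
+@@ -1565,6 +1622,19 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+INSIST(free_rdataset == ISC_FALSE);
+}
++ /*
++ * If any of DS, NSEC or NSEC3 appeared in the
++ * authority section of a query response without
++ * a covering RRSIG, FORMERR
++ */
++ if (sectionid == DNS_SECTION_AUTHORITY &&
++ msg->opcode == dns_opcode_query &&
++ ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
++ ((msg->flags & DNS_MESSAGEFLAG_TC) == 0) &&
++ !preserve_order &&
++ !auth_signed(section))
++ DO_FORMERR;
++
+if (seen_problem)
+return (DNS_R_RECOVERABLE);
+return (ISC_R_SUCCESS);
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 2bc4461..e5600a3 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -5194,13 +5194,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+rdataset->type,
+&noqname);
+if (tresult == ISC_R_SUCCESS &&
+- noqname != NULL) {
+- tresult =
+- dns_rdataset_addnoqname(
++ noqname != NULL)
++ (void) dns_rdataset_addnoqname(
+rdataset, noqname);
+- RUNTIME_CHECK(tresult ==
+- ISC_R_SUCCESS);
+- }
+}
+addedrdataset = ardataset;
+result = dns_db_addrdataset(fctx->cache, node,
+@@ -5330,11 +5326,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+tresult = findnoqname(fctx, name,
+rdataset->type, &noqname);
+if (tresult == ISC_R_SUCCESS &&
+- noqname != NULL) {
+- tresult = dns_rdataset_addnoqname(
+- rdataset, noqname);
+- RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
+- }
++ noqname != NULL)
++ (void) dns_rdataset_addnoqname(
++ rdataset, noqname);
+}
+/*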
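Review bot: Both replacements of `RUNTIME_CHECK(tresult == ISC_R_SUCCESS)` with `(void) dns_rdataset_addnoqname(...)` in cache_name silently drop the result, and nothing in the hunk records that this is deliberate, so a later reader may wonder whether a failure should be logged or propagated. A comment at each site would capture the intent: `/* Non-fatal: on failure the answer is cached without the NOQNAME proof instead of aborting. */`. In the new auth_signed, the second switch on `rds->covers` also runs for DS, NSEC and NSEC3 rdatasets, which is only harmless if covers is zero for non-RRSIG types; wrapping it in `if (rds->type == dns_rdatatype_rrsig)` removes that dependency. cache_name and getsection start and end outside their hunks.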

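--- /dev/null
+++ b/SOURCES/bind99-CVE-2017-3135.patch
@@ -0,0 +1,193 @@
+From f05af77f32742b8e601d766e1f2fe6a480c7e735 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Wed, 8 Feb 2017 12:23:20 +0100
+Subject: [PATCH] 4557. [security] Combining dns64 and rpz can result in
+dereferencing a NULL pointer (read). (CVE-2017-3135)
+[RT#44434]
+
+---
+bin/named/query.c | 59 +++++++++++++++++++++++++-----------------------------
+lib/dns/message.c | 6 +++---
+lib/dns/rdataset.c | 1 +
+3 files changed, 31 insertions(+), 35 deletions(-)
+
+diff --git a/bin/named/query.c b/bin/named/query.c
+index 1975dfc..f60078b 100644
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -5591,9 +5591,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+dns_rpz_st_t *rpz_st;
+isc_boolean_t resuming;
+int line = -1;
+- isc_boolean_t dns64_exclude, dns64;
++ isc_boolean_t dns64_exclude, dns64, rpz;
+dns_clientinfomethods_t cm;
+dns_clientinfo_t ci;
++ dns_name_t *rpzqname;
+CTRACE("query_find");
+@@ -5619,7 +5620,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+zone = NULL;
+need_wildcardproof = ISC_FALSE;
+empty_wild = ISC_FALSE;
+- dns64_exclude = dns64 = ISC_FALSE;
++ dns64_exclude = dns64 = rpz = ISC_FALSE;
+options = 0;
+resuming = ISC_FALSE;
+is_zone = ISC_FALSE;
+@@ -5736,6 +5737,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+authoritative = ISC_FALSE;
+version = NULL;
+need_wildcardproof = ISC_FALSE;
++ rpz = ISC_FALSE;
+if (client->view->checknames &&
+!dns_rdata_checkowner(client->query.qname,
+@@ -5860,11 +5862,29 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+}
+/*
+- * Now look for an answer in the database.
++ * Now look for an answer in the database. If this is a dns64
++ * AAAA lookup on a rpz database adjust the qname.
+*/
+- result = dns_db_findext(db, client->query.qname, version, type,
++ if (dns64 && rpz)
++ rpzqname = client->query.rpz_st->qname;
++ else
++ rpzqname = client->query.qname;
++
++ result = dns_db_findext(db, rpzqname, version, type,
+client->query.dboptions, client->now,
+&node, fname, &cm, &ci, rdataset, sigrdataset);
++ /*
++ * Fixup fname and sigrdataset.
++ */
++ if (dns64 && rpz) {
++ isc_result_t rresult;
++
++ rresult = dns_name_copy(client->query.qname, fname, NULL);
++ RUNTIME_CHECK(rresult == ISC_R_SUCCESS);
++ if (sigrdataset != NULL &&
++ dns_rdataset_isassociated(sigrdataset))
++ dns_rdataset_disassociate(sigrdataset);
++ }
+resume:
+CTRACE("query_find: resume");
+@@ -6067,9 +6087,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+switch (rpz_st->m.policy) {
+case DNS_RPZ_POLICY_NXDOMAIN:
+result = DNS_R_NXDOMAIN;
++ rpz = ISC_TRUE;
+break;
+case DNS_RPZ_POLICY_NODATA:
+result = DNS_R_NXRRSET;
++ rpz = ISC_TRUE;
+break;
+case DNS_RPZ_POLICY_RECORD:
+result = rpz_st->m.result;
+@@ -6089,6 +6111,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+rdataset->ttl = ISC_MIN(rdataset->ttl,
+rpz_st->m.ttl);
+}
++ rpz = ISC_TRUE;
+break;
+case DNS_RPZ_POLICY_WILDCNAME:
+result = dns_rdataset_first(rdataset);
+@@ -6130,7 +6153,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
+DNS_MESSAGEFLAG_AD);
+query_putrdataset(client, &sigrdataset);
+- rpz_st->q.is_zone = is_zone;
+is_zone = ISC_TRUE;
+rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
+rpz_st->m.type, zone, rpz_st->qname);
+@@ -6509,15 +6531,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+rdataset = NULL;
+sigrdataset = NULL;
+type = qtype = dns_rdatatype_a;
+- rpz_st = client->query.rpz_st;
+- if (rpz_st != NULL) {
+- /*
+- * Arrange for RPZ rewriting of any A records.
+- */
+- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+- is_zone = rpz_st->q.is_zone;
+- rpz_st_clear(client);
+- }
+dns64 = ISC_TRUE;
+goto db_find;
+}
+@@ -6786,15 +6799,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+sigrdataset = NULL;
+fname = NULL;
+type = qtype = dns_rdatatype_a;
+- rpz_st = client->query.rpz_st;
+- if (rpz_st != NULL) {
+- /*
+- * Arrange for RPZ rewriting of any A records.
+- */
+- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+- is_zone = rpz_st->q.is_zone;
+- rpz_st_clear(client);
+- }
+dns64 = ISC_TRUE;
+goto db_find;
+}
+@@ -7296,15 +7300,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+rdataset = NULL;
+sigrdataset = NULL;
+type = qtype = dns_rdatatype_a;
+- rpz_st = client->query.rpz_st;
+- if (rpz_st != NULL) {
+- /*
+- * Arrange for RPZ rewriting of any A records.
+- */
+- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
+- is_zone = rpz_st->q.is_zone;
+- rpz_st_clear(client);
+- }
+dns64_exclude = dns64 = ISC_TRUE;
+goto db_find;
+}
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index 884107e..1417067 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1234,8 +1234,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+{
+isc_region_t r;
+unsigned int count, rdatalen;
+- dns_name_t *name;
+- dns_name_t *name2;
++ dns_name_t *name = NULL;
++ dns_name_t *name2 = NULL;
+dns_offsets_t *offsets;
+dns_rdataset_t *rdataset;
+dns_rdatalist_t *rdatalist;
+@@ -1245,7 +1245,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+dns_rdata_t *rdata;
+dns_ttl_t ttl;
+dns_namelist_t *section;
+- isc_boolean_t free_name, free_rdataset;
++ isc_boolean_t free_name = ISC_FALSE, free_rdataset = ISC_FALSE;
+isc_boolean_t preserve_order, best_effort, seen_problem;
+isc_boolean_t issigzero;
+diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
+index 026d771..483ddfb 100644
+--- a/lib/dns/rdataset.c
++++ b/lib/dns/rdataset.c
+@@ -336,6 +336,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
+*/
+REQUIRE(DNS_RDATASET_VALID(rdataset));
++ REQUIRE(rdataset->methods != NULL);
+REQUIRE(countp != NULL);
+REQUIRE((order == NULL) == (order_arg == NULL));
+REQUIRE(cctx != NULL && cctx->mctx != NULL);
+--
+2.9.3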
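Review bot: `rpzqname = client->query.rpz_st->qname;` in the new `dns64 && rpz` branch of query_find dereferences rpz_st with no check; the `rpz` flag is only set inside the switch on `rpz_st->m.policy`, so the pointer is expected to be live there, but the three removed `rpz_st_clear(client)` calls before each `goto db_find` show this state used to be torn down on exactly that path, and an assertion would document the new invariant: `INSIST(client->query.rpz_st != NULL);` immediately before the assignment. The `REQUIRE(rdataset->methods != NULL)` added to towiresorted converts the NULL read into an assertion abort rather than preventing it, so it should be read as defense in depth alongside the query.c change, not as the fix itself. query_find, getsection and towiresorted all start and end outside their hunks.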

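--- /dev/null
+++ b/SOURCES/bind99-CVE-2017-3136.patch
@@ -0,0 +1,26 @@
+From d4d151cf34fab415e2823deada3433df7f475c71 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 11 Apr 2017 16:19:08 +0200
+Subject: [PATCH 1/3] 4575. [security] DNS64 with "break-dnssec yes;"
+can result in an assertion failure. (CVE-2017-3136)
+[RT #44653]
+
+---
+bin/named/query.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/bin/named/query.c b/bin/named/query.c
+index f60078b..6e988f5 100644
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -7324,6 +7324,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+result = query_dns64(client, &fname, rdataset,
+sigrdataset, dbuf,
+DNS_SECTION_ANSWER);
++ noqname = NULL;
+dns_rdataset_disassociate(rdataset);
+dns_message_puttemprdataset(client->message, &rdataset);
+if (result == ISC_R_NOMORE) {
+--
+2.9.3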
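Review bot: The added `noqname = NULL;` sits between the query_dns64 call and `dns_rdataset_disassociate(rdataset)` with no explanation, and both the declaration of noqname and its later uses are outside the hunk, so a reader cannot see why it must be cleared at exactly this point; presumably it refers to data owned by rdataset, which is released on the very next line. A comment would make that ordering constraint explicit: `/* noqname must not outlive rdataset, which is disassociated below. */` (confirm against the declaration and the later consumer of noqname). query_find starts and ends outside the hunk.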

1126
SOURCES/bind99-CVE-2017-3137.patch


497
SOURCES/bind99-CVE-2017-3142+3143.patch

@ -0,0 +1,497 @@ @@ -0,0 +1,497 @@
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 00a0080..336c4da 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -982,6 +982,8 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
mctx = msg->mctx;
msg->verify_attempted = 1;
+ msg->verified_sig = 0;
+ msg->sig0status = dns_tsigerror_badsig;
if (is_response(msg)) {
if (msg->query.base == NULL)
@@ -1076,6 +1078,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
}
msg->verified_sig = 1;
+ msg->sig0status = dns_rcode_noerror;
dst_context_destroy(&ctx);
dns_rdata_freestruct(&sig);
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 1417067..0621175 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -3052,12 +3052,19 @@ dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
result = dns_rdata_tostruct(&rdata, &tsig, NULL);
INSIST(result == ISC_R_SUCCESS);
- if (msg->tsigstatus != dns_rcode_noerror)
+ if (msg->verified_sig &&
+ msg->tsigstatus == dns_rcode_noerror &&
+ tsig.error == dns_rcode_noerror)
+ {
+ result = ISC_R_SUCCESS;
+ } else if ((!msg->verified_sig) ||
+ (msg->tsigstatus != dns_rcode_noerror))
+ {
result = DNS_R_TSIGVERIFYFAILURE;
- else if (tsig.error != dns_rcode_noerror)
+ } else {
+ INSIST(tsig.error != dns_rcode_noerror);
result = DNS_R_TSIGERRORSET;
- else
- result = ISC_R_SUCCESS;
+ }
dns_rdata_freestruct(&tsig);
if (msg->tsigkey == NULL) {
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 3239bff..7b91d1e 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -941,11 +941,20 @@ dns_tsig_sign(dns_message_t *msg) {
isc_buffer_putuint48(&otherbuf, tsig.timesigned);
}
- if (key->key != NULL && tsig.error != dns_tsigerror_badsig) {
+ if ((key->key != NULL) &&
+ (tsig.error != dns_tsigerror_badsig) &&
+ (tsig.error != dns_tsigerror_badkey))
+ {
unsigned char header[DNS_MESSAGE_HEADERLEN];
isc_buffer_t headerbuf;
isc_uint16_t digestbits;
+ /*
+ * If it is a response, we assume that the request MAC
+ * has validated at this point. This is why we include a
+ * MAC length > 0 in the reply.
+ */
+
ret = dst_context_create3(key->key, mctx,
DNS_LOGCATEGORY_DNSSEC,
ISC_TRUE, &ctx);
@@ -953,7 +962,7 @@ dns_tsig_sign(dns_message_t *msg) {
return (ret);
/*
- * If this is a response, digest the query signature.
+ * If this is a response, digest the request's MAC.
*/
if (response) {
dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
@@ -1083,6 +1092,17 @@ dns_tsig_sign(dns_message_t *msg) {
dst_context_destroy(&ctx);
digestbits = dst_key_getbits(key->key);
if (digestbits != 0) {
+ /*
+ * XXXRAY: Is this correct? What is the
+ * expected behavior when digestbits is not an
+ * integral multiple of 8? It looks like bytes
+ * should either be (digestbits/8) or
+ * (digestbits+7)/8.
+ *
+ * In any case, for current algorithms,
+ * digestbits are an integral multiple of 8, so
+ * it has the same effect as (digestbits/8).
+ */
unsigned int bytes = (digestbits + 1) / 8;
if (response && bytes < querytsig.siglen)
bytes = querytsig.siglen;
@@ -1196,6 +1216,8 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
msg->verify_attempted = 1;
+ msg->verified_sig = 0;
+ msg->tsigstatus = dns_tsigerror_badsig;
if (msg->tcp_continuation) {
if (tsigkey == NULL || msg->querytsig == NULL)
@@ -1294,19 +1316,6 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
key = tsigkey->key;
/*
- * Is the time ok?
- */
- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2, "signature has expired");
- return (DNS_R_CLOCKSKEW);
- } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2, "signature is in the future");
- return (DNS_R_CLOCKSKEW);
- }
-
- /*
* Check digest length.
*/
alg = dst_key_alg(key);
@@ -1315,31 +1324,19 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
return (ret);
if (alg == DST_ALG_HMACMD5 || alg == DST_ALG_HMACSHA1 ||
alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
- alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512) {
- isc_uint16_t digestbits = dst_key_getbits(key);
+ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512)
+ {
if (tsig.siglen > siglen) {
- tsig_log(msg->tsigkey, 2, "signature length to big");
+ tsig_log(msg->tsigkey, 2, "signature length too big");
return (DNS_R_FORMERR);
}
if (tsig.siglen > 0 &&
- (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2))) {
+ (tsig.siglen < 10 || tsig.siglen < ((siglen + 1) / 2)))
+ {
tsig_log(msg->tsigkey, 2,
"signature length below minimum");
return (DNS_R_FORMERR);
}
- if (tsig.siglen > 0 && digestbits != 0 &&
- tsig.siglen < ((digestbits + 1) / 8)) {
- msg->tsigstatus = dns_tsigerror_badtrunc;
- tsig_log(msg->tsigkey, 2,
- "truncated signature length too small");
- return (DNS_R_TSIGVERIFYFAILURE);
- }
- if (tsig.siglen > 0 && digestbits == 0 &&
- tsig.siglen < siglen) {
- msg->tsigstatus = dns_tsigerror_badtrunc;
- tsig_log(msg->tsigkey, 2, "signature length too small");
- return (DNS_R_TSIGVERIFYFAILURE);
- }
}
if (tsig.siglen > 0) {
@@ -1451,34 +1448,92 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
ret = dst_context_verify(ctx, &sig_r);
if (ret == DST_R_VERIFYFAILURE) {
- msg->tsigstatus = dns_tsigerror_badsig;
ret = DNS_R_TSIGVERIFYFAILURE;
tsig_log(msg->tsigkey, 2,
"signature failed to verify(1)");
goto cleanup_context;
- } else if (ret != ISC_R_SUCCESS)
+ } else if (ret != ISC_R_SUCCESS) {
goto cleanup_context;
-
- dst_context_destroy(&ctx);
+ }
} else if (tsig.error != dns_tsigerror_badsig &&
tsig.error != dns_tsigerror_badkey) {
- msg->tsigstatus = dns_tsigerror_badsig;
tsig_log(msg->tsigkey, 2, "signature was empty");
return (DNS_R_TSIGVERIFYFAILURE);
}
- msg->tsigstatus = dns_rcode_noerror;
+ /*
+ * Here at this point, the MAC has been verified. Even if any of
+ * the following code returns a TSIG error, the reply will be
+ * signed and WILL always include the request MAC in the digest
+ * computation.
+ */
+
+ /*
+ * Is the time ok?
+ */
+ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2, "signature has expired");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_context;
+ } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2, "signature is in the future");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_context;
+ }
+
+ if (
+#ifndef PK11_MD5_DISABLE
+ alg == DST_ALG_HMACMD5 ||
+#endif
+ alg == DST_ALG_HMACSHA1 ||
+ alg == DST_ALG_HMACSHA224 || alg == DST_ALG_HMACSHA256 ||
+ alg == DST_ALG_HMACSHA384 || alg == DST_ALG_HMACSHA512)
+ {
+ isc_uint16_t digestbits = dst_key_getbits(key);
+
+ /*
+ * XXXRAY: Is this correct? What is the expected
+ * behavior when digestbits is not an integral multiple
+ * of 8? It looks like bytes should either be
+ * (digestbits/8) or (digestbits+7)/8.
+ *
+ * In any case, for current algorithms, digestbits are
+ * an integral multiple of 8, so it has the same effect
+ * as (digestbits/8).
+ */
+ if (tsig.siglen > 0 && digestbits != 0 &&
+ tsig.siglen < ((digestbits + 1) / 8))
+ {
+ msg->tsigstatus = dns_tsigerror_badtrunc;
+ tsig_log(msg->tsigkey, 2,
+ "truncated signature length too small");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ if (tsig.siglen > 0 && digestbits == 0 &&
+ tsig.siglen < siglen)
+ {
+ msg->tsigstatus = dns_tsigerror_badtrunc;
+ tsig_log(msg->tsigkey, 2, "signature length too small");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ }
if (tsig.error != dns_rcode_noerror) {
+ msg->tsigstatus = tsig.error;
if (tsig.error == dns_tsigerror_badtime)
- return (DNS_R_CLOCKSKEW);
+ ret = DNS_R_CLOCKSKEW;
else
- return (DNS_R_TSIGERRORSET);
+ ret = DNS_R_TSIGERRORSET;
+ goto cleanup_context;
}
+ msg->tsigstatus = dns_rcode_noerror;
msg->verified_sig = 1;
-
- return (ISC_R_SUCCESS);
+ ret = ISC_R_SUCCESS;
cleanup_context:
if (ctx != NULL)
@@ -1503,6 +1558,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
isc_uint16_t addcount, id;
isc_boolean_t has_tsig = ISC_FALSE;
isc_mem_t *mctx;
+ unsigned int siglen;
+ unsigned int alg;
REQUIRE(source != NULL);
REQUIRE(msg != NULL);
@@ -1510,12 +1567,16 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
REQUIRE(msg->tcp_continuation == 1);
REQUIRE(msg->querytsig != NULL);
+ msg->verified_sig = 0;
+ msg->tsigstatus = dns_tsigerror_badsig;
+
if (!is_response(msg))
return (DNS_R_EXPECTEDRESPONSE);
mctx = msg->mctx;
tsigkey = dns_message_gettsigkey(msg);
+ key = tsigkey->key;
/*
* Extract and parse the previous TSIG
@@ -1548,7 +1609,8 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
* Do the key name and algorithm match that of the query?
*/
if (!dns_name_equal(keyname, &tsigkey->name) ||
- !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) {
+ !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
+ {
msg->tsigstatus = dns_tsigerror_badkey;
ret = DNS_R_TSIGVERIFYFAILURE;
tsig_log(msg->tsigkey, 2,
@@ -1557,27 +1619,40 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
}
/*
- * Is the time ok?
+ * Check digest length.
*/
- isc_stdtime_get(&now);
-
- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2, "signature has expired");
- ret = DNS_R_CLOCKSKEW;
- goto cleanup_querystruct;
- } else if (now + msg->timeadjust <
- tsig.timesigned - tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2,
- "signature is in the future");
- ret = DNS_R_CLOCKSKEW;
+ alg = dst_key_alg(key);
+ ret = dst_key_sigsize(key, &siglen);
+ if (ret != ISC_R_SUCCESS)
goto cleanup_querystruct;
+ if (
+#ifndef PK11_MD5_DISABLE
+ alg == DST_ALG_HMACMD5 ||
+#endif
+ alg == DST_ALG_HMACSHA1 ||
+ alg == DST_ALG_HMACSHA224 ||
+ alg == DST_ALG_HMACSHA256 ||
+ alg == DST_ALG_HMACSHA384 ||
+ alg == DST_ALG_HMACSHA512)
+ {
+ if (tsig.siglen > siglen) {
+ tsig_log(tsigkey, 2,
+ "signature length too big");
+ ret = DNS_R_FORMERR;
+ goto cleanup_querystruct;
+ }
+ if (tsig.siglen > 0 &&
+ (tsig.siglen < 10 ||
+ tsig.siglen < ((siglen + 1) / 2)))
+ {
+ tsig_log(tsigkey, 2,
+ "signature length below minimum");
+ ret = DNS_R_FORMERR;
+ goto cleanup_querystruct;
+ }
}
}
- key = tsigkey->key;
-
if (msg->tsigctx == NULL) {
ret = dst_context_create3(key, mctx,
DNS_LOGCATEGORY_DNSSEC,
@@ -1670,10 +1745,12 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
sig_r.length = tsig.siglen;
if (tsig.siglen == 0) {
if (tsig.error != dns_rcode_noerror) {
- if (tsig.error == dns_tsigerror_badtime)
+ msg->tsigstatus = tsig.error;
+ if (tsig.error == dns_tsigerror_badtime) {
ret = DNS_R_CLOCKSKEW;
- else
+ } else {
ret = DNS_R_TSIGERRORSET;
+ }
} else {
tsig_log(msg->tsigkey, 2,
"signature is empty");
@@ -1684,29 +1761,111 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
ret = dst_context_verify(msg->tsigctx, &sig_r);
if (ret == DST_R_VERIFYFAILURE) {
- msg->tsigstatus = dns_tsigerror_badsig;
tsig_log(msg->tsigkey, 2,
"signature failed to verify(2)");
ret = DNS_R_TSIGVERIFYFAILURE;
goto cleanup_context;
+ } else if (ret != ISC_R_SUCCESS) {
+ goto cleanup_context;
}
- else if (ret != ISC_R_SUCCESS)
+
+ /*
+ * Here at this point, the MAC has been verified. Even
+ * if any of the following code returns a TSIG error,
+ * the reply will be signed and WILL always include the
+ * request MAC in the digest computation.
+ */
+
+ /*
+ * Is the time ok?
+ */
+ isc_stdtime_get(&now);
+
+ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2, "signature has expired");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_context;
+ } else if (now + msg->timeadjust <
+ tsig.timesigned - tsig.fudge)
+ {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2,
+ "signature is in the future");
+ ret = DNS_R_CLOCKSKEW;
goto cleanup_context;
+ }
- dst_context_destroy(&msg->tsigctx);
+ alg = dst_key_alg(key);
+ ret = dst_key_sigsize(key, &siglen);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+ if (
+#ifndef PK11_MD5_DISABLE
+ alg == DST_ALG_HMACMD5 ||
+#endif
+ alg == DST_ALG_HMACSHA1 ||
+ alg == DST_ALG_HMACSHA224 ||
+ alg == DST_ALG_HMACSHA256 ||
+ alg == DST_ALG_HMACSHA384 ||
+ alg == DST_ALG_HMACSHA512)
+ {
+ isc_uint16_t digestbits = dst_key_getbits(key);
+
+ /*
+ * XXXRAY: Is this correct? What is the
+ * expected behavior when digestbits is not an
+ * integral multiple of 8? It looks like bytes
+ * should either be (digestbits/8) or
+ * (digestbits+7)/8.
+ *
+ * In any case, for current algorithms,
+ * digestbits are an integral multiple of 8, so
+ * it has the same effect as (digestbits/8).
+ */
+ if (tsig.siglen > 0 && digestbits != 0 &&
+ tsig.siglen < ((digestbits + 1) / 8))
+ {
+ msg->tsigstatus = dns_tsigerror_badtrunc;
+ tsig_log(msg->tsigkey, 2,
+ "truncated signature length "
+ "too small");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ if (tsig.siglen > 0 && digestbits == 0 &&
+ tsig.siglen < siglen)
+ {
+ msg->tsigstatus = dns_tsigerror_badtrunc;
+ tsig_log(msg->tsigkey, 2,
+ "signature length too small");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ }
+
+ if (tsig.error != dns_rcode_noerror) {
+ msg->tsigstatus = tsig.error;
+ if (tsig.error == dns_tsigerror_badtime)
+ ret = DNS_R_CLOCKSKEW;
+ else
+ ret = DNS_R_TSIGERRORSET;
+ goto cleanup_context;
+ }
}
msg->tsigstatus = dns_rcode_noerror;
- return (ISC_R_SUCCESS);
+ msg->verified_sig = 1;
+ ret = ISC_R_SUCCESS;
cleanup_context:
- dst_context_destroy(&msg->tsigctx);
+ if (msg->tsigctx != NULL)
+ dst_context_destroy(&msg->tsigctx);
cleanup_querystruct:
dns_rdata_freestruct(&querytsig);
return (ret);
-
}
isc_result_t

124
SOURCES/bind99-CVE-2017-3145.patch

@ -0,0 +1,124 @@ @@ -0,0 +1,124 @@
From 4d73fed57703f561aefd545eda0f3f2c5e69a547 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 16 Jan 2018 09:50:45 +0100
Subject: [PATCH] 4858. [security] Addresses could be referenced after
being freed in resolver.c, causing an assertion failure.
(CVE-2017-3145) [RT #46839]

---
lib/dns/resolver.c | 37 +++++++++++++++++++++++--------------
1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 860a792..619646f 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -751,7 +751,7 @@ fctx_stoptimer(fetchctx_t *fctx) {
* cannot fail in that case.
*/
result = isc_timer_reset(fctx->timer, isc_timertype_inactive,
- NULL, NULL, ISC_TRUE);
+ NULL, NULL, ISC_TRUE);
if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"isc_timer_reset(): %s",
@@ -759,7 +759,6 @@ fctx_stoptimer(fetchctx_t *fctx) {
}
}
-
static inline isc_result_t
fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) {
/*
@@ -992,7 +991,8 @@ fctx_cleanupfinds(fetchctx_t *fctx) {
for (find = ISC_LIST_HEAD(fctx->finds);
find != NULL;
- find = next_find) {
+ find = next_find)
+ {
next_find = ISC_LIST_NEXT(find, publink);
ISC_LIST_UNLINK(fctx->finds, find, publink);
dns_adb_destroyfind(&find);
@@ -1008,7 +1008,8 @@ fctx_cleanupaltfinds(fetchctx_t *fctx) {
for (find = ISC_LIST_HEAD(fctx->altfinds);
find != NULL;
- find = next_find) {
+ find = next_find)
+ {
next_find = ISC_LIST_NEXT(find, publink);
ISC_LIST_UNLINK(fctx->altfinds, find, publink);
dns_adb_destroyfind(&find);
@@ -1024,7 +1025,8 @@ fctx_cleanupforwaddrs(fetchctx_t *fctx) {
for (addr = ISC_LIST_HEAD(fctx->forwaddrs);
addr != NULL;
- addr = next_addr) {
+ addr = next_addr)
+ {
next_addr = ISC_LIST_NEXT(addr, publink);
ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink);
dns_adb_freeaddrinfo(fctx->adb, &addr);
@@ -1039,7 +1041,8 @@ fctx_cleanupaltaddrs(fetchctx_t *fctx) {
for (addr = ISC_LIST_HEAD(fctx->altaddrs);
addr != NULL;
- addr = next_addr) {
+ addr = next_addr)
+ {
next_addr = ISC_LIST_NEXT(addr, publink);
ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
dns_adb_freeaddrinfo(fctx->adb, &addr);
@@ -1047,14 +1050,18 @@ fctx_cleanupaltaddrs(fetchctx_t *fctx) {
}
static inline void
-fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response) {
- FCTXTRACE("stopeverything");
+fctx_stopqueries(fetchctx_t *fctx, isc_boolean_t no_response) {
+ FCTXTRACE("stopqueries");
fctx_cancelqueries(fctx, no_response);
+ fctx_stoptimer(fctx);
+}
+
+static inline void
+fctx_cleanupall(fetchctx_t *fctx) {
fctx_cleanupfinds(fctx);
fctx_cleanupaltfinds(fctx);
fctx_cleanupforwaddrs(fctx);
fctx_cleanupaltaddrs(fctx);
- fctx_stoptimer(fctx);
}
static inline void
@@ -1184,7 +1191,8 @@ fctx_done(fetchctx_t *fctx, isc_result_t result, int line) {
no_response = ISC_FALSE;
fctx->reason = NULL;
- fctx_stopeverything(fctx, no_response);
+
+ fctx_stopqueries(fctx, no_response);
LOCK(&res->buckets[fctx->bucketnum].lock);
@@ -3336,11 +3344,12 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
dns_resolver_cancelfetch(fctx->nsfetch);
/*
- * Shut down anything that is still running on behalf of this
- * fetch. To avoid deadlock with the ADB, we must do this
- * before we lock the bucket lock.
+ * Shut down anything still running on behalf of this
+ * fetch, and clean up finds and addresses. To avoid deadlock
+ * with the ADB, we must do this before we lock the bucket lock.
*/
- fctx_stopeverything(fctx, ISC_FALSE);
+ fctx_stopqueries(fctx, ISC_FALSE);
+ fctx_cleanupall(fctx);
LOCK(&res->buckets[bucketnum].lock);
--
2.14.3
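Review bot: After this change `fctx_done` calls only `fctx_stopqueries`, so the finds and address lists that `fctx_stopeverything` used to release are now kept until `fctx_doshutdown` runs `fctx_cleanupall`, and nothing at the new call site records why; a one-line comment there, `/* finds/addrs are released in fctx_doshutdown(), after queries are stopped (CVE-2017-3145) */`, would keep a later cleanup from being reintroduced at this point. The re-indented `isc_timer_reset` continuation line in `fctx_stoptimer` and the removed blank line after it are unrelated whitespace churn in a security backport and make the functional change harder to audit; they could be dropped from the backported patch. `fctx_done` and `fctx_doshutdown` both continue outside their hunks.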

61
SOURCES/bind99-ISC-Bugs-34738.patch

@ -0,0 +1,61 @@ @@ -0,0 +1,61 @@
From 18df9e628ea10c7d607f43fcfd935e7924731f24 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Mon, 9 Sep 2013 22:12:47 -0700
Subject: [PATCH] [master] strdup journal filename

3646. [bug] Journal filename string could be set incorrectly,
causing garbage in log messages. [RT #34738]
---
lib/dns/journal.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/lib/dns/journal.c b/lib/dns/journal.c
index 08aabd5..46a52e1 100644
--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
@@ -307,7 +307,7 @@ struct dns_journal {
unsigned int magic; /*%< JOUR */
isc_mem_t *mctx; /*%< Memory context */
journal_state_t state;
- const char *filename; /*%< Journal file name */
+ char *filename; /*%< Journal file name */
FILE * fp; /*%< File handle */
isc_offset_t offset; /*%< Current file offset */
journal_header_t header; /*%< In-core journal header */
@@ -573,10 +573,13 @@ journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
isc_mem_attach(mctx, &j->mctx);
j->state = JOURNAL_STATE_INVALID;
j->fp = NULL;
- j->filename = filename;
+ j->filename = isc_mem_strdup(mctx, filename);
j->index = NULL;
j->rawindex = NULL;
+ if (j->filename == NULL)
+ FAIL(ISC_R_NOMEMORY);
+
result = isc_stdio_open(j->filename, write ? "rb+" : "rb", &fp);
if (result == ISC_R_FILENOTFOUND) {
@@ -679,6 +682,8 @@ journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
sizeof(journal_rawpos_t));
j->index = NULL;
}
+ if (j->filename != NULL)
+ isc_mem_free(j->mctx, j->filename);
if (j->fp != NULL)
(void)isc_stdio_close(j->fp);
isc_mem_putanddetach(&j->mctx, j, sizeof(*j));
@@ -1242,7 +1247,8 @@ dns_journal_destroy(dns_journal_t **journalp) {
isc_mem_put(j->mctx, j->it.target.base, j->it.target.length);
if (j->it.source.base != NULL)
isc_mem_put(j->mctx, j->it.source.base, j->it.source.length);
-
+ if (j->filename != NULL)
+ isc_mem_free(j->mctx, j->filename);
if (j->fp != NULL)
(void)isc_stdio_close(j->fp);
j->magic = 0;
--
1.8.3.1

213
SOURCES/bind99-ISC-Bugs-34870-v3.patch

@ -0,0 +1,213 @@ @@ -0,0 +1,213 @@
diff -up bind-9.9.4/bin/dig/dighost.c.send_buffers bind-9.9.4/bin/dig/dighost.c
--- bind-9.9.4/bin/dig/dighost.c.send_buffers 2013-10-31 14:22:20.296811613 +0100
+++ bind-9.9.4/bin/dig/dighost.c 2013-10-31 14:57:00.336400190 +0100
@@ -194,6 +194,7 @@ isc_boolean_t validated = ISC_TRUE;
isc_entropy_t *entp = NULL;
isc_mempool_t *commctx = NULL;
isc_boolean_t debugging = ISC_FALSE;
+isc_boolean_t debugtiming = ISC_FALSE;
isc_boolean_t memdebugging = ISC_FALSE;
char *progname = NULL;
isc_mutex_t lookup_lock;
@@ -553,6 +554,12 @@ debug(const char *format, ...) {
if (debugging) {
fflush(stdout);
+ if (debugtiming) {
+ struct timeval tv;
+ (void)gettimeofday(&tv, NULL);
+ fprintf(stderr, "%ld.%06ld: ", (long)tv.tv_sec,
+ (long)tv.tv_usec);
+ }
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
@@ -2416,8 +2423,10 @@ send_done(isc_task_t *_task, isc_event_t
for (b = ISC_LIST_HEAD(sevent->bufferlist);
b != NULL;
- b = ISC_LIST_HEAD(sevent->bufferlist))
+ b = ISC_LIST_HEAD(sevent->bufferlist)) {
ISC_LIST_DEQUEUE(sevent->bufferlist, b, link);
+ isc_mem_free(mctx, b);
+ }
query = event->ev_arg;
query->waiting_senddone = ISC_FALSE;
@@ -2609,6 +2618,17 @@ send_tcp_connect(dig_query_t *query) {
}
}
+static isc_buffer_t *
+clone_buffer(isc_buffer_t *source) {
+ isc_buffer_t *buffer;
+ buffer = isc_mem_allocate(mctx, sizeof(*buffer));
+ if (buffer == NULL)
+ fatal("memory allocation failure in %s:%d",
+ __FILE__, __LINE__);
+ *buffer = *source;
+ return (buffer);
+}
+
/*%
* Send a UDP packet to the remote nameserver, possible starting the
* recv action as well. Also make sure that the timer is running and
@@ -2618,6 +2638,7 @@ static void
send_udp(dig_query_t *query) {
dig_lookup_t *l = NULL;
isc_result_t result;
+ isc_buffer_t *sendbuf;
debug("send_udp(%p)", query);
@@ -2664,14 +2685,16 @@ send_udp(dig_query_t *query) {
debug("recvcount=%d", recvcount);
}
ISC_LIST_INIT(query->sendlist);
- ISC_LIST_ENQUEUE(query->sendlist, &query->sendbuf, link);
+ sendbuf = clone_buffer(&query->sendbuf);
+ ISC_LIST_ENQUEUE(query->sendlist, sendbuf, link);
debug("sending a request");
TIME_NOW(&query->time_sent);
INSIST(query->sock != NULL);
query->waiting_senddone = ISC_TRUE;
- result = isc_socket_sendtov(query->sock, &query->sendlist,
- global_task, send_done, query,
- &query->sockaddr, NULL);
+ result = isc_socket_sendtov2(query->sock, &query->sendlist,
+ global_task, send_done, query,
+ &query->sockaddr, NULL,
+ ISC_SOCKFLAG_NORETRY);
check_result(result, "isc_socket_sendtov");
sendcount++;
}
@@ -2838,6 +2861,7 @@ static void
launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
isc_result_t result;
dig_lookup_t *l;
+ isc_buffer_t *buffer;
INSIST(!free_now);
@@ -2861,9 +2885,15 @@ launch_next_query(dig_query_t *query, is
isc_buffer_putuint16(&query->slbuf, (isc_uint16_t) query->sendbuf.used);
ISC_LIST_INIT(query->sendlist);
ISC_LINK_INIT(&query->slbuf, link);
- ISC_LIST_ENQUEUE(query->sendlist, &query->slbuf, link);
- if (include_question)
- ISC_LIST_ENQUEUE(query->sendlist, &query->sendbuf, link);
+ if (!query->first_soa_rcvd) {
+ buffer = clone_buffer(&query->slbuf);
+ ISC_LIST_ENQUEUE(query->sendlist, buffer, link);
+ if (include_question) {
+ buffer = clone_buffer(&query->sendbuf);
+ ISC_LIST_ENQUEUE(query->sendlist, buffer, link);
+ }
+ }
+
ISC_LINK_INIT(&query->lengthbuf, link);
ISC_LIST_ENQUEUE(query->lengthlist, &query->lengthbuf, link);
diff -up bind-9.9.4/bin/dig/host.c.send_buffers bind-9.9.4/bin/dig/host.c
--- bind-9.9.4/bin/dig/host.c.send_buffers 2013-10-31 14:22:20.270811568 +0100
+++ bind-9.9.4/bin/dig/host.c 2013-10-31 14:22:20.328811669 +0100
@@ -638,6 +638,8 @@ pre_parse_args(int argc, char **argv) {
case 'w': break;
case 'C': break;
case 'D':
+ if (debugging)
+ debugtiming = ISC_TRUE;
debugging = ISC_TRUE;
break;
case 'N': break;
diff -up bind-9.9.4/bin/dig/include/dig/dig.h.send_buffers bind-9.9.4/bin/dig/include/dig/dig.h
--- bind-9.9.4/bin/dig/include/dig/dig.h.send_buffers 2013-10-31 14:22:20.270811568 +0100
+++ bind-9.9.4/bin/dig/include/dig/dig.h 2013-10-31 14:22:20.328811669 +0100
@@ -275,7 +275,7 @@ extern isc_boolean_t validated;
extern isc_taskmgr_t *taskmgr;
extern isc_task_t *global_task;
extern isc_boolean_t free_now;
-extern isc_boolean_t debugging, memdebugging;
+extern isc_boolean_t debugging, debugtiming, memdebugging;
extern char *progname;
extern int tries;
diff -up bind-9.9.4/lib/isc/include/isc/namespace.h.send_buffers bind-9.9.4/lib/isc/include/isc/namespace.h
--- bind-9.9.4/lib/isc/include/isc/namespace.h.send_buffers 2013-09-05 07:09:08.000000000 +0200
+++ bind-9.9.4/lib/isc/include/isc/namespace.h 2013-10-31 14:22:20.328811669 +0100
@@ -106,6 +106,7 @@
#define isc_socket_sendv isc__socket_sendv
#define isc_socket_sendtov isc__socket_sendtov
#define isc_socket_sendto2 isc__socket_sendto2
+#define isc_socket_sendtov2 isc__socket_sendtov2
#define isc_socket_cleanunix isc__socket_cleanunix
#define isc_socket_permunix isc__socket_permunix
#define isc_socket_bind isc__socket_bind
diff -up bind-9.9.4/lib/isc/include/isc/socket.h.send_buffers bind-9.9.4/lib/isc/include/isc/socket.h
--- bind-9.9.4/lib/isc/include/isc/socket.h.send_buffers 2013-09-05 07:09:08.000000000 +0200
+++ bind-9.9.4/lib/isc/include/isc/socket.h 2013-10-31 14:22:20.328811669 +0100
@@ -866,6 +866,11 @@ isc_socket_sendtov(isc_socket_t *sock, i
isc_task_t *task, isc_taskaction_t action, const void *arg,
isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
isc_result_t
+isc_socket_sendtov2(isc_socket_t *sock, isc_bufferlist_t *buflist,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+ unsigned int flags);
+isc_result_t
isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
isc_task_t *task,
isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
diff -up bind-9.9.4/lib/isc/unix/socket.c.send_buffers bind-9.9.4/lib/isc/unix/socket.c
--- bind-9.9.4/lib/isc/unix/socket.c.send_buffers 2013-10-31 14:22:20.293811608 +0100
+++ bind-9.9.4/lib/isc/unix/socket.c 2013-10-31 14:22:20.330811673 +0100
@@ -510,6 +510,11 @@ isc__socket_sendtov(isc_socket_t *sock,
isc_task_t *task, isc_taskaction_t action, const void *arg,
isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendtov2(isc_socket_t *sock, isc_bufferlist_t *buflist,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+ unsigned int flags);
+ISC_SOCKETFUNC_SCOPE isc_result_t
isc__socket_sendto2(isc_socket_t *sock, isc_region_t *region,
isc_task_t *task,
isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
@@ -4796,15 +4801,25 @@ ISC_SOCKETFUNC_SCOPE isc_result_t
isc__socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
isc_task_t *task, isc_taskaction_t action, const void *arg)
{
- return (isc__socket_sendtov(sock, buflist, task, action, arg, NULL,
- NULL));
+ return (isc__socket_sendtov2(sock, buflist, task, action, arg, NULL,
+ NULL, 0));
}
ISC_SOCKETFUNC_SCOPE isc_result_t
-isc__socket_sendtov(isc_socket_t *sock0, isc_bufferlist_t *buflist,
+isc__socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
isc_task_t *task, isc_taskaction_t action, const void *arg,
isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
{
+ return (isc__socket_sendtov2(sock, buflist, task, action, arg, address,
+ pktinfo, 0));
+}
+
+ISC_SOCKETFUNC_SCOPE isc_result_t
+isc__socket_sendtov2(isc_socket_t *sock0, isc_bufferlist_t *buflist,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+ unsigned int flags)
+{
isc__socket_t *sock = (isc__socket_t *)sock0;
isc_socketevent_t *dev;
isc__socketmgr_t *manager;
@@ -4837,7 +4852,7 @@ isc__socket_sendtov(isc_socket_t *sock0,
buffer = ISC_LIST_HEAD(*buflist);
}
- return (socket_send(sock, dev, task, address, pktinfo, 0));
+ return (socket_send(sock, dev, task, address, pktinfo, flags));
}
ISC_SOCKETFUNC_SCOPE isc_result_t
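Review bot: `clone_buffer` copies the whole `isc_buffer_t`, including its `link` member, and both callers then `ISC_LIST_ENQUEUE` the copy without reinitialising that link, so a clone inherits whatever list state the source buffer had at the time. Adding `ISC_LINK_INIT(buffer, link);` after `*buffer = *source;` makes the heap copy's list membership independent of the stack original. Since `send_done` now frees every dequeued entry with `isc_mem_free`, every buffer placed on `sendlist` must be one of these heap clones; a comment on `clone_buffer` stating that contract, e.g. `/* Buffers on query->sendlist are owned by the list and freed in send_done(). */`, would make the ownership rule explicit. The new `debugtiming` branch in `debug()` calls `gettimeofday()`, which needs `<sys/time.h>`; the hunk does not show whether dighost.c already includes it.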

31
SOURCES/bind99-ISC-Bugs-35073.patch

@ -0,0 +1,31 @@ @@ -0,0 +1,31 @@
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 486c102..dc12a85 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -1566,16 +1566,20 @@ evaluate_realm(char *cmdline) {
#ifdef GSSAPI
char *word;
char buf[1024];
+ int n;
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (word == NULL || *word == 0) {
- if (realm != NULL)
- isc_mem_free(mctx, realm);
+ if (realm != NULL) {
+ isc_mem_free(mctx, realm);
realm = NULL;
- return (STATUS_MORE);
}
- snprintf(buf, sizeof(buf), "@%s", word);
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (word == NULL || *word == 0)
+ return (STATUS_MORE);
+
+ n = snprintf(buf, sizeof(buf), "@%s", word);
+ if (n < 0 || (size_t)n >= sizeof(buf))
+ fatal("realm is too long");
realm = isc_mem_strdup(mctx, buf);
if (realm == NULL)
fatal("out of memory");

42
SOURCES/bind99-ISC-Bugs-35080.patch

@ -0,0 +1,42 @@ @@ -0,0 +1,42 @@
commit 3a2ea636103eaf40404fb82f228605d384c36434
Author: Mark Andrews <marka@isc.org>
Date: Tue Dec 17 09:08:59 2013 +1100

3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
was no data at the node. [RT #35080]
(cherry picked from commit 161e803a5608956271d8120be37a1b383d14b647)

diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 2dd4aa0..941b77e 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -1638,8 +1638,11 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
nodelock = &rbtdb->node_locks[bucket];
+#define KEEP_NODE(n, r) \
+ ((n)->data != NULL || (n)->down != NULL || (n) == (r)->origin_node)
+
/* Handle easy and typical case first. */
- if (!node->dirty && (node->data != NULL || node->down != NULL)) {
+ if (!node->dirty && KEEP_NODE(node, rbtdb)) {
dns_rbtnode_refdecrement(node, &nrefs);
INSIST((int)nrefs >= 0);
if (nrefs == 0) {
@@ -1708,12 +1711,11 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
isc_refcount_decrement(&nodelock->references, &refs);
INSIST((int)refs >= 0);
- /*
- * XXXDCL should this only be done for cache zones?
- */
- if (node->data != NULL || node->down != NULL)
+ if (KEEP_NODE(node, rbtdb))
goto restore_locks;
+#undef KEEP_NODE
+
if (write_locked) {
/*
* We can now delete the node.
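Review bot: The hunk deletes the `XXXDCL should this only be done for cache zones?` note without resolving it, so an open design question disappears with the refactor; keep it above the second `KEEP_NODE` check, or replace it with a comment that explains the new condition, e.g. `/* The origin node is retained even when empty so dns_db_getoriginnode() always has a node to return. */` (inferred from the 3692 changelog entry in this patch). Defining `KEEP_NODE` in the middle of `decrement_reference` and `#undef`ing it a few lines later is a point of style: a file-scope `static inline isc_boolean_t keep_node(dns_rbtnode_t *node, dns_rbtdb_t *rbtdb)` would give the same reuse with type checking and no macro scoping. `decrement_reference` starts and ends outside the hunk.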

685
SOURCES/bind99-automatic-interface-scanning-rh1294506.patch

@ -0,0 +1,685 @@ @@ -0,0 +1,685 @@
From 5013230b31da1d94ce5682e5c5c38011da744971 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Wed, 11 May 2016 15:17:55 +0200
Subject: [PATCH] Added support for automatic interface scan when new address
is assigned to any interface

Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
bin/named/config.c | 1 +
bin/named/control.c | 3 +
bin/named/include/named/control.h | 1 +
bin/named/include/named/server.h | 8 +++
bin/named/interfacemgr.c | 144 ++++++++++++++++++++++++++++++++++++++
bin/named/named.conf.docbook | 1 +
bin/named/server.c | 31 +++++++-
bin/named/statschannel.c | 5 ++
bin/rndc/rndc.c | 1 +
bin/rndc/rndc.docbook | 12 ++++
config.h.in | 12 ++++
configure.in | 5 +-
doc/arm/Bv9ARM-book.xml | 22 +++++-
lib/isc/include/isc/socket.h | 10 ++-
lib/isc/unix/socket.c | 59 ++++++++++++++++
lib/isccfg/namedconf.c | 1 +
16 files changed, 310 insertions(+), 6 deletions(-)

diff --git a/bin/named/config.c b/bin/named/config.c
index f6d0263..b43c0fc 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -52,6 +52,7 @@
/*% default configuration */
static char defaultconf[] = "\
options {\n\
+ automatic-interface-scan yes;\n\
# blackhole {none;};\n"
#ifndef WIN32
" coresize default;\n\
diff --git a/bin/named/control.c b/bin/named/control.c
index 06eadce..86fa691 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -185,6 +185,9 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
command_compare(command, NS_COMMAND_THAW)) {
result = ns_server_freeze(ns_g_server, ISC_FALSE, command,
text);
+ } else if (command_compare(command, NS_COMMAND_SCAN)) {
+ result = ISC_R_SUCCESS;
+ ns_server_scan_interfaces(ns_g_server);
} else if (command_compare(command, NS_COMMAND_SYNC)) {
result = ns_server_sync(ns_g_server, command, text);
} else if (command_compare(command, NS_COMMAND_RECURSING)) {
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index d730a83..52ed583 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -59,6 +59,7 @@
#define NS_COMMAND_NULL "null"
#define NS_COMMAND_NOTIFY "notify"
#define NS_COMMAND_VALIDATION "validation"
+#define NS_COMMAND_SCAN "scan"
#define NS_COMMAND_SIGN "sign"
#define NS_COMMAND_LOADKEYS "loadkeys"
#define NS_COMMAND_ADDZONE "addzone"
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index ff0bfd3..83622f4 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -37,6 +37,7 @@
#define NS_EVENTCLASS ISC_EVENTCLASS(0x4E43)
#define NS_EVENT_RELOAD (NS_EVENTCLASS + 0)
#define NS_EVENT_CLIENTCONTROL (NS_EVENTCLASS + 1)
+#define NS_EVENT_IFSCAN (NS_EVENTCLASS + 2)
/*%
* Name server state. Better here than in lots of separate global variables.
@@ -114,6 +115,7 @@ struct ns_server {
dns_name_t *session_keyname;
unsigned int session_keyalg;
isc_uint16_t session_keybits;
+ isc_boolean_t interface_auto;
};
#define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R')
@@ -201,6 +203,12 @@ ns_server_reloadwanted(ns_server_t *server);
*/
void
+ns_server_scan_interfaces(ns_server_t *server);
+/*%<
+ * Trigger a interface scan.
+ */
+
+void
ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush);
/*%<
* Inform the server that the zones should be flushed to disk on shutdown.
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index 4f6b0f3..a9aa4a4 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -33,6 +33,28 @@
#include <named/client.h>
#include <named/log.h>
#include <named/interfacemgr.h>
+#include <named/server.h>
+
+#ifdef HAVE_NET_ROUTE_H
+#include <net/route.h>
+#if defined(RTM_VERSION) && defined(RTM_NEWADDR) && defined(RTM_DELADDR)
+#define USE_ROUTE_SOCKET 1
+#define ROUTE_SOCKET_PROTOCOL PF_ROUTE
+#define MSGHDR rt_msghdr
+#define MSGTYPE rtm_type
+#endif
+#endif
+
+#if defined(HAVE_LINUX_NETLINK_H) && defined(HAVE_LINUX_RTNETLINK_H)
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#if defined(RTM_NEWADDR) && defined(RTM_DELADDR)
+#define USE_ROUTE_SOCKET 1
+#define ROUTE_SOCKET_PROTOCOL PF_NETLINK
+#define MSGHDR nlmsghdr
+#define MSGTYPE nlmsg_type
+#endif
+#endif
#define IFMGR_MAGIC ISC_MAGIC('I', 'F', 'M', 'G')
#define NS_INTERFACEMGR_VALID(t) ISC_MAGIC_VALID(t, IFMGR_MAGIC)
@@ -55,6 +77,11 @@ struct ns_interfacemgr {
dns_aclenv_t aclenv; /*%< Localhost/localnets ACLs */
ISC_LIST(ns_interface_t) interfaces; /*%< List of interfaces. */
ISC_LIST(isc_sockaddr_t) listenon;
+#ifdef USE_ROUTE_SOCKET
+ isc_task_t * task;
+ isc_socket_t * route;
+ unsigned char buf[2048];
+#endif
};
static void
@@ -63,6 +90,71 @@ purge_old_interfaces(ns_interfacemgr_t *mgr);
static void
clearlistenon(ns_interfacemgr_t *mgr);
+#ifdef USE_ROUTE_SOCKET
+static void
+route_event(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sevent = NULL;
+ ns_interfacemgr_t *mgr = NULL;
+ isc_region_t r;
+ isc_result_t result;
+ struct MSGHDR *rtm;
+
+ UNUSED(task);
+
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
+ mgr = event->ev_arg;
+ sevent = (isc_socketevent_t *)event;
+
+ if (sevent->result != ISC_R_SUCCESS) {
+ if (sevent->result != ISC_R_CANCELED)
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "automatic interface scanning "
+ "terminated: %s",
+ isc_result_totext(sevent->result));
+ ns_interfacemgr_detach(&mgr);
+ isc_event_free(&event);
+ return;
+ }
+
+ rtm = (struct MSGHDR *)mgr->buf;
+#ifdef RTM_VERSION
+ if (rtm->rtm_version != RTM_VERSION) {
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "automatic interface rescanning disabled: "
+ "rtm->rtm_version mismatch (%u != %u) "
+ "recompile required", rtm->rtm_version,
+ RTM_VERSION);
+ isc_task_detach(&mgr->task);
+ isc_socket_detach(&mgr->route);
+ ns_interfacemgr_detach(&mgr);
+ isc_event_free(&event);
+ return;
+ }
+#endif
+
+ switch (rtm->MSGTYPE) {
+ case RTM_NEWADDR:
+ case RTM_DELADDR:
+ if (ns_g_server->interface_auto)
+ ns_server_scan_interfaces(ns_g_server);
+ break;
+ default:
+ break;
+ }
+
+ /*
+ * Look for next route event.
+ */
+ r.base = mgr->buf;
+ r.length = sizeof(mgr->buf);
+ result = isc_socket_recv(mgr->route, &r, 1, mgr->task,
+ route_event, mgr);
+ if (result != ISC_R_SUCCESS)
+ ns_interfacemgr_detach(&mgr);
+ isc_event_free(&event);
+}
+#endif
+
isc_result_t
ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
isc_socketmgr_t *socketmgr,
@@ -112,11 +204,52 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
mgr->aclenv.geoip = ns_g_geoip;
#endif
+#ifdef USE_ROUTE_SOCKET
+ mgr->route = NULL;
+ result = isc_socket_create(mgr->socketmgr, ROUTE_SOCKET_PROTOCOL,
+ isc_sockettype_raw, &mgr->route);
+ switch (result) {
+ case ISC_R_NOPERM:
+ case ISC_R_SUCCESS:
+ case ISC_R_NOTIMPLEMENTED:
+ case ISC_R_FAMILYNOSUPPORT:
+ break;
+ default:
+ goto cleanup_aclenv;
+ }
+
+ mgr->task = NULL;
+ if (mgr->route != NULL) {
+ result = isc_task_create(taskmgr, 0, &mgr->task);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_route;
+ }
+ mgr->references = (mgr->route != NULL) ? 2 : 1;
+#else
mgr->references = 1;
+#endif
mgr->magic = IFMGR_MAGIC;
*mgrp = mgr;
+
+#ifdef USE_ROUTE_SOCKET
+ if (mgr->route != NULL) {
+ isc_region_t r = { mgr->buf, sizeof(mgr->buf) };
+
+ result = isc_socket_recv(mgr->route, &r, 1, mgr->task,
+ route_event, mgr);
+ if (result != ISC_R_SUCCESS)
+ ns_interfacemgr_detach(&mgr);
+ }
+#endif
return (ISC_R_SUCCESS);
+#ifdef USE_ROUTE_SOCKET
+ cleanup_route:
+ if (mgr->route != NULL)
+ isc_socket_detach(&mgr->route);
+ cleanup_aclenv:
+ dns_aclenv_destroy(&mgr->aclenv);
+#endif
cleanup_listenon:
ns_listenlist_detach(&mgr->listenon4);
ns_listenlist_detach(&mgr->listenon6);
@@ -128,6 +261,13 @@ ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
static void
ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+#ifdef USE_ROUTE_SOCKET
+ if (mgr->route != NULL)
+ isc_socket_detach(&mgr->route);
+ if (mgr->task != NULL)
+ isc_task_detach(&mgr->task);
+#endif
dns_aclenv_destroy(&mgr->aclenv);
ns_listenlist_detach(&mgr->listenon4);
ns_listenlist_detach(&mgr->listenon6);
@@ -179,6 +319,10 @@ ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) {
* consider all interfaces "old".
*/
mgr->generation++;
+#ifdef USE_ROUTE_SOCKET
+ if (mgr->route != NULL)
+ isc_socket_cancel(mgr->route, mgr->task, ISC_SOCKCANCEL_RECV);
+#endif
purge_old_interfaces(mgr);
}
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 8c23e52..a8cd31e 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -373,6 +373,7 @@ options {
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
+ automatic-interface-scan <replaceable>boolean</replaceable>;
deny-answer-addresses {
<replaceable>address_match_list</replaceable>
} <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
diff --git a/bin/named/server.c b/bin/named/server.c
index 24b31c3..942bab6 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -4485,8 +4485,9 @@ adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
}
/*
- * This event callback is invoked to do periodic network
- * interface scanning.
+ * This event callback is invoked to do periodic network interface
+ * scanning. It is also called by ns_server_scan_interfaces(),
+ * invoked by "rndc scan"
*/
static void
interface_timer_tick(isc_task_t *task, isc_event_t *event) {
@@ -4494,7 +4495,14 @@ interface_timer_tick(isc_task_t *task, isc_event_t *event) {
ns_server_t *server = (ns_server_t *) event->ev_arg;
INSIST(task == server->task);
UNUSED(task);
+
+ if (event->ev_type == NS_EVENT_IFSCAN)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+ "automatic interface rescan");
+
isc_event_free(&event);
+
/*
* XXX should scan interfaces unlocked and get exclusive access
* only to replace ACLs.
@@ -5419,6 +5427,14 @@ load_configuration(const char *filename, ns_server_t *server,
server->interface_interval = interface_interval;
/*
+ * Enable automatic interface scans.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "automatic-interface-scan", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ server->interface_auto = cfg_obj_asboolean(obj);
+
+ /*
* Configure the dialup heartbeat timer.
*/
obj = NULL;
@@ -6637,6 +6653,17 @@ ns_server_reloadwanted(ns_server_t *server) {
UNLOCK(&server->reload_event_lock);
}
+void
+ns_server_scan_interfaces(ns_server_t *server) {
+ isc_event_t *event;
+
+ event = isc_event_allocate(ns_g_mctx, server, NS_EVENT_IFSCAN,
+ interface_timer_tick, server,
+ sizeof(isc_event_t));
+ if (event != NULL)
+ isc_task_send(server->task, &event);
+}
+
static char *
next_token(char **stringp, const char *delim) {
char *res;
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
index 37e98a8..b985f62 100644
--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -341,6 +341,7 @@ init_desc(void) {
SET_SOCKSTATDESC(tcp4open, "TCP/IPv4 sockets opened", "TCP4Open");
SET_SOCKSTATDESC(tcp6open, "TCP/IPv6 sockets opened", "TCP6Open");
SET_SOCKSTATDESC(unixopen, "Unix domain sockets opened", "UnixOpen");
+ SET_SOCKSTATDESC(rawopen, "Raw sockets opened", "RawOpen");
SET_SOCKSTATDESC(udp4openfail, "UDP/IPv4 socket open failures",
"UDP4OpenFail");
SET_SOCKSTATDESC(udp6openfail, "UDP/IPv6 socket open failures",
@@ -351,6 +352,8 @@ init_desc(void) {
"TCP6OpenFail");
SET_SOCKSTATDESC(unixopenfail, "Unix domain socket open failures",
"UnixOpenFail");
+ SET_SOCKSTATDESC(rawopenfail, "Raw socket open failures",
+ "RawOpenFail");
SET_SOCKSTATDESC(udp4close, "UDP/IPv4 sockets closed", "UDP4Close");
SET_SOCKSTATDESC(udp6close, "UDP/IPv6 sockets closed", "UDP6Close");
SET_SOCKSTATDESC(tcp4close, "TCP/IPv4 sockets closed", "TCP4Close");
@@ -358,6 +361,7 @@ init_desc(void) {
SET_SOCKSTATDESC(unixclose, "Unix domain sockets closed", "UnixClose");
SET_SOCKSTATDESC(fdwatchclose, "FDwatch sockets closed",
"FDWatchClose");
+ SET_SOCKSTATDESC(rawclose, "Raw sockets closed", "RawClose");
SET_SOCKSTATDESC(udp4bindfail, "UDP/IPv4 socket bind failures",
"UDP4BindFail");
SET_SOCKSTATDESC(udp6bindfail, "UDP/IPv6 socket bind failures",
@@ -424,6 +428,7 @@ init_desc(void) {
"UnixRecvErr");
SET_SOCKSTATDESC(fdwatchrecvfail, "FDwatch recv errors",
"FDwatchRecvErr");
+ SET_SOCKSTATDESC(rawrecvfail, "Raw recv errors", "RawRecvErr");
INSIST(i == isc_sockstatscounter_max);
/* Initialize DNSSEC statistics */
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 9a007e2..be198b1 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -160,6 +160,7 @@ command is one of the following:\n\
Add zone to given view. Requires new-zone-file option.\n\
delzone [\"file\"] zone [class [view]]\n\
Removes zone from given view. Requires new-zone-file option.\n\
+ scan Scan available network interfaces for changes.\n\
signing -list zone [class [view]]\n\
List the private records showing the state of DNSSEC\n\
signing in the given zone.\n\
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index 1789aaa..5b37b7f 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -330,6 +330,18 @@
</varlistentry>
<varlistentry>
+ <term><userinput>scan</userinput></term>
+ <listitem>
+ <para>
+ Scan the list of available network interfaces
+ for changes, without performing a full
+ <command>reconfig</command> or waiting for the
+ <command>interface-interval</command> timer.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><userinput>sync <optional>-clean</optional> <optional><replaceable>zone</replaceable> <optional><replaceable>class</replaceable> <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
<listitem>
<para>
diff --git a/config.h.in b/config.h.in
index 6ed8381..3515f69 100644
--- a/config.h.in
+++ b/config.h.in
@@ -280,6 +280,12 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <linux/capability.h> header file. */
#undef HAVE_LINUX_CAPABILITY_H
+/* Define to 1 if you have the <linux/netlink.h> header file. */
+#undef HAVE_LINUX_NETLINK_H
+
+/* Define to 1 if you have the <linux/rtnetlink.h> header file. */
+#undef HAVE_LINUX_RTNETLINK_H
+
/* Define to 1 if you have the <linux/types.h> header file. */
#undef HAVE_LINUX_TYPES_H
@@ -295,6 +301,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <net/if6.h> header file. */
#undef HAVE_NET_IF6_H
+/* Define to 1 if you have the <net/route.h> header file. */
+#undef HAVE_NET_ROUTE_H
+
/* Define if your OpenSSL version supports ECDSA. */
#undef HAVE_OPENSSL_ECDSA
@@ -358,6 +367,9 @@ int sigwait(const unsigned int *set, int *sig);
/* Define to 1 if you have the <sys/select.h> header file. */
#undef HAVE_SYS_SELECT_H
+/* Define to 1 if you have the <sys/socket.h> header file. */
+#undef HAVE_SYS_SOCKET_H
+
/* Define to 1 if you have the <sys/sockio.h> header file. */
#undef HAVE_SYS_SOCKIO_H
diff --git a/configure.in b/configure.in
index d72093f..38e626d 100644
--- a/configure.in
+++ b/configure.in
@@ -375,11 +375,14 @@ fi
AC_HEADER_STDC
-AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
+AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h sys/socket.h net/route.h linux/netlink.h linux/rtnetlink.h,,,
[$ac_includes_default
#ifdef HAVE_SYS_PARAM_H
# include <sys/param.h>
#endif
+#ifdef HAVE_SYS_SOCKET_H
+# include <sys/socket.h>
+#endif
])
AC_C_CONST
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 92c7b72..4c47d92 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -4964,7 +4964,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> policy given | disabled | passthru | nxdomain | nodata | cname <replaceable>domain</replaceable> </optional>
<optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional> ;
} <optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional>
- <optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional> <optional> min-ns-dots <replaceable>number</replaceable> </optional> ; </optional>
+ <optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional> <optional> min-ns-dots <replaceable>number</replaceable> </optional>
+ <optional> automatic-interface-scan <replaceable>yes_or_no</replaceable> </optional>
+ ; </optional>
};
</programlisting>
@@ -5726,6 +5728,23 @@ options {
<variablelist>
<varlistentry>
+ <term><command>automatic-interface-scan</command></term>
+ <listitem>
+ <para>
+ If <userinput>yes</userinput> and supported by the OS,
+ automatically rescan network interfaces when the interface
+ addresses are added or removed. The default is
+ <userinput>yes</userinput>.
+ </para>
+ <para>
+ Currently the OS needs to support routing sockets for
+ <command>automatic-interface-scan</command> to be
+ supported.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><command>allow-new-zones</command></term>
<listitem>
<para>
@@ -10494,6 +10513,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> automatic-interface-scan { <replaceable>yes_or_no</replaceable> }; </optional>
<optional> dnssec-update-mode ( <replaceable>maintain</replaceable> | <replaceable>no-resign</replaceable> ); </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index c5a753a..1cd90bb 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -150,7 +150,12 @@ enum {
isc_sockstatscounter_unixrecvfail = 50,
isc_sockstatscounter_fdwatchrecvfail = 51,
- isc_sockstatscounter_max = 52
+ isc_sockstatscounter_rawopen = 52,
+ isc_sockstatscounter_rawopenfail = 53,
+ isc_sockstatscounter_rawclose = 54,
+ isc_sockstatscounter_rawrecvfail = 55,
+
+ isc_sockstatscounter_max = 56
};
/***
@@ -221,7 +226,8 @@ typedef enum {
isc_sockettype_udp = 1,
isc_sockettype_tcp = 2,
isc_sockettype_unix = 3,
- isc_sockettype_fdwatch = 4
+ isc_sockettype_fdwatch = 4,
+ isc_sockettype_raw = 5
} isc_sockettype_t;
/*@{*/
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 82d0d16..cbc506b 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -28,6 +28,11 @@
#include <sys/time.h>
#include <sys/uio.h>
+#if defined(HAVE_LINUX_NETLINK_H) && defined(HAVE_LINUX_RTNETLINK_H)
+#include <linux/netlink.h>
+#include <linux/rtnetlink.h>
+#endif
+
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
@@ -708,6 +713,18 @@ static const isc_statscounter_t fdwatchstatsindex[] = {
isc_sockstatscounter_fdwatchsendfail,
isc_sockstatscounter_fdwatchrecvfail
};
+static const isc_statscounter_t rawstatsindex[] = {
+ isc_sockstatscounter_rawopen,
+ isc_sockstatscounter_rawopenfail,
+ isc_sockstatscounter_rawclose,
+ -1,
+ -1,
+ -1,
+ -1,
+ -1,
+ -1,
+ isc_sockstatscounter_rawrecvfail,
+};
#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL) || \
defined(USE_WATCHER_THREAD)
@@ -1744,6 +1761,7 @@ doio_recv(isc__socket_t *sock, isc_socketevent_t *dev) {
return (DOIO_EOF);
break;
case isc_sockettype_udp:
+ case isc_sockettype_raw:
break;
case isc_sockettype_fdwatch:
default:
@@ -2306,6 +2324,44 @@ opensocket(isc__socketmgr_t *manager, isc__socket_t *sock,
case isc_sockettype_unix:
sock->fd = socket(sock->pf, SOCK_STREAM, 0);
break;
+ case isc_sockettype_raw:
+ errno = EPFNOSUPPORT;
+ /*
+ * PF_ROUTE is a alias for PF_NETLINK on linux.
+ */
+#if defined(PF_ROUTE)
+ if (sock->fd == -1 && sock->pf == PF_ROUTE) {
+#ifdef NETLINK_ROUTE
+ sock->fd = socket(sock->pf, SOCK_RAW,
+ NETLINK_ROUTE);
+#else
+ sock->fd = socket(sock->pf, SOCK_RAW, 0);
+#endif
+ if (sock->fd != -1) {
+#ifdef NETLINK_ROUTE
+ struct sockaddr_nl sa;
+ int n;
+
+ /*
+ * Do an implicit bind.
+ */
+ memset(&sa, 0, sizeof(sa));
+ sa.nl_family = AF_NETLINK;
+ sa.nl_groups = RTMGRP_IPV4_IFADDR |
+ RTMGRP_IPV6_IFADDR;
+ n = bind(sock->fd,
+ (struct sockaddr *) &sa,
+ sizeof(sa));
+ if (n < 0) {
+ close(sock->fd);
+ sock->fd = -1;
+ }
+#endif
+ sock->bound = 1;
+ }
+ }
+ #endif
+ break;
case isc_sockettype_fdwatch:
/*
* We should not be called for isc_sockettype_fdwatch
@@ -2602,6 +2658,9 @@ socket_create(isc_socketmgr_t *manager0, int pf, isc_sockettype_t type,
case isc_sockettype_unix:
sock->statsindex = unixstatsindex;
break;
+ case isc_sockettype_raw:
+ sock->statsindex = rawstatsindex;
+ break;
default:
INSIST(0);
}
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index f5ff8e3..f49ff70 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -931,6 +931,7 @@ bindkeys_clauses[] = {
*/
static cfg_clausedef_t
options_clauses[] = {
+ { "automatic-interface-scan", &cfg_type_boolean, 0 },
{ "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
{ "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
{ "bindkeys-file", &cfg_type_qstring, 0 },
--
2.5.5

307
SOURCES/bind99-coverity-fixes.patch

@ -0,0 +1,307 @@ @@ -0,0 +1,307 @@
From 127701d9d32e568f09c775e722286e9c0b8c72ec Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Fri, 22 May 2015 16:56:25 +0200
Subject: [PATCH] Fix coverity issues

http://cov01.lab.eng.brq.redhat.com/covscanhub/waiving/9377/
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
bin/named/server.c | 8 +++-----
lib/dns/dispatch.c | 5 +++--
lib/dns/dst_api.c | 6 ++++++
lib/dns/gen.c | 16 +++++++++++++++-
lib/dns/name.c | 8 ++------
lib/dns/nsec3.c | 4 ++--
lib/dns/rcode.c | 4 +++-
lib/isc/netaddr.c | 1 +
lib/isc/pk11.c | 21 ++++++++++++++-------
9 files changed, 49 insertions(+), 24 deletions(-)

diff --git a/bin/named/server.c b/bin/named/server.c
index 227c646..5e94660 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -8018,9 +8018,11 @@ ns_server_sync(ns_server_t *server, char *args, isc_buffer_t *text) {
dns_zone_t *zone = NULL;
char classstr[DNS_RDATACLASS_FORMATSIZE];
char zonename[DNS_NAME_FORMATSIZE];
- const char *vname, *sep, *msg = NULL, *arg;
+ const char *vname, *sep, *arg;
isc_boolean_t cleanup = ISC_FALSE;
+ UNUSED(text);
+
(void) next_token(&args, " \t");
arg = next_token(&args, " \t");
@@ -8061,10 +8063,6 @@ ns_server_sync(ns_server_t *server, char *args, isc_buffer_t *text) {
result = synczone(zone, &cleanup);
isc_task_endexclusive(server->task);
- if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
- isc_buffer_putmem(text, (const unsigned char *)msg,
- strlen(msg) + 1);
-
view = dns_zone_getview(zone);
if (strcmp(view->name, "_default") == 0 ||
strcmp(view->name, "_bind") == 0)
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index 5063914..c93651d 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -2278,9 +2278,10 @@ dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr,
/* Create or adjust socket pool */
if (mgr->spool != NULL) {
- if (maxrequests < DNS_DISPATCH_POOLSOCKS * 2)
+ if (maxrequests < DNS_DISPATCH_POOLSOCKS * 2) {
isc_mempool_setmaxalloc(mgr->spool, DNS_DISPATCH_POOLSOCKS * 2);
isc_mempool_setfreemax(mgr->spool, DNS_DISPATCH_POOLSOCKS * 2);
+ }
UNLOCK(&mgr->buffer_lock);
return (ISC_R_SUCCESS);
}
@@ -3765,7 +3766,7 @@ dns_dispatchset_create(isc_mem_t *mctx, isc_socketmgr_t *sockmgr,
goto fail_alloc;
dset->dispatches = isc_mem_get(mctx, sizeof(dns_dispatch_t *) * n);
- if (dset == NULL) {
+ if (dset->dispatches == NULL) {
result = ISC_R_NOMEMORY;
goto fail_lock;
}
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index d96473f..e71f202 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -1882,6 +1882,9 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
#ifdef BIND9
unsigned int flags = dst_entropy_flags;
+ if (dst_entropy_pool == NULL)
+ return (ISC_R_FAILURE);
+
if (len == 0)
return (ISC_R_SUCCESS);
@@ -1914,6 +1917,9 @@ dst__entropy_status(void) {
unsigned char buf[32];
static isc_boolean_t first = ISC_TRUE;
+ if (dst_entropy_pool == NULL)
+ return (0);
+
if (first) {
/* Someone believes RAND_status() initializes the PRNG */
flags &= ~ISC_ENTROPY_GOODONLY;
diff --git a/lib/dns/gen.c b/lib/dns/gen.c
index 6b533dd..548f892 100644
--- a/lib/dns/gen.c
+++ b/lib/dns/gen.c
@@ -335,10 +335,14 @@ insert_into_typenames(int type, const char *typename, const char *attr) {
typename);
exit(1);
}
+
strncpy(ttn->typename, typename, sizeof(ttn->typename));
- ttn->type = type;
+ ttn->typename[sizeof(ttn->typename) - 1] = '\0';
strncpy(ttn->macroname, ttn->typename, sizeof(ttn->macroname));
+ ttn->macroname[sizeof(ttn->macroname) - 1] = '\0';
+
+ ttn->type = type;
c = strlen(ttn->macroname);
while (c > 0) {
if (ttn->macroname[c - 1] == '-')
@@ -364,7 +368,10 @@ insert_into_typenames(int type, const char *typename, const char *attr) {
attr, typename);
exit(1);
}
+
strncpy(ttn->attr, attr, sizeof(ttn->attr));
+ ttn->attr[sizeof(ttn->attr) - 1] = '\0';
+
ttn->sorted = 0;
if (maxtype < type)
maxtype = type;
@@ -393,11 +400,17 @@ add(int rdclass, const char *classname, int type, const char *typename,
newtt->next = NULL;
newtt->rdclass = rdclass;
newtt->type = type;
+
strncpy(newtt->classname, classname, sizeof(newtt->classname));
+ newtt->classname[sizeof(newtt->classname) - 1] = '\0';
+
strncpy(newtt->typename, typename, sizeof(newtt->typename));
+ newtt->typename[sizeof(newtt->typename) - 1] = '\0';
+
if (strncmp(dirname, "./", 2) == 0)
dirname += 2;
strncpy(newtt->dirname, dirname, sizeof(newtt->dirname));
+ newtt->dirname[sizeof(newtt->dirname) - 1] = '\0';
tt = types;
oldtt = NULL;
@@ -436,6 +449,7 @@ add(int rdclass, const char *classname, int type, const char *typename,
}
newcc->rdclass = rdclass;
strncpy(newcc->classname, classname, sizeof(newcc->classname));
+ newcc->classname[sizeof(newcc->classname) - 1] = '\0';
cc = classes;
oldcc = NULL;
diff --git a/lib/dns/name.c b/lib/dns/name.c
index 4fcabb1..93173ee 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -1859,7 +1859,6 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
0)
return (DNS_R_DISALLOWED);
new_current = c & 0x3F;
- n = 1;
state = fw_newcurrent;
} else
return (DNS_R_BADLABELTYPE);
@@ -1867,8 +1866,6 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
case fw_ordinary:
if (downcase)
c = maptolower[c];
- /* FALLTHROUGH */
- case fw_copy:
*ndata++ = c;
n--;
if (n == 0)
@@ -1877,9 +1874,6 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
case fw_newcurrent:
new_current *= 256;
new_current += c;
- n--;
- if (n != 0)
- break;
if (new_current >= biggest_pointer)
return (DNS_R_BADPOINTER);
biggest_pointer = new_current;
@@ -2398,6 +2392,8 @@ dns_name_tostring(dns_name_t *name, char **target, isc_mem_t *mctx) {
isc_buffer_usedregion(&buf, &reg);
p = isc_mem_allocate(mctx, reg.length + 1);
+ if (p == NULL)
+ return (ISC_R_NOMEMORY);
memcpy(p, (char *) reg.base, (int) reg.length);
p[reg.length] = '\0';
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 935f515..86fad33 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -842,8 +842,8 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
dns_db_detachnode(db, &newnode);
} while (1);
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
+ /* result cannot be ISC_R_NOMORE here */
+ INSIST(result != ISC_R_NOMORE);
failure:
if (dbit != NULL)
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index 0b7fe8c..091b3c7 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -216,7 +216,9 @@ maybe_numeric(unsigned int *valuep, isc_textregion_t *source,
* isc_parse_uint32(). isc_parse_uint32() requires
* null termination, so we must make a copy.
*/
- strncpy(buffer, source->base, NUMBERSIZE);
+ strncpy(buffer, source->base, sizeof(buffer));
+ buffer[sizeof(buffer) - 1] = '\0';
+
INSIST(buffer[source->length] == '\0');
result = isc_parse_uint32(&n, buffer, 10);
diff --git a/lib/isc/netaddr.c b/lib/isc/netaddr.c
index 5cce1bc..6706542 100644
--- a/lib/isc/netaddr.c
+++ b/lib/isc/netaddr.c
@@ -235,6 +235,7 @@ isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen) {
nbytes = prefixlen / 8;
nbits = prefixlen % 8;
if (nbits != 0) {
+ INSIST(nbytes < ipbytes);
if ((p[nbytes] & (0xff>>nbits)) != 0U)
return (ISC_R_FAILURE);
nbytes++;
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index 015bff2..de4479b 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -130,7 +130,10 @@
#include <pkcs11/cryptoki.h>
#include <pkcs11/pkcs11.h>
-#define PINLEN 32
+/* was 32 octets, Petr Spacek suggested 1024, SoftHSMv2 uses 256... */
+#ifndef PINLEN
+#define PINLEN 256
+#endif
#ifndef PK11_NO_LOGERR
#define PK11_NO_LOGERR 1
@@ -163,7 +166,7 @@ struct pk11_token {
char manuf[32];
char model[16];
char serial[16];
- char pin[PINLEN];
+ char pin[PINLEN + 1];
};
static ISC_LIST(pk11_token_t) tokens;
@@ -498,7 +501,9 @@ pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype,
/* Override the token's PIN */
if (logon && pin != NULL && *pin != '\0') {
- memset(token->pin, 0, PINLEN);
+ if (strlen(pin) > PINLEN)
+ return ISC_R_RANGE;
+ memset(token->pin, 0, PINLEN + 1);
strncpy(token->pin, pin, PINLEN);
}
@@ -1099,7 +1104,7 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
char *uri, *p, *a, *na, *v;
size_t len, l;
FILE *stream = NULL;
- char pin[PINLEN];
+ char pin[PINLEN + 1];
isc_boolean_t gotpin = ISC_FALSE;
isc_result_t ret;
@@ -1207,10 +1212,12 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
ret = isc_stdio_open(v, "r", &stream);
if (ret != ISC_R_SUCCESS)
goto err;
- memset(pin, 0, PINLEN);
- ret = isc_stdio_read(pin, 1, PINLEN - 1, stream, NULL);
+ memset(pin, 0, PINLEN + 1);
+ ret = isc_stdio_read(pin, 1, PINLEN + 1, stream, &l);
if ((ret != ISC_R_SUCCESS) && (ret != ISC_R_EOF))
goto err;
+ if (l > PINLEN)
+ DST_RET(ISC_R_RANGE);
ret = isc_stdio_close(stream);
stream = NULL;
if (ret != ISC_R_SUCCESS)
@@ -1238,7 +1245,7 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
DST_RET(ISC_R_NOTFOUND);
obj->slot = token->slotid;
if (gotpin) {
- memmove(token->pin, pin, PINLEN);
+ memmove(token->pin, pin, PINLEN + 1);
obj->reqlogon = ISC_TRUE;
}
--
2.1.0
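Review bot: In the pk11_parse_uri hunk the read now requests PINLEN + 1 bytes into a PINLEN + 1 buffer, so a PIN file of exactly PINLEN + 1 bytes fills it with no terminator; that is only safe because `if (l > PINLEN) DST_RET(ISC_R_RANGE);` rejects it before the buffer is used as a string, and whether `l` is reliably set on the ISC_R_EOF path depends on isc_stdio_read, which is not visible here. A comment at the read such as `/* ask for PINLEN + 1 so an over-long PIN is detected via l instead of silently truncated */` would make that intent explicit. Separately, the nsec3.c and netaddr.c hunks replace a recoverable branch with `INSIST(...)`, which turns a violated assumption about zone or prefix data into an assertion abort of named rather than an error return; if those invariants hold only by caller convention, an error return is the safer choice for a long-running daemon. The enclosing functions start and end outside the hunks.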

44
SOURCES/bind99-coverity-fixes2.patch

@ -0,0 +1,44 @@ @@ -0,0 +1,44 @@
From 1f3ac11cb4ecfab52f517ebf78493b0f05318be2 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Mon, 16 Jun 2014 15:31:04 -0700
Subject: [PATCH] [v9_9] null terminate strings for coverity

---
bin/dig/dig.c | 1 +
bin/tests/system/dlzexternal/driver.c | 6 ++++++
2 files changed, 7 insertions(+)

diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 8a5fead..6af0964 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -1453,6 +1453,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
ip6_int, ISC_FALSE) == ISC_R_SUCCESS) {
strncpy((*lookup)->textname, textname,
sizeof((*lookup)->textname));
+ (*lookup)->textname[sizeof((*lookup)->textname)-1] = 0;
debug("looking up %s", (*lookup)->textname);
(*lookup)->trace_root = ISC_TF((*lookup)->trace ||
(*lookup)->ns_search_only);
diff --git a/bin/tests/system/dlzexternal/driver.c b/bin/tests/system/dlzexternal/driver.c
index 053c25a..f99ac14 100644
--- a/bin/tests/system/dlzexternal/driver.c
+++ b/bin/tests/system/dlzexternal/driver.c
@@ -133,8 +133,14 @@ add_name(struct dlz_example_data *state, struct record *list,
return (ISC_R_NOSPACE);
strncpy(list[i].name, name, sizeof(list[i].name));
+ list[i].name[sizeof(list[i].name) - 1] = '\0';
+
strncpy(list[i].type, type, sizeof(list[i].type));
+ list[i].type[sizeof(list[i].type) - 1] = '\0';
+
strncpy(list[i].data, data, sizeof(list[i].data));
+ list[i].data[sizeof(list[i].data) - 1] = '\0';
+
list[i].ttl = ttl;
return (ISC_R_SUCCESS);
--
2.9.3
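Review bot: The dig.c hunk terminates the buffer but still lets an over-long textname through silently truncated, so dig would resolve a different name than the one the user typed; a length check before the copy that rejects names of `sizeof((*lookup)->textname)` or more would be safer than truncation. The driver.c hunk has the same pattern for name, type and data in add_name, although the test driver is lower stakes. Both enclosing functions, dash_option and add_name, begin outside the hunks.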

5176
SOURCES/bind99-dyndb.patch


13
SOURCES/bind99-forward.patch

@ -0,0 +1,13 @@ @@ -0,0 +1,13 @@
diff -up bind-9.9.0b2/lib/dns/include/dns/Makefile.in.forward bind-9.9.0b2/lib/dns/include/dns/Makefile.in
--- bind-9.9.0b2/lib/dns/include/dns/Makefile.in.forward 2011-12-07 16:17:50.822438237 +0100
+++ bind-9.9.0b2/lib/dns/include/dns/Makefile.in 2011-12-07 16:18:00.374455261 +0100
@@ -31,7 +31,8 @@ HEADERS = acl.h adb.h byaddr.h cache.h c
rdataslab.h rdatatype.h request.h resolver.h result.h \
rootns.h rpz.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \
tcpmsg.h time.h tkey.h tsig.h ttl.h types.h \
- validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h
+ validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h \
+ forward.h
GENHEADERS = enumclass.h enumtype.h rdatastruct.h

14
SOURCES/bind99-libidn4.patch

@ -0,0 +1,14 @@ @@ -0,0 +1,14 @@
diff -up bind-9.7.0-P2/bin/dig/dig.docbook.rh811566 bind-9.7.0-P2/bin/dig/dig.docbook
--- bind-9.7.0-P2/bin/dig/dig.docbook.rh811566 2012-06-20 15:50:03.206839118 +0200
+++ bind-9.7.0-P2/bin/dig/dig.docbook 2012-06-20 15:50:28.368558830 +0200
@@ -912,8 +912,8 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
<command>dig</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
- If you'd like to turn off the IDN support for some reason, defines
- the <envar>IDN_DISABLE</envar> environment variable.
+ If you'd like to turn off the IDN support for some reason, define
+ the <envar>CHARSET=ASCII</envar> environment variable.
The IDN support is disabled if the variable is set when
<command>dig</command> runs.
</para>

41
SOURCES/bind99-rh1067424.patch

@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
From 09f1a6e812c02bd8bf1644e2253e21c26d25613a Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Thu, 20 Feb 2014 11:01:00 +0100
Subject: [PATCH] check TSIG key ID when receiving NOTIFY

Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
lib/dns/zone.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 01ff97b..54b7896 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -11846,6 +11846,8 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
int match = 0;
isc_netaddr_t netaddr;
isc_sockaddr_t local, remote;
+ dns_tsigkey_t *tsigkey;
+ dns_name_t *tsig;
REQUIRE(DNS_ZONE_VALID(zone));
@@ -11928,10 +11930,12 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
/*
* Accept notify requests from non masters if they are on
- * 'zone->notify_acl'.
+ * 'zone->notify_acl' or if used key ID match the ACLs.
*/
+ tsigkey = dns_message_gettsigkey(msg);
+ tsig = dns_tsigkey_identity(tsigkey);
if (i >= zone->masterscnt && zone->notify_acl != NULL &&
- dns_acl_match(&netaddr, NULL, zone->notify_acl,
+ dns_acl_match(&netaddr, tsig, zone->notify_acl,
&zone->view->aclenv,
&match, NULL) == ISC_R_SUCCESS &&
match > 0)
--
1.8.5.3
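Review bot: The new ACL match passes the TSIG identity taken straight from the message, which is only a meaningful authorization signal if the signature was verified before dns_zone_notifyreceive runs; the hunk cannot show that, so a comment at `tsigkey = dns_message_gettsigkey(msg);` such as `/* identity is trusted only because the TSIG was already verified on receipt */` would record the assumption. For an unsigned NOTIFY from a non-master, tsigkey is NULL and dns_tsigkey_identity must tolerate that, otherwise this path would crash on unauthenticated input; please confirm it returns NULL in that case. The enclosing function body extends well beyond the hunk.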

53
SOURCES/bind99-rh1072379.patch

@ -0,0 +1,53 @@ @@ -0,0 +1,53 @@
From 7f5bdf7f4063c2fefb18900468d2c851f8de7816 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 18 Feb 2014 23:32:02 -0800
Subject: [PATCH] [master] fix dns_resolver_destroyfetch race

3747. [bug] A race condition could lead to a core dump when
destroying a resolver fetch object. [RT #35385]
---
lib/dns/resolver.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index fa188c1..66ab41f 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -357,6 +357,7 @@ typedef struct {
struct dns_fetch {
unsigned int magic;
+ isc_mem_t * mctx;
fetchctx_t * private;
};
@@ -8561,6 +8562,8 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
fetch = isc_mem_get(res->mctx, sizeof(*fetch));
if (fetch == NULL)
return (ISC_R_NOMEMORY);
+ fetch->mctx = NULL;
+ isc_mem_attach(res->mctx, &fetch->mctx);
bucketnum = dns_name_fullhash(name, ISC_FALSE) % res->nbuckets;
@@ -8651,7 +8654,7 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
FTRACE("created");
*fetchp = fetch;
} else
- isc_mem_put(res->mctx, fetch, sizeof(*fetch));
+ isc_mem_putanddetach(&fetch->mctx, fetch, sizeof(*fetch));
return (result);
}
@@ -8742,7 +8745,7 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
UNLOCK(&res->buckets[bucketnum].lock);
- isc_mem_put(res->mctx, fetch, sizeof(*fetch));
+ isc_mem_putanddetach(&fetch->mctx, fetch, sizeof(*fetch));
*fetchp = NULL;
if (bucket_empty)
--
1.9.0
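Review bot: The new `mctx` member of struct dns_fetch is undocumented even though it is the whole point of the fix; a one-line comment at `isc_mem_t * mctx;` such as `/* own reference so the fetch can be freed without touching res after the bucket lock is dropped */` would explain why the fetch no longer relies on res->mctx. Whether every error exit between the attach near the top of dns_resolver_createfetch2 and the final else now detaches cannot be confirmed from the hunk, since the function body lies outside it.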

164
SOURCES/bind99-rh1098959.patch

@ -0,0 +1,164 @@ @@ -0,0 +1,164 @@
diff -up bind-9.8.2rc1/bin/named/include/named/lwresd.h.lwres_tasks_clients bind-9.8.2rc1/bin/named/include/named/lwresd.h
--- bind-9.8.2rc1/bin/named/include/named/lwresd.h.lwres_tasks_clients 2007-06-20 01:46:59.000000000 +0200
+++ bind-9.8.2rc1/bin/named/include/named/lwresd.h 2014-05-19 09:41:56.792427201 +0200
@@ -36,6 +36,8 @@ struct ns_lwresd {
dns_view_t *view;
ns_lwsearchlist_t *search;
unsigned int ndots;
+ unsigned int ntasks;
+ unsigned int nclients;
isc_mem_t *mctx;
isc_boolean_t shutting_down;
unsigned int refs;
diff -up bind-9.8.2rc1/bin/named/lwresd.c.lwres_tasks_clients bind-9.8.2rc1/bin/named/lwresd.c
--- bind-9.8.2rc1/bin/named/lwresd.c.lwres_tasks_clients 2009-09-03 01:48:01.000000000 +0200
+++ bind-9.8.2rc1/bin/named/lwresd.c 2014-05-19 09:41:56.793427201 +0200
@@ -60,11 +60,7 @@
#define LWRESLISTENER_MAGIC ISC_MAGIC('L', 'W', 'R', 'L')
#define VALID_LWRESLISTENER(l) ISC_MAGIC_VALID(l, LWRESLISTENER_MAGIC)
-/*!
- * The total number of clients we can handle will be NTASKS * NRECVS.
- */
-#define NTASKS 2 /*%< tasks to create to handle lwres queries */
-#define NRECVS 2 /*%< max clients per task */
+#define LWRESD_NCLIENTS_MAX 32768 /*%< max clients per task */
typedef ISC_LIST(ns_lwreslistener_t) ns_lwreslistenerlist_t;
@@ -395,6 +391,24 @@ ns_lwdmanager_create(isc_mem_t *mctx, co
}
}
+ obj = NULL;
+ (void)cfg_map_get(lwres, "lwres-tasks", &obj);
+ if (obj != NULL)
+ lwresd->ntasks = cfg_obj_asuint32(obj);
+ else
+ lwresd->ntasks = ns_g_cpus;
+
+ obj = NULL;
+ (void)cfg_map_get(lwres, "lwres-clients", &obj);
+ if (obj != NULL) {
+ lwresd->nclients = cfg_obj_asuint32(obj);
+ if (lwresd->nclients > LWRESD_NCLIENTS_MAX)
+ lwresd->nclients = LWRESD_NCLIENTS_MAX;
+ } else if (ns_g_lwresdonly)
+ lwresd->nclients = 1024;
+ else
+ lwresd->nclients = 256;
+
lwresd->magic = LWRESD_MAGIC;
*lwresdp = lwresd;
@@ -604,15 +618,24 @@ static isc_result_t
listener_startclients(ns_lwreslistener_t *listener) {
ns_lwdclientmgr_t *cm;
unsigned int i;
- isc_result_t result;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD, ISC_LOG_DEBUG(6),
+ "listener_startclients: creating %d "
+ "managers with %d clients each",
+ listener->manager->ntasks, listener->manager->nclients);
/*
* Create the client managers.
*/
- result = ISC_R_SUCCESS;
- for (i = 0; i < NTASKS && result == ISC_R_SUCCESS; i++)
- result = ns_lwdclientmgr_create(listener, NRECVS,
+ for (i = 0; i < listener->manager->ntasks; i++) {
+ result = ns_lwdclientmgr_create(listener,
+ listener->manager->nclients,
ns_g_taskmgr);
+ if (result != ISC_R_SUCCESS)
+ break;
+ }
/*
* Ensure that we have created at least one.
diff -up bind-9.8.2rc1/bin/named/named.conf.docbook.lwres_tasks_clients bind-9.8.2rc1/bin/named/named.conf.docbook
--- bind-9.8.2rc1/bin/named/named.conf.docbook.lwres_tasks_clients 2011-11-07 01:31:47.000000000 +0100
+++ bind-9.8.2rc1/bin/named/named.conf.docbook 2014-05-19 09:41:56.793427201 +0200
@@ -185,6 +185,8 @@ lwres {
view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>;
search { <replaceable>string</replaceable>; ... };
ndots <replaceable>integer</replaceable>;
+ lwres-tasks <replaceable>integer</replaceable>;
+ lwres-clients <replaceable>integer</replaceable>;
};
</literallayout>
</refsect1>
diff -up bind-9.8.2rc1/doc/arm/Bv9ARM-book.xml.lwres_tasks_clients bind-9.8.2rc1/doc/arm/Bv9ARM-book.xml
--- bind-9.8.2rc1/doc/arm/Bv9ARM-book.xml.lwres_tasks_clients 2014-05-19 09:41:56.770427201 +0200
+++ bind-9.8.2rc1/doc/arm/Bv9ARM-book.xml 2014-05-19 10:26:40.147380836 +0200
@@ -2964,7 +2964,12 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.
be configured to act as a lightweight resolver daemon using the
<command>lwres</command> statement in <filename>named.conf</filename>.
</para>
-
+ <para>
+ The number of client queries that the <command>lwresd</command>
+ daemon is able to serve can be set using the
+ <option>lwres-tasks</option> and <option>lwres-clients</option>
+ statements in the configuration.
+ </para>
</sect1>
</chapter>
@@ -4959,6 +4964,8 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> view <replaceable>view_name</replaceable>; </optional>
<optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
<optional> ndots <replaceable>number</replaceable>; </optional>
+ <optional> lwres-tasks <replaceable>number</replaceable>; </optional>
+ <optional> lwres-clients <replaceable>number</replaceable>; </optional>
};
</programlisting>
@@ -5017,6 +5024,31 @@ badresp:1,adberr:0,findfail:0,valfail:0]
number of dots in a relative domain name that should result in an
exact match lookup before search path elements are appended.
</para>
+ <para>
+ The <option>lwres-tasks</option> statement specifies the number
+ of worker threads the lightweight resolver will dedicate to serving
+ clients. By default the number is the same as the number of CPUs on
+ the system; this can be overridden using the <option>-n</option>
+ command line option when starting the server.
+ </para>
+ <para>
+ The <option>lwres-clients</option> specifies
+ the number of client objects per thread the lightweight
+ resolver should create to serve client queries.
+ By default, if the lightweight resolver runs as a part
+ of <command>named</command>, 256 client objects are
+ created for each task; if it runs as <command>lwresd</command>,
+ 1024 client objects are created for each thread. The maximum
+ value is 32768; higher values will be silently ignored and
+ the maximum will be used instead.
+ Note that setting too high a value may overconsume
+ system resources.
+ </para>
+ <para>
+ The maximum number of client queries that the lightweight
+ resolver can handle at any one time equals
+ <option>lwres-tasks</option> times <option>lwres-clients</option>.
+ </para>
</sect2>
<sect2>
<title><command>masters</command> Statement Grammar</title>
diff -up bind-9.8.2rc1/lib/isccfg/namedconf.c.lwres_tasks_clients bind-9.8.2rc1/lib/isccfg/namedconf.c
--- bind-9.8.2rc1/lib/isccfg/namedconf.c.lwres_tasks_clients 2014-05-19 09:41:56.771427201 +0200
+++ bind-9.8.2rc1/lib/isccfg/namedconf.c 2014-05-19 09:41:56.797427201 +0200
@@ -2563,6 +2563,8 @@ lwres_clauses[] = {
{ "view", &cfg_type_lwres_view, 0 },
{ "search", &cfg_type_lwres_searchlist, 0 },
{ "ndots", &cfg_type_uint32, 0 },
+ { "lwres-tasks", &cfg_type_uint32, 0},
+ { "lwres-clients", &cfg_type_uint32, 0},
{ NULL, NULL, 0 }
};
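Review bot: `lwres-tasks` is read without any bound or zero check while `lwres-clients` is clamped to LWRESD_NCLIENTS_MAX, so `lwres-tasks 0` creates no client managers and a very large value loops creating that many; a guard next to the clamp, `if (lwresd->ntasks == 0) lwresd->ntasks = ns_g_cpus;`, plus an upper bound would keep the two options consistent. The debug log in listener_startclients formats the unsigned int ntasks and nclients fields with `%d`; `%u` matches their types. The ARM paragraph documents the lwres-clients maximum but says nothing about the accepted range for lwres-tasks. ns_lwdmanager_create and listener_startclients both extend outside the hunks.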

408
SOURCES/bind99-rh1214827.patch

@ -0,0 +1,408 @@ @@ -0,0 +1,408 @@
From c8cd2cd7f21ce56f93532a6d5f26239e60657acb Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Thu, 25 Jun 2015 14:53:31 +0200
Subject: [PATCH] nsupdate: Don't extract REAML from ticket, but leave it up to
GSSAPI

The current implementation of nsupdate does not work correctly with
GSSAPI in cross realm trust scenarios. The realm is currently
extracted from local kerberos ticket instead of letting GSSAPI to
figure out the realm based on the remote nameserver hostname.

RFC 4752 section 3.1 states that the client should use
GSS_C_NT_HOSTBASED_SERVICE when calling gss_import_name().

nsupdate now leaves the realm detection up to GSSAPI, if the realm is
not specified explicitly using the 'realm' option. If the option is
used, the old behavior is preserved.

Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
bin/nsupdate/nsupdate.1 | 3 +-
bin/nsupdate/nsupdate.c | 72 ++++++++-----------------------------------
bin/nsupdate/nsupdate.docbook | 2 +-
bin/nsupdate/nsupdate.html | 2 +-
bin/tests/dst/gsstest.c | 4 +--
lib/dns/gssapictx.c | 16 +++++++---
lib/dns/include/dns/tkey.h | 24 +++++++++------
lib/dns/include/dst/gssapi.h | 8 +++--
lib/dns/tkey.c | 28 +++++++++--------
9 files changed, 65 insertions(+), 94 deletions(-)

diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1
index 1e2dcaf..c847fb8 100644
--- a/bin/nsupdate/nsupdate.1
+++ b/bin/nsupdate/nsupdate.1
@@ -259,8 +259,7 @@ on the commandline.
.RS 4
When using GSS\-TSIG use
\fIrealm_name\fR
-rather than the default realm in
-\fIkrb5.conf\fR. If no realm is specified the saved realm is cleared.
+rather than leaving the realm detection up to GSSAPI. If no realm is specified the saved realm is cleared.
.RE
.PP
\fB[prereq]\fR\fB nxdomain\fR {domain\-name}
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index b901e03..644e3d9 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -2489,57 +2489,6 @@ sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
#ifdef GSSAPI
-/*
- * Get the realm from the users kerberos ticket if possible
- */
-static void
-get_ticket_realm(isc_mem_t *mctx)
-{
- krb5_context ctx;
- krb5_error_code rc;
- krb5_ccache ccache;
- krb5_principal princ;
- char *name, *ticket_realm;
-
- rc = krb5_init_context(&ctx);
- if (rc != 0)
- return;
-
- rc = krb5_cc_default(ctx, &ccache);
- if (rc != 0) {
- krb5_free_context(ctx);
- return;
- }
-
- rc = krb5_cc_get_principal(ctx, ccache, &princ);
- if (rc != 0) {
- krb5_cc_close(ctx, ccache);
- krb5_free_context(ctx);
- return;
- }
-
- rc = krb5_unparse_name(ctx, princ, &name);
- if (rc != 0) {
- krb5_free_principal(ctx, princ);
- krb5_cc_close(ctx, ccache);
- krb5_free_context(ctx);
- return;
- }
-
- ticket_realm = strrchr(name, '@');
- if (ticket_realm != NULL) {
- realm = isc_mem_strdup(mctx, ticket_realm);
- }
-
- free(name);
- krb5_free_principal(ctx, princ);
- krb5_cc_close(ctx, ccache);
- krb5_free_context(ctx);
- if (realm != NULL && debugging)
- fprintf(stderr, "Found realm from ticket: %s\n", realm+1);
-}
-
-
static void
start_gssrequest(dns_name_t *master) {
gss_ctx_id_t context;
@@ -2580,11 +2529,15 @@ start_gssrequest(dns_name_t *master) {
dns_fixedname_init(&fname);
servname = dns_fixedname_name(&fname);
- if (realm == NULL)
- get_ticket_realm(mctx);
-
- result = isc_string_printf(servicename, sizeof(servicename),
- "DNS/%s%s", namestr, realm ? realm : "");
+ if (realm != NULL) {
+ /* Use explicit REALM passed as argument */
+ result = isc_string_printf(servicename, sizeof(servicename),
+ "DNS/%s%s", namestr, realm);
+ } else {
+ /* Use service@host as advised in RFC4752 section 3.1 */
+ result = isc_string_printf(servicename, sizeof(servicename),
+ "DNS@%s", namestr);
+ }
if (result != ISC_R_SUCCESS)
fatal("isc_string_printf(servicename) failed: %s",
isc_result_totext(result));
@@ -2623,9 +2576,9 @@ start_gssrequest(dns_name_t *master) {
/* Build first request. */
context = GSS_C_NO_CONTEXT;
- result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0,
- &context, use_win2k_gsstsig,
- mctx, &err_message);
+ result = dns_tkey_buildgssquery(rmsg, keyname, servname,
+ realm != NULL ? ISC_TRUE : ISC_FALSE, NULL, 0,
+ &context, use_win2k_gsstsig, mctx, &err_message);
if (result == ISC_R_FAILURE)
fatal("tkey query failed: %s",
err_message != NULL ? err_message : "unknown error");
@@ -2765,6 +2718,7 @@ recvgss(isc_task_t *task, isc_event_t *event) {
tsigkey = NULL;
result = dns_tkey_gssnegotiate(tsigquery, rcvmsg, servname,
+ realm != NULL ? ISC_TRUE : ISC_FALSE,
&context, &tsigkey, gssring,
use_win2k_gsstsig,
&err_message);
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index c54211c..bbcc681 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -418,7 +418,7 @@
<listitem>
<para>
When using GSS-TSIG use <parameter>realm_name</parameter> rather
- than the default realm in <filename>krb5.conf</filename>. If no
+ than leaving the realm detection up to GSSAPI. If no
realm is specified the saved realm is cleared.
</para>
</listitem>
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index 276d4af..9c0eba0 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -327,7 +327,7 @@
</span></dt>
<dd><p>
When using GSS-TSIG use <em class="parameter"><code>realm_name</code></em> rather
- than the default realm in <code class="filename">krb5.conf</code>. If no
+ than leaving the realm detection up to GSSAPI. If no
realm is specified the saved realm is cleared.
</p></dd>
<dt><span class="term">
diff --git a/bin/tests/dst/gsstest.c b/bin/tests/dst/gsstest.c
index c1296f7..7c85d0b 100755
--- a/bin/tests/dst/gsstest.c
+++ b/bin/tests/dst/gsstest.c
@@ -309,7 +309,7 @@ initctx2(isc_task_t *task, isc_event_t *event) {
printf("Received token from server, calling gss_init_sec_context()\n");
isc_buffer_init(&outtoken, array, DNS_NAME_MAXTEXT + 1);
result = dns_tkey_processgssresponse(query, response,
- dns_fixedname_name(&gssname),
+ dns_fixedname_name(&gssname), ISC_FALSE,
&gssctx, &outtoken,
&tsigkey, ring, NULL);
gssctx = *gssctxp;
@@ -396,7 +396,7 @@ initctx1(isc_task_t *task, isc_event_t *event) {
printf("Calling gss_init_sec_context()\n");
gssctx = GSS_C_NO_CONTEXT;
result = dns_tkey_buildgssquery(query, dns_fixedname_name(&servername),
- dns_fixedname_name(&gssname),
+ dns_fixedname_name(&gssname), ISC_FALSE,
NULL, 36000, &gssctx, ISC_TRUE,
mctx, NULL);
CHECK("dns_tkey_buildgssquery", result);
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index aeaeb85..21222e0 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -558,14 +558,15 @@ gss_err_message(isc_mem_t *mctx, isc_uint32_t major, isc_uint32_t minor,
#endif
isc_result_t
-dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
- isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
- isc_mem_t *mctx, char **err_message)
+dst_gssapi_initctx(dns_name_t *name, isc_boolean_t explicit_realm,
+ isc_buffer_t *intoken, isc_buffer_t *outtoken,
+ gss_ctx_id_t *gssctx, isc_mem_t *mctx, char **err_message)
{
#ifdef GSSAPI
isc_region_t r;
isc_buffer_t namebuf;
gss_name_t gname;
+ gss_OID gname_type;
OM_uint32 gret, minor, ret_flags, flags;
gss_buffer_desc gintoken, *gintokenp, gouttoken = GSS_C_EMPTY_BUFFER;
isc_result_t result;
@@ -580,7 +581,13 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
name_to_gbuffer(name, &namebuf, &gnamebuf);
/* Get the name as a GSS name */
- gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
+ if (explicit_realm == ISC_TRUE) {
+ gname_type = GSS_C_NO_OID;
+ } else {
+ gname_type = GSS_C_NT_HOSTBASED_SERVICE;
+ }
+
+ gret = gss_import_name(&minor, &gnamebuf, gname_type, &gname);
if (gret != GSS_S_COMPLETE) {
gss_err_message(mctx, gret, minor, err_message);
result = ISC_R_FAILURE;
@@ -642,6 +649,7 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
return (result);
#else
UNUSED(name);
+ UNUSED(explicit_realm);
UNUSED(intoken);
UNUSED(outtoken);
UNUSED(gssctx);
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
index 0dcec1e..a0e6c2a 100644
--- a/lib/dns/include/dns/tkey.h
+++ b/lib/dns/include/dns/tkey.h
@@ -123,9 +123,9 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
- isc_buffer_t *intoken, isc_uint32_t lifetime,
- gss_ctx_id_t *context, isc_boolean_t win2k,
- isc_mem_t *mctx, char **err_message);
+ isc_boolean_t explicit_realm, isc_buffer_t *intoken,
+ isc_uint32_t lifetime, gss_ctx_id_t *context,
+ isc_boolean_t win2k, isc_mem_t *mctx, char **err_message);
/*%<
* Builds a query containing a TKEY that will generate a GSSAPI context.
* The key is requested to have the specified lifetime (in seconds).
@@ -134,6 +134,8 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
*\li 'msg' is a valid message
*\li 'name' is a valid name
*\li 'gname' is a valid name
+ *\li 'explicit_realm' ISC_TRUE if an explicit realm is used,
+ * ISC_FALSE if the realm detection is left up to GSSAPI.
*\li 'context' is a pointer to a valid gss_ctx_id_t
* (which may have the value GSS_C_NO_CONTEXT)
*\li 'win2k' when true says to turn on some hacks to work
@@ -188,9 +190,10 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dns_name_t *gname, gss_ctx_id_t *context,
- isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
- dns_tsig_keyring_t *ring, char **err_message);
+ dns_name_t *gname, isc_boolean_t explicit_realm,
+ gss_ctx_id_t *context, isc_buffer_t *outtoken,
+ dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
+ char **err_message);
/*%<
* XXX
*/
@@ -216,9 +219,10 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
isc_result_t
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
- dns_name_t *server, gss_ctx_id_t *context,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
- isc_boolean_t win2k, char **err_message);
+ dns_name_t *server, isc_boolean_t explicit_realm,
+ gss_ctx_id_t *context, dns_tsigkey_t **outkey,
+ dns_tsig_keyring_t *ring, isc_boolean_t win2k,
+ char **err_message);
/*
* Client side negotiation of GSS-TSIG. Process the response
@@ -231,6 +235,8 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
* it will be filled with the new message to send
* 'rmsg' is a valid message, the incoming TKEY message
* 'server' is the server name
+ * 'explicit_realm' ISC_TRUE if an explicit realm is used,
+ * ISC_FALSE if the realm detection is left up to GSSAPI.
* 'context' is the input context handle
* 'outkey' receives the established key, if non-NULL;
* if non-NULL must point to NULL
diff --git a/lib/dns/include/dst/gssapi.h b/lib/dns/include/dst/gssapi.h
index 1e81a55..d093fa3 100644
--- a/lib/dns/include/dst/gssapi.h
+++ b/lib/dns/include/dst/gssapi.h
@@ -93,15 +93,17 @@ dst_gssapi_releasecred(gss_cred_id_t *cred);
*/
isc_result_t
-dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
- isc_buffer_t *outtoken, gss_ctx_id_t *gssctx,
- isc_mem_t *mctx, char **err_message);
+dst_gssapi_initctx(dns_name_t *name, isc_boolean_t explicit_realm,
+ isc_buffer_t *intoken, isc_buffer_t *outtoken,
+ gss_ctx_id_t *gssctx, isc_mem_t *mctx, char **err_message);
/*
* Initiates a GSS context.
*
* Requires:
* 'name' is a valid name, preferably one known by the GSS
* provider
+ * 'explicit_realm' True if the REALM is explicitly included in the 'name',
+ * otherwise leave the REALM detection up to GSSAPI
* 'intoken' is a token received from the acceptor, or NULL if
* there isn't one
* 'outtoken' is a buffer to receive the token generated by
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 20c98e5..3463d3a 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -1016,9 +1016,9 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
isc_result_t
dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
- isc_buffer_t *intoken, isc_uint32_t lifetime,
- gss_ctx_id_t *context, isc_boolean_t win2k,
- isc_mem_t *mctx, char **err_message)
+ isc_boolean_t explicit_realm, isc_buffer_t *intoken,
+ isc_uint32_t lifetime, gss_ctx_id_t *context,
+ isc_boolean_t win2k, isc_mem_t *mctx, char **err_message)
{
dns_rdata_tkey_t tkey;
isc_result_t result;
@@ -1035,7 +1035,7 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
REQUIRE(mctx != NULL);
isc_buffer_init(&token, array, sizeof(array));
- result = dst_gssapi_initctx(gname, NULL, &token, context,
+ result = dst_gssapi_initctx(gname, explicit_realm, NULL, &token, context,
mctx, err_message);
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
return (result);
@@ -1251,9 +1251,10 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
isc_result_t
dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dns_name_t *gname, gss_ctx_id_t *context,
- isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
- dns_tsig_keyring_t *ring, char **err_message)
+ dns_name_t *gname, isc_boolean_t explicit_realm,
+ gss_ctx_id_t *context, isc_buffer_t *outtoken,
+ dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
+ char **err_message)
{
dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
dns_name_t *tkeyname;
@@ -1304,7 +1305,7 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
isc_buffer_init(outtoken, array, sizeof(array));
isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
- RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context,
+ RETERR(dst_gssapi_initctx(gname, explicit_realm, &intoken, outtoken, context,
ring->mctx, err_message));
RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
@@ -1384,9 +1385,10 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
isc_result_t
dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
- dns_name_t *server, gss_ctx_id_t *context,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
- isc_boolean_t win2k, char **err_message)
+ dns_name_t *server, isc_boolean_t explicit_realm,
+ gss_ctx_id_t *context, dns_tsigkey_t **outkey,
+ dns_tsig_keyring_t *ring, isc_boolean_t win2k,
+ char **err_message)
{
dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
dns_name_t *tkeyname;
@@ -1430,8 +1432,8 @@ dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
isc_buffer_init(&outtoken, array, sizeof(array));
- result = dst_gssapi_initctx(server, &intoken, &outtoken, context,
- ring->mctx, err_message);
+ result = dst_gssapi_initctx(server, explicit_realm, &intoken, &outtoken,
+ context, ring->mctx, err_message);
if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
return (result);
--
2.4.3
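Review bot: With the realm left to GSSAPI, the principal built at the new `"DNS@%s", namestr` branch of start_gssrequest is resolved entirely by the krb5 library's host-to-realm mapping ([domain_realm], or DNS TXT lookups when dns_lookup_realm is on) and, because the name is imported as GSS_C_NT_HOSTBASED_SERVICE, its host part may additionally be canonicalized through forward/reverse DNS depending on dns_canonicalize_hostname/rdns; since namestr is presumably derived from the zone's master name, the service principal nsupdate authenticates to is now determined by DNS-supplied data on both sides, which is a known spoofing avenue when DNS is untrusted. This is inherent to GSS-TSIG rather than introduced here, but after this change the `realm` command is the only way to pin the target realm and neither the code nor the nsupdate.1 hunk says so. I would add above the `else` branch: `/* Realm selection and host canonicalization are left to the krb5 mechanism; use the 'realm' command to pin the target realm when DNS cannot be trusted. */` and one sentence to that effect in the man page. The explicit-realm branch still expects `realm` to carry its leading '@' (the removed get_ticket_realm kept it), which is worth a comment too. start_gssrequest begins and ends outside the hunk.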

178
SOURCES/bind99-rh1215164.patch

@ -0,0 +1,178 @@ @@ -0,0 +1,178 @@
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index 8538ca8..0ab0049 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -251,7 +251,7 @@ so that include directives in the configuration file are processed as if run by
.PP
\-T \fImode\fR
.RS 4
-Check if Sender Policy Framework records (TXT and SPF) both exist or both don't exist. A warning is issued if they don't match. Possible modes are
+Check if Sender Policy Framework (SPF) records exist and issues a warning if an SPF-formatted TXT record is not also present. Possible modes are
\fB"warn"\fR
(default),
\fB"ignore"\fR.
diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook
index ea37fa2..e78d574 100644
--- a/bin/check/named-checkzone.docbook
+++ b/bin/check/named-checkzone.docbook
@@ -408,10 +408,10 @@
<term>-T <replaceable class="parameter">mode</replaceable></term>
<listitem>
<para>
- Check if Sender Policy Framework records (TXT and SPF)
- both exist or both don't exist. A warning is issued
- if they don't match. Possible modes are
- <command>"warn"</command> (default), <command>"ignore"</command>.
+ Check if Sender Policy Framework (SPF) records exist
+ and issues a warning if an SPF-formatted TXT record is
+ not also present. Possible modes are <command>"warn"</command>
+ (default), <command>"ignore"</command>.
</para>
</listitem>
</varlistentry>
diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh
index 2353c14..7d9192e 100644
--- a/bin/tests/system/checkzone/tests.sh
+++ b/bin/tests/system/checkzone/tests.sh
@@ -44,12 +44,12 @@ echo "I:checking with spf warnings ($n)"
ret=0
$CHECKZONE example zones/spf.db > test.out1.$n 2>&1 || ret=1
$CHECKZONE -T ignore example zones/spf.db > test.out2.$n 2>&1 || ret=1
-grep "'x.example' found SPF/TXT" test.out1.$n > /dev/null || ret=1
-grep "'y.example' found SPF/SPF" test.out1.$n > /dev/null || ret=1
-grep "'example' found SPF/" test.out1.$n > /dev/null && ret=1
-grep "'x.example' found SPF/" test.out2.$n > /dev/null && ret=1
-grep "'y.example' found SPF/" test.out2.$n > /dev/null && ret=1
-grep "'example' found SPF/" test.out2.$n > /dev/null && ret=1
+grep "'x.example' found type SPF" test.out1.$n > /dev/null && ret=1
+grep "'y.example' found type SPF" test.out1.$n > /dev/null || ret=1
+grep "'example' found type SPF" test.out1.$n > /dev/null && ret=1
+grep "'x.example' found type SPF" test.out2.$n > /dev/null && ret=1
+grep "'y.example' found type SPF" test.out2.$n > /dev/null && ret=1
+grep "'example' found type SPF" test.out2.$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
diff --git a/bin/tests/system/spf/tests.sh b/bin/tests/system/spf/tests.sh
index 6acd283..3da6e2e 100644
--- a/bin/tests/system/spf/tests.sh
+++ b/bin/tests/system/spf/tests.sh
@@ -24,19 +24,16 @@ echo "I:checking that SPF warnings have been correctly generated ($n)"
ret=0
grep "zone spf/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1
-grep "'x.spf' found SPF/TXT" ns1/named.run > /dev/null || ret=1
-grep "'y.spf' found SPF/SPF" ns1/named.run > /dev/null || ret=1
-grep "'spf' found SPF/" ns1/named.run > /dev/null && ret=1
+grep "'y.spf' found type SPF" ns1/named.run > /dev/null || ret=1
+grep "'spf' found type SPF" ns1/named.run > /dev/null && ret=1
grep "zone warn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1
-grep "'x.warn' found SPF/TXT" ns1/named.run > /dev/null || ret=1
-grep "'y.warn' found SPF/SPF" ns1/named.run > /dev/null || ret=1
-grep "'warn' found SPF/" ns1/named.run > /dev/null && ret=1
+grep "'y.warn' found type SPF" ns1/named.run > /dev/null || ret=1
+grep "'warn' found type SPF" ns1/named.run > /dev/null && ret=1
grep "zone nowarn/IN: loaded serial 0" ns1/named.run > /dev/null || ret=1
-grep "'x.nowarn' found SPF/" ns1/named.run > /dev/null && ret=1
-grep "'y.nowarn' found SPF/" ns1/named.run > /dev/null && ret=1
-grep "'nowarn' found SPF/" ns1/named.run > /dev/null && ret=1
+grep "'y.nowarn' found type SPF" ns1/named.run > /dev/null && ret=1
+grep "'nowarn' found type SPF" ns1/named.run > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 96c9faf..bd42e11 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -4750,7 +4750,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
- <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+ <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> allow-new-zones { <replaceable>yes_or_no</replaceable> }; </optional>
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
@@ -6573,10 +6573,13 @@ options {
The default is <command>yes</command>.
</para>
<para>
- Check that the two forms of Sender Policy Framework
- records (TXT records starting with "v=spf1" and SPF) either
- both exist or both don't exist. Warnings are
- emitted it they don't and be suppressed with
+ The use of the SPF record for publishing Sender
+ Policy Framework is deprecated as the migration
+ from using TXT records to SPF records was abandoned.
+ Enabling this option also checks that a TXT Sender
+ Policy Framework record exists (starts with "v=spf1")
+ if there is an SPF record. Warnings are emitted if the
+ TXT record does not exist and can be suppressed with
<command>check-spf</command>.
</para>
</listitem>
@@ -6618,11 +6621,11 @@ options {
<term><command>check-spf</command></term>
<listitem>
<para>
- When performing integrity checks, check that the
- two forms of Sender Policy Framwork records (TXT
- records starting with "v=spf1" and SPF) both exist
- or both don't exist and issue a warning if not
- met. The default is <command>warn</command>.
+ If <command>check-integrity</command> is set then
+ check that there is a TXT Sender Policy Framework
+ record present (starts with "v=spf1") if there is an
+ SPF record present. The default is
+ <command>warn</command>.
</para>
</listitem>
</varlistentry>
@@ -10372,7 +10375,7 @@ view "external" {
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
- <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+ <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>ignore</replaceable> ); </optional>
<optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
<optional> file <replaceable>string</replaceable> ; </optional>
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 86fad98..08c6d10 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -2612,8 +2612,8 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
checkspf:
/*
- * Check if there is a type TXT spf record without a type SPF
- * RRset being present.
+ * Check if there is a type SPF record without an
+ * SPF-formatted type TXT record also being present.
*/
if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKSPF))
goto next;
@@ -2642,16 +2642,13 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
dns_rdataset_disassociate(&rdataset);
notxt:
- if (have_spf != have_txt) {
+ if (have_spf && !have_txt) {
char namebuf[DNS_NAME_FORMATSIZE];
- const char *found = have_txt ? "TXT" : "SPF";
- const char *need = have_txt ? "SPF" : "TXT";
dns_name_format(name, namebuf, sizeof(namebuf));
- dns_zone_log(zone, ISC_LOG_WARNING, "'%s' found SPF/%s "
- "record but no SPF/%s record found, add "
- "matching type %s record", namebuf, found,
- need, need);
+ dns_zone_log(zone, ISC_LOG_WARNING, "'%s' found type "
+ "SPF record but no SPF TXT record found, "
+ "add matching type TXT record", namebuf);
}
next:
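Review bot: The Bv9ARM hunks drop `fail` from the documented `check-spf ( warn | ignore )` grammar, but the patch touches no config-parser or zone-option code, so either `fail` was never accepted for this option or it is still parsed and is now merely undocumented; please confirm against the option table in lib/isccfg and zoneconf.c, and if `fail` still parses either keep it in the grammar or reject it with a config error. The named-checkzone.8/docbook wording `Check if Sender Policy Framework (SPF) records exist and issues a warning` mixes imperative and third person; `Check that an SPF-formatted TXT record exists wherever a type SPF record exists, and issue a warning if it does not` matches what the `have_spf && !have_txt` test in zone.c now does. integrity_checks starts and ends outside the hunk.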

67
SOURCES/bind99-rh1215687-limits.patch

@ -0,0 +1,67 @@ @@ -0,0 +1,67 @@
diff -up bind-9.9.4/bin/named/interfacemgr.c.rh1215687-limits bind-9.9.4/bin/named/interfacemgr.c
--- bind-9.9.4/bin/named/interfacemgr.c.rh1215687-limits 2015-05-20 16:08:21.286007013 +0200
+++ bind-9.9.4/bin/named/interfacemgr.c 2015-05-20 16:21:49.227001713 +0200
@@ -275,7 +275,7 @@ ns_interface_listenudp(ns_interface_t *i
result = dns_dispatch_getudp_dup(ifp->mgr->dispatchmgr,
ns_g_socketmgr,
ns_g_taskmgr, &ifp->addr,
- 4096, 1000, 32768, 8219, 8237,
+ 4096, 32768, 32768, 8219, 8237,
attrs, attrmask,
&ifp->udpdispatch[disp],
disp == 0
diff -up bind-9.9.4/bin/named/server.c.rh1215687-limits bind-9.9.4/bin/named/server.c
--- bind-9.9.4/bin/named/server.c.rh1215687-limits 2015-05-20 16:08:21.272006979 +0200
+++ bind-9.9.4/bin/named/server.c 2015-05-20 16:08:21.288007018 +0200
@@ -992,7 +992,7 @@ get_view_querysource_dispatch(const cfg_
}
if (isc_sockaddr_getport(&sa) == 0) {
attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
- maxdispatchbuffers = 4096;
+ maxdispatchbuffers = 32768;
} else {
INSIST(obj != NULL);
if (is_firstview) {
@@ -1001,7 +1001,7 @@ get_view_querysource_dispatch(const cfg_
"suppresses port randomization and can be "
"insecure.");
}
- maxdispatchbuffers = 1000;
+ maxdispatchbuffers = 32768;
}
attrmask = 0;
@@ -6491,7 +6491,7 @@ ns_add_reserved_dispatch(ns_server_t *se
result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
ns_g_taskmgr, &dispatch->addr, 4096,
- 1000, 32768, 16411, 16433,
+ 32768, 32768, 16411, 16433,
attrs, attrmask, &dispatch->dispatch);
if (result != ISC_R_SUCCESS)
goto cleanup;
diff -up bind-9.9.4/lib/dns/dispatch.c.rh1215687-limits bind-9.9.4/lib/dns/dispatch.c
diff -up bind-9.9.4/lib/dns/request.c.rh1215687-limits bind-9.9.4/lib/dns/request.c
--- bind-9.9.4/lib/dns/request.c.rh1215687-limits 2013-09-05 07:09:08.000000000 +0200
+++ bind-9.9.4/lib/dns/request.c 2015-05-20 16:08:21.286007013 +0200
@@ -601,7 +601,7 @@ find_udp_dispatch(dns_requestmgr_t *requ
requestmgr->socketmgr,
requestmgr->taskmgr,
srcaddr, 4096,
- 1000, 32768, 16411, 16433,
+ 32768, 32768, 16411, 16433,
attrs, attrmask,
dispatchp));
}
diff -up bind-9.9.4/lib/dns/resolver.c.rh1215687-limits bind-9.9.4/lib/dns/resolver.c
--- bind-9.9.4/lib/dns/resolver.c.rh1215687-limits 2015-05-20 16:08:21.277006991 +0200
+++ bind-9.9.4/lib/dns/resolver.c 2015-05-20 16:08:21.285007010 +0200
@@ -1489,7 +1489,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddr
result = dns_dispatch_getudp(res->dispatchmgr,
res->socketmgr,
res->taskmgr, &addr,
- 4096, 1000, 32768, 16411,
+ 4096, 20000, 32768, 16411,
16433, attrs, attrmask,
&query->dispatch);
if (result != ISC_R_SUCCESS)
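Review bot: Raising the second numeric argument from 1000 to 32768 at every dns_dispatch_getudp()/dns_dispatch_getudp_dup() call site lifts a cap that bounds how much memory outstanding UDP receive buffers can pin: if that argument is the dispatch's buffer-count limit (its position right after the 4096 buffer size suggests so), each dispatch may now hold up to 128 MiB (80 MiB for the 20000 in resolver.c) under a query or response flood, where the old value bounded it near 4 MiB, so this trades a resource-exhaustion bound for throughput and deserves a note for hosts with many listening interfaces or views. The same literal is now repeated in five places with one unexplained outlier; a single named constant such as `#define DNS_DISPATCH_MAXBUFFERS 32768` beside the existing buffer-size value, plus a comment on why the resolver uses a different figure, would keep them from drifting. The stray `diff -up ... lib/dns/dispatch.c.rh1215687-limits` header with no hunk is harmless but should be dropped from the patch. All enclosing functions start and end outside the hunks.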

5539
SOURCES/bind99-rh1220594-geoip.patch


12
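--- a/SOURCES/bind99-rh1259514.patch
+++ b/SOURCES/bind99-rh1259514.patch
@@ -0,0 +1,12 @@
+diff --git a/bin/tests/system/tkey/ns1/named.conf.in b/bin/tests/system/tkey/ns1/named.conf.in
+index 50600b7..b0f1700 100644
+--- a/bin/tests/system/tkey/ns1/named.conf.in
++++ b/bin/tests/system/tkey/ns1/named.conf.in
+@@ -32,6 +32,7 @@ options {
+tkey-domain "server";
+tkey-dhkey "server" KEYID;
+allow-query-cache { any; };
++ random-device "/dev/urandom";
+};
+key rndc_key {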

58
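--- a/SOURCES/bind99-rh1291185.patch
+++ b/SOURCES/bind99-rh1291185.patch
@@ -0,0 +1,58 @@
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8696b15..5ef2dd6 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -7373,9 +7373,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
+* NXDOMAIN, NXRDATASET, or referral.
+*/
+result = noanswer_response(fctx, NULL, 0);
+- if (result == DNS_R_CHASEDSSERVERS) {
+- } else if (result == DNS_R_DELEGATION) {
+- force_referral:
++ switch (result) {
++ case ISC_R_SUCCESS:
++ case DNS_R_CHASEDSSERVERS:
++ break;
++ case DNS_R_DELEGATION:
++ force_referral:
+/*
+* We don't have the answer, but we know a better
+* place to look.
+@@ -7400,7 +7403,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
+fctx->adberr = 0;
+result = ISC_R_SUCCESS;
+- } else if (result != ISC_R_SUCCESS) {
++ break;
++ default:
+/*
+* Something has gone wrong.
+*/
+diff --git a/lib/dns/view.c b/lib/dns/view.c
+index 142b09e..35900b3 100644
+--- a/lib/dns/view.c
++++ b/lib/dns/view.c
+@@ -1216,6 +1216,7 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
+dns_name_t *zfname;
+dns_rdataset_t zrdataset, zsigrdataset;
+dns_fixedname_t zfixedname;
++ unsigned int ztoptions = 0;
+#ifndef BIND9
+UNUSED(zone);
+@@ -1242,9 +1243,12 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
+#ifdef BIND9
+zone = NULL;
+LOCK(&view->lock);
+- if (view->zonetable != NULL)
+- result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
+- else
++ if (view->zonetable != NULL) {
++ if ((options & DNS_DBFIND_NOEXACT) != 0)
++ ztoptions |= DNS_ZTFIND_NOEXACT;
++ result = dns_zt_find(view->zonetable, name, ztoptions,
++ NULL, &zone);
++ } else
+result = ISC_R_NOTFOUND;
+if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+result = dns_zone_getdb(zone, &db);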
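Review bot: `unsigned int ztoptions = 0;` in dns_view_findzonecut2 is declared unconditionally but only read inside the `#ifdef BIND9` block, so in the export-library build (the `#ifndef BIND9` branch that already carries `UNUSED(zone);`) it is a set-but-unused variable and a warning under -Wunused-but-set-variable; add `UNUSED(ztoptions);` beside `UNUSED(zone);`. In resolver.c the `force_referral:` label now lives inside the `case DNS_R_DELEGATION:` arm, which is legal C but means a `goto force_referral` from elsewhere in resquery_response enters the switch body sideways; a one-line comment at the label, `/* reached by goto force_referral from outside this switch; exits via the break below */`, would spare the next reader a double take. Both functions start and end outside the hunks.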

1847
SOURCES/bind99-rh1306610.patch


41
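--- a/SOURCES/bind99-rh1392362.patch
+++ b/SOURCES/bind99-rh1392362.patch
@@ -0,0 +1,41 @@
+From 3acf8e092f95233bc3d854e161569487dce83ba2 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 3 Feb 2017 14:22:03 +1100
+Subject: [PATCH] 4567. [port] Call getprotobyname and getservbyname prior to
+calling chroot so that shared libraries get loaded. [RT #44537]
+
+---
+lib/isc/unix/dir.c | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/lib/isc/unix/dir.c b/lib/isc/unix/dir.c
+index 0d64778..ee80f41 100644
+--- a/lib/isc/unix/dir.c
++++ b/lib/isc/unix/dir.c
+@@ -31,6 +31,7 @@
+#include <isc/dir.h>
+#include <isc/magic.h>
++#include <isc/netdb.h>
+#include <isc/string.h>
+#include <isc/util.h>
+@@ -172,6 +173,15 @@ isc_dir_chroot(const char *dirname) {
+REQUIRE(dirname != NULL);
+#ifdef HAVE_CHROOT
++ /*
++ * Try to use getservbyname and getprotobyname before chroot.
++ * If WKS records are used in a zone under chroot, Name Service Switch
++ * may fail to load library in chroot.
++ * Do not report errors if it fails, we do not need any result now.
++ */
++ if (getprotobyname("udp"))
++ (void)getservbyname("domain", "udp");
++
+if (chroot(dirname) < 0 || chdir("/") < 0)
+return (isc__errno2result(errno));
+--
+2.9.3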
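Review bot: The warm-up in isc_dir_chroot only maps the NSS backends that nsswitch.conf lists for the `protocols` and `services` databases, and only those the first successful lookup actually touches, so a later lookup that falls through to another configured source can still fail to dlopen() inside the chroot; the comment should present this as a best-effort preload of shared objects rather than a guarantee. I would reword it to: `Perform a throw-away getprotobyname()/getservbyname() pair before chroot() so that the NSS shared objects behind them are mapped while the library path is still reachable; WKS record handling under chroot otherwise fails to load them. Results and errors are deliberately ignored.` The `if (getprotobyname("udp"))` guard also silently skips the services lookup when the protocols lookup fails, which is acceptable for a preload but worth one clause in that comment. isc_dir_chroot continues outside the hunk.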

139
SOURCES/bind99-rh1416304.patch

@ -0,0 +1,139 @@ @@ -0,0 +1,139 @@
From e7a2611c555e03314ac4f7960044b05cce040364 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 31 Jul 2014 11:38:11 +1000
Subject: [PATCH] 3905. [bug] Address deadlock between view.c and adb.c. [RT
#36341]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Original-commit: 5e746ab61ed8158f784b86111fef95581a08b7dd
Signed-off-by: Petr Menšík <pemensik@redhat.com>
---
lib/dns/adb.c | 57 +++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 41 insertions(+), 16 deletions(-)

diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index a6da94d..ac89e66 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: adb.c,v 1.264 2011/12/05 17:10:51 each Exp $ */
-
/*! \file
*
* \note
@@ -157,7 +155,7 @@ struct dns_adb {
unsigned int *entry_refcnt;
isc_event_t cevent;
- isc_boolean_t cevent_sent;
+ isc_boolean_t cevent_out;
isc_boolean_t shutting_down;
isc_eventlist_t whenshutdown;
isc_event_t growentries;
@@ -322,6 +320,7 @@ static inline isc_boolean_t unlink_entry(dns_adb_t *, dns_adbentry_t *);
static isc_boolean_t kill_name(dns_adbname_t **, isc_eventtype_t);
static void water(void *, int);
static void dump_entry(FILE *, dns_adbentry_t *, isc_boolean_t, isc_stdtime_t);
+static void shutdown_task(isc_task_t *task, isc_event_t *ev);
/*
* MUST NOT overlap DNS_ADBFIND_* flags!
@@ -1499,10 +1498,13 @@ check_exit(dns_adb_t *adb) {
* If there aren't any external references either, we're
* done. Send the control event to initiate shutdown.
*/
- INSIST(!adb->cevent_sent); /* Sanity check. */
+ INSIST(!adb->cevent_out); /* Sanity check. */
+ ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
+ DNS_EVENT_ADBCONTROL, shutdown_task, adb,
+ adb, NULL, NULL);
event = &adb->cevent;
isc_task_send(adb->task, &event);
- adb->cevent_sent = ISC_TRUE;
+ adb->cevent_out = ISC_TRUE;
}
}
@@ -2431,10 +2433,9 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
adb->view = view;
adb->taskmgr = taskmgr;
adb->next_cleanbucket = 0;
- ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
- DNS_EVENT_ADBCONTROL, shutdown_task, adb,
- adb, NULL, NULL);
- adb->cevent_sent = ISC_FALSE;
+ ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent),
+ 0, NULL, 0, NULL, NULL, NULL, NULL, NULL);
+ adb->cevent_out = ISC_FALSE;
adb->shutting_down = ISC_FALSE;
ISC_LIST_INIT(adb->whenshutdown);
@@ -2468,7 +2469,7 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
"intializing table sizes to %u\n",
nbuckets[11]);
adb->nentries = nbuckets[11];
- adb->nnames= nbuckets[11];
+ adb->nnames = nbuckets[11];
}
@@ -2741,9 +2742,28 @@ dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp) {
UNLOCK(&adb->lock);
}
+static void
+shutdown_stage2(isc_task_t *task, isc_event_t *event) {
+ dns_adb_t *adb;
+
+ UNUSED(task);
+
+ adb = event->ev_arg;
+ INSIST(DNS_ADB_VALID(adb));
+
+ LOCK(&adb->lock);
+ INSIST(adb->shutting_down);
+ adb->cevent_out = ISC_FALSE;
+ (void)shutdown_names(adb);
+ (void)shutdown_entries(adb);
+ if (dec_adb_irefcnt(adb))
+ check_exit(adb);
+ UNLOCK(&adb->lock);
+}
+
void
dns_adb_shutdown(dns_adb_t *adb) {
- isc_boolean_t need_check_exit;
+ isc_event_t *event;
/*
* Shutdown 'adb'.
@@ -2754,11 +2774,16 @@ dns_adb_shutdown(dns_adb_t *adb) {
if (!adb->shutting_down) {
adb->shutting_down = ISC_TRUE;
isc_mem_setwater(adb->mctx, water, adb, 0, 0);
- need_check_exit = shutdown_names(adb);
- if (!need_check_exit)
- need_check_exit = shutdown_entries(adb);
- if (need_check_exit)
- check_exit(adb);
+ /*
+ * Isolate shutdown_names and shutdown_entries calls.
+ */
+ inc_adb_irefcnt(adb);
+ ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
+ DNS_EVENT_ADBCONTROL, shutdown_stage2, adb,
+ adb, NULL, NULL);
+ adb->cevent_out = ISC_TRUE;
+ event = &adb->cevent;
+ isc_task_send(adb->task, &event);
}
UNLOCK(&adb->lock);
--
2.9.3

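--- /dev/null
+++ b/SOURCES/bind99-rh1464850-2.patch
@@ -0,0 +1,102 @@
+From a58f31659a924c59f6342d79d2c19ee956453d82 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Sat, 18 Oct 2014 12:40:13 +1100
+Subject: [PATCH 2/2] 3980. [bug] Improve --with-tuning=large by
+self tuning of SO_RCVBUF size. [RT #37187]
+
+(cherry picked from commit 871f3c8beeb2134b17414ec167b90a57adb8e122)
+---
+lib/isc/unix/socket.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++----
+1 file changed, 61 insertions(+), 5 deletions(-)
+
+diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
+index af0c3bc..90953ff 100644
+--- a/lib/isc/unix/socket.c
++++ b/lib/isc/unix/socket.c
+@@ -2245,6 +2245,62 @@ free_socket(isc__socket_t **socketp) {
+*socketp = NULL;
+}
++#ifdef SO_RCVBUF
++static isc_once_t rcvbuf_once = ISC_ONCE_INIT;
++static int rcvbuf = RCVBUFSIZE;
++
++static void
++set_rcvbuf(void) {
++ int fd;
++ int max = rcvbuf, min;
++ ISC_SOCKADDR_LEN_T len;
++
++ fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
++#if defined(ISC_PLATFORM_HAVEIPV6)
++ if (fd == -1) {
++ switch (errno) {
++ case EPROTONOSUPPORT:
++ case EPFNOSUPPORT:
++ case EAFNOSUPPORT:
++ /*
++ * Linux 2.2 (and maybe others) return EINVAL instead of
++ * EAFNOSUPPORT.
++ */
++ case EINVAL:
++ fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
++ break;
++ }
++ }
++#endif
++ if (fd == -1)
++ return;
++
++ len = sizeof(min);
++ if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, (void *)&min, &len) >= 0 &&
++ min < rcvbuf) {
++ again:
++ if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, (void *)&rcvbuf,
++ sizeof(rcvbuf)) == -1) {
++ if (errno == ENOBUFS && rcvbuf > min) {
++ max = rcvbuf - 1;
++ rcvbuf = (rcvbuf + min) / 2;
++ goto again;
++ } else {
++ rcvbuf = min;
++ goto cleanup;
++ }
++ } else
++ min = rcvbuf;
++ if (min != max) {
++ rcvbuf = max;
++ goto again;
++ }
++ }
++ cleanup:
++ close (fd);
++}
++#endif
++
+#ifdef SO_BSDCOMPAT
+/*
+* This really should not be necessary to do. Having to workout
+@@ -2609,15 +2665,15 @@ opensocket(isc__socketmgr_t *manager, isc__socket_t *sock,
+#if defined(SO_RCVBUF)
+optlen = sizeof(size);
+if (getsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
+- (void *)&size, &optlen) >= 0 &&
+- size < RCVBUFSIZE) {
+- size = RCVBUFSIZE;
++ (void *)&size, &optlen) >= 0 && size < rcvbuf) {
++ RUNTIME_CHECK(isc_once_do(&rcvbuf_once,
++ set_rcvbuf) == ISC_R_SUCCESS);
+if (setsockopt(sock->fd, SOL_SOCKET, SO_RCVBUF,
+- (void *)&size, sizeof(size)) == -1) {
++ (void *)&rcvbuf, sizeof(rcvbuf)) == -1) {
+isc__strerror(errno, strbuf, sizeof(strbuf));
+UNEXPECTED_ERROR(__FILE__, __LINE__,
+"setsockopt(%d, SO_RCVBUF, %d) %s: %s",
+- sock->fd, size,
++ sock->fd, rcvbuf,
+isc_msgcat_get(isc_msgcat,
+ISC_MSGSET_GENERAL,
+ISC_MSG_FAILED,
+--
+2.9.5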
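Review bot: set_rcvbuf (the `+static void` / `+set_rcvbuf(void) {` lines) has no comment explaining its probe-and-bisect, and the search only converges on kernels that reject an oversized SO_RCVBUF with ENOBUFS; a kernel that silently clamps the request instead (Linux caps it at net.core.rmem_max without returning an error, as far as I know) accepts the very first setsockopt, so `rcvbuf` stays at RCVBUFSIZE and the tuning is a no-op there — worth confirming on the target platform. Suggested header comment: `/* Find the largest SO_RCVBUF <= RCVBUFSIZE the kernel will grant, bisecting between the current default and RCVBUFSIZE on ENOBUFS; the result is cached in rcvbuf for opensocket(). */`. Separately, opensocket() reads the file-scope `rcvbuf` in the `size < rcvbuf` comparison before isc_once_do() has run, so that read is not ordered against the write in set_rcvbuf; it is benign because the static initial value RCVBUFSIZE is an upper bound on the tuned value, but a one-line comment saying so would spare the next reader the analysis. The enclosing opensocket() starts and ends outside the second hunk.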

1849
SOURCES/bind99-rh1464850.patch


434
SOURCES/bind99-rh1470637-tests.patch

@ -0,0 +1,434 @@ @@ -0,0 +1,434 @@
From 148bbbd1c1463c9b9626d7d9668d8768179d596b Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 11 Dec 2015 14:52:12 +1100
Subject: [PATCH 1/2] add digdelv

(cherry picked from commit 51aed1827453f40ee56b165d45c5d58d96838d94)

Deleted failing tests
---
bin/tests/system/conf.sh.in | 2 +-
bin/tests/system/digdelv/clean.sh | 21 +++++
bin/tests/system/digdelv/ns1/named.conf | 37 +++++++++
bin/tests/system/digdelv/ns1/root.db | 29 +++++++
bin/tests/system/digdelv/ns2/example.db | 50 ++++++++++++
bin/tests/system/digdelv/ns2/named.conf | 40 ++++++++++
bin/tests/system/digdelv/ns3/named.conf | 36 +++++++++
bin/tests/system/digdelv/tests.sh | 137 ++++++++++++++++++++++++++++++++
8 files changed, 351 insertions(+), 1 deletion(-)
create mode 100644 bin/tests/system/digdelv/clean.sh
create mode 100644 bin/tests/system/digdelv/ns1/named.conf
create mode 100644 bin/tests/system/digdelv/ns1/root.db
create mode 100644 bin/tests/system/digdelv/ns2/example.db
create mode 100644 bin/tests/system/digdelv/ns2/named.conf
create mode 100644 bin/tests/system/digdelv/ns3/named.conf
create mode 100644 bin/tests/system/digdelv/tests.sh

diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 6df4734..49c5686 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -60,7 +60,7 @@ SAMPLE=$TOP/lib/export/samples/sample
# v6synth
SUBDIRS="acl additional allow_query addzone autosign builtin
cacheclean checkconf @CHECKDS@ checknames checkzone @COVERAGE@
- database dlv dlvauto dlz dlzexternal dname dns64 dnssec dyndb
+ database digdelv dlv dlvauto dlz dlzexternal dname dns64 dnssec dyndb
ecdsa formerr forward glue gost ixfr inline limits logfileconfig
lwresd masterfile masterformat metadata notify nsupdate pending
@PKCS11_TEST@ redirect resolver rndc rpz rrl rrsetorder rsabigexponent
diff --git a/bin/tests/system/digdelv/clean.sh b/bin/tests/system/digdelv/clean.sh
new file mode 100644
index 0000000..0f442fb
--- /dev/null
+++ b/bin/tests/system/digdelv/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+rm -f dig.out.test*
+rm -f delv.out.test*
+rm -f */named.memstats
+rm -f */named.run
+rm -f ns*/named.lock
diff --git a/bin/tests/system/digdelv/ns1/named.conf b/bin/tests/system/digdelv/ns1/named.conf
new file mode 100644
index 0000000..c5f0470
--- /dev/null
+++ b/bin/tests/system/digdelv/ns1/named.conf
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+// NS1
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { fd92:7065:b8e:ffff::1; };
+ recursion no;
+ notify yes;
+ dnssec-enable no;
+ dnssec-validation no;
+};
+
+zone "." {
+ type master;
+ file "root.db";
+};
+
diff --git a/bin/tests/system/digdelv/ns1/root.db b/bin/tests/system/digdelv/ns1/root.db
new file mode 100644
index 0000000..f4316a5
--- /dev/null
+++ b/bin/tests/system/digdelv/ns1/root.db
@@ -0,0 +1,29 @@
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+a.root-servers.nil. AAAA fd92:7065:b8e:ffff::1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+ns2.example. AAAA fd92:7065:b8e:ffff::2
diff --git a/bin/tests/system/digdelv/ns2/example.db b/bin/tests/system/digdelv/ns2/example.db
new file mode 100644
index 0000000..0a1aa5d
--- /dev/null
+++ b/bin/tests/system/digdelv/ns2/example.db
@@ -0,0 +1,50 @@
+; Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns2 AAAA fd92:7065:b8e:ffff::2
+ns3 A 10.53.0.3
+ns3 AAAA fd92:7065:b8e:ffff::3
+
+a A 10.0.0.1
+a AAAA fd92:7065:b8e:ffff::1
+b A 10.0.0.2
+b AAAA fd92:7065:b8e:ffff::2
+c A 10.0.0.3
+c AAAA fd92:7065:b8e:ffff::3
+
+foo TXT "testing"
+foo A 10.0.1.0
+foo SSHFP 2 1 123456789abcdef67890123456789abcdef67890
+
+;;
+;; we are not testing DNSSEC behavior, so we don't care about the semantics
+;; of the following records.
+dnskey 300 DNSKEY 256 3 1 (
+ AQPTpWyReB/e9Ii6mVGnakS8hX2zkh/iUYAg
+ +Ge4noWROpTWOIBvm76zeJPWs4Zfqa1IsswD
+ Ix5Mqeg0zwclz59uecKsKyx5w9IhtZ8plc4R
+ b9VIE5x7KNHAYTvTO5d4S8M=
+ )
+
diff --git a/bin/tests/system/digdelv/ns2/named.conf b/bin/tests/system/digdelv/ns2/named.conf
new file mode 100644
index 0000000..266e958
--- /dev/null
+++ b/bin/tests/system/digdelv/ns2/named.conf
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { fd92:7065:b8e:ffff::2; };
+ recursion no;
+ dnssec-enable no;
+ dnssec-validation no;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type master;
+ file "example.db";
+};
diff --git a/bin/tests/system/digdelv/ns3/named.conf b/bin/tests/system/digdelv/ns3/named.conf
new file mode 100644
index 0000000..e73c543
--- /dev/null
+++ b/bin/tests/system/digdelv/ns3/named.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+// NS4
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.3;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { fd92:7065:b8e:ffff::3; };
+ recursion yes;
+ acache-enable yes;
+ dnssec-enable no;
+ dnssec-validation no;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
new file mode 100644
index 0000000..988bd52
--- /dev/null
+++ b/bin/tests/system/digdelv/tests.sh
@@ -0,0 +1,137 @@
+# Copyright (C) 2015 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+# using dig insecure mode as not testing dnssec here
+DIGOPTS="-i -p 5300"
+
+if [ -x ${DIG} ] ; then
+ n=`expr $n + 1`
+ echo "I:checking dig short form works ($n)"
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 +short a a.example > dig.out.test$n || ret=1
+ if test `wc -l < dig.out.test$n` != 1 ; then ret=1 ; fi
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ n=`expr $n + 1`
+ echo "I:checking dig split width works ($n)"
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 +split=4 -t sshfp foo.example > dig.out.test$n || ret=1
+ grep " 9ABC DEF6 7890 " < dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ n=`expr $n + 1`
+ echo "I:checking dig with reverse lookup works ($n)"
+ ret=0
+ $DIG $DIGOPTS @10.53.0.3 -x 127.0.0.1 > dig.out.test$n 2>&1 || ret=1
+ # doesn't matter if has answer
+ grep -i "127\.in-addr\.arpa\." < dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ n=`expr $n + 1`
+ echo "I:checking dig over TCP works ($n)"
+ ret=0
+ $DIG $DIGOPTS +tcp @10.53.0.3 a a.example > dig.out.test$n || ret=1
+ grep "10\.0\.0\.1$" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ n=`expr $n + 1`
+ echo "I:checking dig +rrcomments works for DNSKEY($n)"
+ ret=0
+ $DIG $DIGOPTS +tcp @10.53.0.3 +rrcomments DNSKEY dnskey.example > dig.out.test$n || ret=1
+ grep "; ZSK; alg = RSAMD5 *; key id = 30795" < dig.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+else
+ echo "W:$DIG is needed, so skipping these dig tests"
+fi
+
+# using delv insecure mode as not testing dnssec here
+DELVOPTS="-i -p 5300"
+
+if [ -n "${DELV}" -a -x "${DELV}" ] ; then
+ n=`expr $n + 1`
+ echo "I:checking delv short form works ($n)"
+ ret=0
+ $DELV $DELVOPTS @10.53.0.3 +short a a.example > delv.out.test$n || ret=1
+ if test `wc -l < delv.out.test$n` != 1 ; then ret=1 ; fi
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ n=`expr $n + 1`
+ echo "I:checking delv split width works ($n)"
+ ret=0
+ $DELV $DELVOPTS @10.53.0.3 +split=4 -t sshfp foo.example > delv.out.test$n || ret=1
+ grep " 9ABC DEF6 7890 " < delv.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ n=`expr $n + 1`
+ echo "I:checking delv with IPv6 on IPv4 does not work ($n)"
+ if $TESTSOCK6 fd92:7065:b8e:ffff::3
+ then
+ ret=0
+ # following should fail because @IPv4 overrides earlier @IPv6 above
+ # and -6 forces IPv6 so this should fail, such as:
+ # ;; getaddrinfo failed: hostname nor servname provided, or not known
+ # ;; resolution failed: not found
+ # note that delv returns success even on lookup failure
+ $DELV $DELVOPTS @fd92:7065:b8e:ffff::3 @10.53.0.3 -6 -t txt foo.example > delv.out.test$n 2>&1 || ret=1
+ # it should have no results but error output
+ grep "testing" < delv.out.test$n > /dev/null && ret=1
+ grep "getaddrinfo failed:" < delv.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+ else
+ echo "I:IPv6 unavailable; skipping"
+ fi
+
+ n=`expr $n + 1`
+ echo "I:checking delv with reverse lookup works ($n)"
+ ret=0
+ $DELV $DELVOPTS @10.53.0.3 -x 127.0.0.1 > delv.out.test$n 2>&1 || ret=1
+ # doesn't matter if has answer
+ grep -i "127\.in-addr\.arpa\." < delv.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ n=`expr $n + 1`
+ echo "I:checking delv over TCP works ($n)"
+ ret=0
+ $DELV $DELVOPTS @10.53.0.3 a a.example > delv.out.test$n || ret=1
+ grep "10\.0\.0\.1$" < delv.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ n=`expr $n + 1`
+ echo "I:checking delv +rrcomments works for DNSKEY($n)"
+ ret=0
+ $DELV $DELVOPTS @10.53.0.3 +rrcomments DNSKEY dnskey.example > delv.out.test$n || ret=1
+ grep "; ZSK; alg = RSAMD5 *; key id = 30795" < delv.out.test$n > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
+ exit $status
+else
+ echo "W:${DELV:-delv} is not available, so skipping these delv tests"
+fi
--
2.9.5
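Review bot: The dig branch of tests.sh guards on `if [ -x ${DIG} ] ; then` with DIG unquoted, so an empty or unset DIG collapses the test to `[ -x ]`, which is true, and the script then runs `$DIG ...` as an empty command instead of skipping; the delv branch already uses the safer form `[ -n "${DELV}" -a -x "${DELV}" ]`, so the dig guard should match it: `if [ -n "${DIG}" -a -x "${DIG}" ] ; then`. Also, the banner in ns3/named.conf reads `// NS4` while the file configures 10.53.0.3; `// NS3` would match the other two configs. A one-line comment above the `dnskey` record in example.db noting that the RSAMD5 key is only there to exercise `+rrcomments` output (key id 30795) would make the expected `grep` string in tests.sh self-explanatory.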

195
SOURCES/bind99-rh1470637.patch

@ -0,0 +1,195 @@ @@ -0,0 +1,195 @@
From a200b2dd994cbb4ff29151ff46342268bc8fb3c2 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Mon, 11 Sep 2017 10:34:10 -0700
Subject: [PATCH 2/2] dig: retain domain when retrying with tcp

4712. [bug] "dig +domain" and "dig +search" didn't retain the
search domain when retrying with TCP. [RT #45547]

(cherry picked from commit 8e014c45ae75a3ca893cec6a0711beb69ecd18a4)
(cherry picked from commit 88e2cefcc2e8f48c0fba97661ff79c2506b52b23)
(cherry picked from commit 51b00c6c783ccf5dca86119ff8f4f8b994298ca4)

Modified to pass with libidn

Fix origin test
---
bin/dig/dighost.c | 13 ++++-------
bin/tests/system/ans.pl | 43 +++++++++++++++++++++++++----------
bin/tests/system/digdelv/ans4/startme | 0
bin/tests/system/digdelv/tests.sh | 23 ++++++++++++++++++-
4 files changed, 58 insertions(+), 21 deletions(-)
create mode 100644 bin/tests/system/digdelv/ans4/startme

diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 5c03d95..3a066c6 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -887,6 +887,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
looknew->section_answer = lookold->section_answer;
looknew->section_authority = lookold->section_authority;
looknew->section_additional = lookold->section_additional;
+ looknew->origin = lookold->origin;
looknew->retries = lookold->retries;
looknew->tsigctx = NULL;
looknew->need_search = lookold->need_search;
@@ -2134,6 +2135,7 @@ setup_lookup(dig_lookup_t *lookup) {
#ifdef WITH_IDN
if (lookup->origin != NULL) {
+ debug("trying origin %s", lookup->origin->origin);
mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP,
lookup->origin->origin, utf8_origin,
sizeof(utf8_origin));
@@ -2148,6 +2150,7 @@ setup_lookup(dig_lookup_t *lookup) {
idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
#elif defined (WITH_LIBIDN)
if (lookup->origin != NULL) {
+ debug("trying origin %s", lookup->origin->origin);
result = libidn_locale_to_utf8 (lookup->origin->origin, utf8_str);
check_result (result, "convert origin to UTF-8");
if (len > 0 && utf8_name[len - 1] != '.') {
@@ -3409,7 +3407,6 @@ recv_done(isc_task_t *task, isc_event_t *event) {
printf(";; Truncated, retrying in TCP mode.\n");
n = requeue_lookup(l, ISC_TRUE);
n->tcp_mode = ISC_TRUE;
- n->origin = query->lookup->origin;
dns_message_destroy(&msg);
isc_event_free(&event);
clear_query(query);
diff --git a/bin/tests/system/ans.pl b/bin/tests/system/ans.pl
index d6ff3c2..d8c9f9d 100644
--- a/bin/tests/system/ans.pl
+++ b/bin/tests/system/ans.pl
@@ -35,7 +35,12 @@
#
# There can be any number of patterns, each associated
# with any number of response RRs. Each pattern is a
-# Perl regular expression.
+# Perl regular expression. If an empty pattern ("//") is
+# received, the server will ignore all incoming queries (TCP
+# connections will still be accepted, but both UDP queries
+# and TCP queries will not be responded to). If a non-empty
+# pattern is then received over the same control connection,
+# default behavior is restored.
#
# Each incoming query is converted into a string of the form
# "qname qtype" (the printable query domain name, space,
@@ -105,6 +110,9 @@ $SIG{TERM} = \&rmpid;
#my @answers = ();
my @rules;
+my $udphandler;
+my $tcphandler;
+
sub handleUDP {
my ($buf) = @_;
my $request;
@@ -414,8 +422,15 @@ for (;;) {
while (my $line = $conn->getline) {
chomp $line;
if ($line =~ m!^/(.*)/$!) {
- $rule = { pattern => $1, answer => [] };
- push(@rules, $rule);
+ if (length($1) == 0) {
+ $udphandler = sub { return; };
+ $tcphandler = sub { return; };
+ } else {
+ $udphandler = \&handleUDP;
+ $tcphandler = \&handleTCP;
+ $rule = { pattern => $1, answer => [] };
+ push(@rules, $rule);
+ }
} else {
push(@{$rule->{answer}},
new Net::DNS::RR($line));
@@ -430,9 +445,11 @@ for (;;) {
printf "UDP request\n";
my $buf;
$udpsock->recv($buf, 512);
- my $result = handleUDP($buf);
- my $num_chars = $udpsock->send($result);
- print " Sent $num_chars bytes via UDP\n";
+ my $result = &$udphandler($buf);
+ if (defined($result)) {
+ my $num_chars = $udpsock->send($result);
+ print " Sent $num_chars bytes via UDP\n";
+ }
} elsif (vec($rout, fileno($tcpsock), 1)) {
my $conn = $tcpsock->accept;
my $buf;
@@ -444,12 +461,14 @@ for (;;) {
$n = $conn->sysread($buf, $len);
last unless $n == $len;
print "TCP request\n";
- my $result = handleTCP($buf);
- foreach my $response (@$result) {
- $len = length($response);
- $n = $conn->syswrite(pack("n", $len), 2);
- $n = $conn->syswrite($response, $len);
- print " Sent: $n chars via TCP\n";
+ my $result = &$tcphandler($buf);
+ if (defined($result)) {
+ foreach my $response (@$result) {
+ $len = length($response);
+ $n = $conn->syswrite(pack("n", $len), 2);
+ $n = $conn->syswrite($response, $len);
+ print " Sent: $n chars via TCP\n";
+ }
}
}
$conn->close;
diff --git a/bin/tests/system/digdelv/ans4/startme b/bin/tests/system/digdelv/ans4/startme
new file mode 100644
index 0000000..e69de29
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index 988bd52..a19256c 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -19,6 +19,7 @@ status=0
n=0
# using dig insecure mode as not testing dnssec here
DIGOPTS="-i -p 5300"
+SENDCMD="$PERL $SYSTEMTESTTOP/send.pl 10.53.0.4 5301"
if [ -x ${DIG} ] ; then
n=`expr $n + 1`
@@ -62,6 +63,24 @@ if [ -x ${DIG} ] ; then
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+ n=`expr $n + 1`
+ echo "I:checking dig preserves origin on TCP retries ($n)"
+ ret=0
+ # Ask ans4 to still accept TCP connections, but not respond to queries
+ echo "//" | $SENDCMD
+ $DIG $DIGOPTS -d +tcp @10.53.0.4 +retry=1 +time=1 +domain=bar foo > dig.out.test$n 2>&1 && ret=1
+ l=`grep "trying origin bar" dig.out.test$n | wc -l`
+ [ ${l:-0} -eq 2 ] || ret=1
+ if grep "libidn_locale_to_utf8" dig.out.test$n > /dev/null
+ then
+ # libidn patch uses always using root origin, but print also name
+ grep '^foo\.$' < dig.out.test$n > /dev/null && ret=1
+ else
+ grep "using root origin" < dig.out.test$n > /dev/null && ret=1
+ fi
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+
else
echo "W:$DIG is needed, so skipping these dig tests"
fi
@@ -131,7 +150,9 @@ if [ -n "${DELV}" -a -x "${DELV}" ] ; then
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
- exit $status
else
echo "W:${DELV:-delv} is not available, so skipping these delv tests"
fi
+
+echo "I:exit status: $status"
+[ $status -eq 0 ] || exit 1
--
2.9.5
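Review bot: In ans.pl, `$udphandler` and `$tcphandler` are declared without a value (`my $udphandler;` / `my $tcphandler;`) and are only assigned when a control line arrives, yet the request path now calls `&$udphandler($buf)` and `&$tcphandler($buf)` unconditionally; a query that reaches the server before its first pattern would dereference an undefined code ref and die, whereas the replaced code always called handleUDP/handleTCP. Unless they are initialised elsewhere in the file (not visible in these hunks), declare them with the old behaviour as default: `my $udphandler = \&handleUDP;` and `my $tcphandler = \&handleTCP;`. The header comment could also say what restores normal service: `# Sending "//" disables responses; the next non-empty pattern on the same control connection re-enables them.` In the dighost.c hunks the enclosing functions clone_lookup, setup_lookup and recv_done all start and end outside the hunks.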

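--- /dev/null
+++ b/SOURCES/bind99-rh1472862.patch
@@ -0,0 +1,32 @@
+From e3894cd3a92be79a64072835008ec589b17c601a Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Wed, 9 Apr 2014 17:17:53 -0700
+Subject: [PATCH] [v9_9] missing manpage install rule for dnssec-importkey
+
+(cherry picked from commit 540daf2887dfc813657c27408a2363ba719bf8d4)
+---
+bin/dnssec/Makefile.in | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
+index 5966d16..58352d8 100644
+--- a/bin/dnssec/Makefile.in
++++ b/bin/dnssec/Makefile.in
+@@ -55,12 +55,12 @@ SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
+MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
+dnssec-revoke.8 dnssec-settime.8 dnssec-signzone.8 \
+- dnssec-verify.8
++ dnssec-verify.8 dnssec-importkey.8
+HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \
+dnssec-keygen.html dnssec-revoke.html \
+dnssec-settime.html dnssec-signzone.html \
+- dnssec-verify.html
++ dnssec-verify.html dnssec-importkey.html
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+--
+2.9.4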

574
SOURCES/bind99-rh1476013.patch

@ -0,0 +1,574 @@ @@ -0,0 +1,574 @@
From 4827d4b06c2aaec913536143e4a26a0904d1fc58 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 7 Jul 2017 23:19:05 +1000
Subject: [PATCH] 4647. [bug] Change 4643 broke verification of TSIG signed TCP
message sequences where not all the messages contain TSIG records. These may
be used in AXFR and IXFR responses. [RT #45509]

(cherry picked from commit 58f0fb325bbd9258d06431281eb8fdea2b126305)
---
lib/dns/tests/Makefile.in | 9 +-
lib/dns/tests/tsig_test.c | 489 ++++++++++++++++++++++++++++++++++++++++++++++
lib/dns/tsig.c | 10 +-
3 files changed, 504 insertions(+), 4 deletions(-)
create mode 100644 lib/dns/tests/tsig_test.c

diff --git a/lib/dns/tests/Makefile.in b/lib/dns/tests/Makefile.in
index 8d1b83e..023e60c 100644
--- a/lib/dns/tests/Makefile.in
+++ b/lib/dns/tests/Makefile.in
@@ -39,13 +39,13 @@ LIBS = @LIBS@ @ATFLIBS@
OBJS = dnstest.@O@
SRCS = dnstest.c gost_test.c master_test.c dbiterator_test.c time_test.c \
- private_test.c update_test.c zonemgr_test.c zt_test.c \
+ private_test.c tsig_test.c update_test.c zonemgr_test.c zt_test.c \
dbdiff_test.c geoip_test.c dispatch_test.c nsec3_test.c \
rdataset_test.c rdata_test.c
SUBDIRS =
TARGETS = gost_test@EXEEXT@ master_test@EXEEXT@ dbiterator_test@EXEEXT@ time_test@EXEEXT@ \
- private_test@EXEEXT@ update_test@EXEEXT@ zonemgr_test@EXEEXT@ \
+ private_test@EXEEXT@ tsig_test@EXEEXT@ update_test@EXEEXT@ zonemgr_test@EXEEXT@ \
zt_test@EXEEXT@ dbversion_test@EXEEXT@ dbdiff_test@EXEEXT@ geoip_test@EXEEXT@ \
dispatch_test@EXEEXT@ nsec3_test@EXEEXT@ \
rdataset_test@EXEEXT@ rdata_test@EXEEXT@
@@ -134,6 +134,11 @@ geoip_test@EXEEXT@: geoip_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
geoip_test.@O@ dnstest.@O@ ${DNSLIBS} \
${ISCLIBS} ${LIBS}
+tsig_test@EXEEXT@: tsig_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ tsig_test.@O@ dnstest.@O@ ${DNSLIBS} \
+ ${ISCLIBS} ${LIBS}
+
unit::
sh ${top_srcdir}/unit/unittest.sh
diff --git a/lib/dns/tests/tsig_test.c b/lib/dns/tests/tsig_test.c
new file mode 100644
index 0000000..956e4a0
--- /dev/null
+++ b/lib/dns/tests/tsig_test.c
@@ -0,0 +1,489 @@
+/*
+ * Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+/* ! \file */
+
+#include <config.h>
+#include <atf-c.h>
+#include <isc/mem.h>
+
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/tsig.h>
+
+#include "dnstest.h"
+
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h> /* uintptr_t */
+#endif
+
+static int debug = 0;
+
+static isc_result_t
+add_mac(dst_context_t *tsigctx, isc_buffer_t *buf) {
+ dns_rdata_any_tsig_t tsig;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_buffer_t databuf;
+ isc_region_t r;
+ isc_result_t result;
+ unsigned char tsigbuf[1024];
+
+ isc_buffer_usedregion(buf, &r);
+ dns_rdata_fromregion(&rdata, dns_rdataclass_any,
+ dns_rdatatype_tsig, &r);
+ isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf));
+ CHECK(dns_rdata_tostruct(&rdata, &tsig, NULL));
+ isc_buffer_putuint16(&databuf, tsig.siglen);
+ isc_buffer_putmem(&databuf, tsig.signature, tsig.siglen);
+ isc_buffer_usedregion(&databuf, &r);
+ result = dst_context_adddata(tsigctx, &r);
+ dns_rdata_freestruct(&tsig);
+ cleanup:
+ return (result);
+}
+
+static isc_result_t
+add_tsig(dst_context_t *tsigctx, dns_tsigkey_t *key, isc_buffer_t *target) {
+ dns_compress_t cctx;
+ dns_rdata_any_tsig_t tsig;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdatalist_t rdatalist;
+ dns_rdataset_t rdataset;
+ isc_buffer_t *dynbuf = NULL;
+ isc_buffer_t databuf;
+ isc_buffer_t sigbuf;
+ isc_region_t r;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_stdtime_t now;
+ unsigned char tsigbuf[1024];
+ unsigned int count;
+ unsigned int sigsize;
+ isc_boolean_t invalidate_ctx = ISC_FALSE;
+
+ CHECK(dns_compress_init(&cctx, -1, mctx));
+ invalidate_ctx = ISC_TRUE;
+
+ memset(&tsig, 0, sizeof(tsig));
+ tsig.common.rdclass = dns_rdataclass_any;
+ tsig.common.rdtype = dns_rdatatype_tsig;
+ ISC_LINK_INIT(&tsig.common, link);
+ dns_name_init(&tsig.algorithm, NULL);
+ dns_name_clone(key->algorithm, &tsig.algorithm);
+
+ isc_stdtime_get(&now);
+ tsig.timesigned = now;
+ tsig.fudge = DNS_TSIG_FUDGE;
+ tsig.originalid = 50;
+ tsig.error = dns_rcode_noerror;
+ tsig.otherlen = 0;
+ tsig.other = NULL;
+
+ isc_buffer_init(&databuf, tsigbuf, sizeof(tsigbuf));
+ isc_buffer_putuint48(&databuf, tsig.timesigned);
+ isc_buffer_putuint16(&databuf, tsig.fudge);
+ isc_buffer_usedregion(&databuf, &r);
+ CHECK(dst_context_adddata(tsigctx, &r));
+
+ CHECK(dst_key_sigsize(key->key, &sigsize));
+ tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize);
+ if (tsig.signature == NULL)
+ CHECK(ISC_R_NOMEMORY);
+ isc_buffer_init(&sigbuf, tsig.signature, sigsize);
+ CHECK(dst_context_sign(tsigctx, &sigbuf));
+ tsig.siglen = isc_buffer_usedlength(&sigbuf);
+
+ CHECK(isc_buffer_allocate(mctx, &dynbuf, 512));
+ CHECK(dns_rdata_fromstruct(&rdata, dns_rdataclass_any,
+ dns_rdatatype_tsig, &tsig, dynbuf));
+ dns_rdatalist_init(&rdatalist);
+ rdatalist.rdclass = dns_rdataclass_any;
+ rdatalist.type = dns_rdatatype_tsig;
+ ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+ dns_rdataset_init(&rdataset);
+ CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+ CHECK(dns_rdataset_towire(&rdataset, &key->name, &cctx,
+ target, 0, &count));
+
+ /*
+ * Fixup additional record count.
+ */
+ ((unsigned char*)target->base)[11]++;
+ if (((unsigned char*)target->base)[11] == 0)
+ ((unsigned char*)target->base)[10]++;
+ cleanup:
+ if (tsig.signature != NULL)
+ isc_mem_put(mctx, tsig.signature, sigsize);
+ if (dynbuf != NULL)
+ isc_buffer_free(&dynbuf);
+ if (invalidate_ctx)
+ dns_compress_invalidate(&cctx);
+
+ return (result);
+}
+
+static void
+printmessage(dns_message_t *msg) {
+ isc_buffer_t b;
+ char *buf = NULL;
+ int len = 1024;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ if (!debug)
+ return;
+
+ do {
+ buf = isc_mem_get(mctx, len);
+ if (buf == NULL) {
+ result = ISC_R_NOMEMORY;
+ break;
+ }
+
+ isc_buffer_init(&b, buf, len);
+ result = dns_message_totext(msg, &dns_master_style_debug,
+ 0, &b);
+ if (result == ISC_R_NOSPACE) {
+ isc_mem_put(mctx, buf, len);
+ len *= 2;
+ } else if (result == ISC_R_SUCCESS)
+ printf("%.*s\n", (int) isc_buffer_usedlength(&b), buf);
+ } while (result == ISC_R_NOSPACE);
+
+ if (buf != NULL)
+ isc_mem_put(mctx, buf, len);
+}
+
+static void
+render(isc_buffer_t *buf, unsigned flags, dns_tsigkey_t *key,
+ isc_buffer_t **tsigin, isc_buffer_t **tsigout,
+ dst_context_t *tsigctx)
+{
+ dns_message_t *msg = NULL;
+ dns_compress_t cctx;
+ isc_result_t result;
+
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &msg);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_create: %s",
+ dns_result_totext(result));
+
+ msg->id = 50;
+ msg->rcode = dns_rcode_noerror;
+ msg->flags = flags;
+
+ if (tsigin == tsigout)
+ msg->tcp_continuation = 1;
+
+ if (tsigctx == NULL) {
+ result = dns_message_settsigkey(msg, key);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_settsigkey: %s",
+ dns_result_totext(result));
+
+ result = dns_message_setquerytsig(msg, *tsigin);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_setquerytsig: %s",
+ dns_result_totext(result));
+ }
+
+ result = dns_compress_init(&cctx, -1, mctx);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_compress_init: %s",
+ dns_result_totext(result));
+
+ result = dns_message_renderbegin(msg, &cctx, buf);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_renderbegin: %s",
+ dns_result_totext(result));
+
+ result = dns_message_renderend(msg);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_renderend: %s",
+ dns_result_totext(result));
+
+ if (tsigctx != NULL) {
+ isc_region_t r;
+
+ isc_buffer_usedregion(buf, &r);
+ result = dst_context_adddata(tsigctx, &r);
+ } else {
+ if (tsigin == tsigout && *tsigin != NULL)
+ isc_buffer_free(tsigin);
+
+ result = dns_message_getquerytsig(msg, mctx, tsigout);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_getquerytsig: %s",
+ dns_result_totext(result));
+ }
+
+ dns_compress_invalidate(&cctx);
+ dns_message_destroy(&msg);
+}
+
+/*
+ * Check that a simulated three message TCP sequence where the first
+ * and last messages contain TSIGs but the intermediate message doesn't
+ * correctly verifies.
+ */
+ATF_TC(tsig_tcp);
+ATF_TC_HEAD(tsig_tcp, tc) {
+ atf_tc_set_md_var(tc, "descr", "test tsig tcp-continuation validation");
+}
+ATF_TC_BODY(tsig_tcp, tc) {
+ dns_name_t *tsigowner = NULL;
+ dns_fixedname_t fkeyname;
+ dns_message_t *msg = NULL;
+ dns_name_t *keyname;
+ dns_tsig_keyring_t *ring = NULL;
+ dns_tsigkey_t *key = NULL;
+ isc_buffer_t *buf = NULL;
+ isc_buffer_t *querytsig = NULL;
+ isc_buffer_t *tsigin = NULL;
+ isc_buffer_t *tsigout = NULL;
+ isc_result_t result;
+ unsigned char secret[16] = { 0 };
+ dst_context_t *tsigctx = NULL;
+ dst_context_t *outctx = NULL;
+
+ UNUSED(tc);
+
+ result = dns_test_begin(stderr, ISC_FALSE);
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+ /* isc_log_setdebuglevel(lctx, 99); */
+
+ dns_fixedname_init(&fkeyname);
+ keyname = dns_fixedname_name(&fkeyname);
+ result = dns_name_fromstring(keyname, "test", 0, NULL);
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+ result = dns_tsigkeyring_create(mctx, &ring);
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+ result = dns_tsigkey_create(keyname, dns_tsig_hmacsha256_name,
+ secret, sizeof(secret), ISC_FALSE,
+ NULL, 0, 0, mctx, ring, &key);
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+ /*
+ * Create request.
+ */
+ result = isc_buffer_allocate(mctx, &buf, 65535);
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+ render(buf, 0, key, &tsigout, &querytsig, NULL);
+ isc_buffer_free(&buf);
+
+ /*
+ * Create response message 1.
+ */
+ result = isc_buffer_allocate(mctx, &buf, 65535);
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+ render(buf, DNS_MESSAGEFLAG_QR, key, &querytsig, &tsigout, NULL);
+
+ /*
+ * Process response message 1.
+ */
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_create: %s",
+ dns_result_totext(result));
+
+ result = dns_message_settsigkey(msg, key);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_settsigkey: %s",
+ dns_result_totext(result));
+
+ result = dns_message_parse(msg, buf, 0);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_parse: %s",
+ dns_result_totext(result));
+
+ printmessage(msg);
+
+ result = dns_message_setquerytsig(msg, querytsig);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_setquerytsig: %s",
+ dns_result_totext(result));
+
+ result = dns_tsig_verify(buf, msg, NULL, NULL);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_tsig_verify: %s",
+ dns_result_totext(result));
+ ATF_CHECK_EQ(msg->verified_sig, 1);
+ ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
+
+ /*
+ * Check that we have a TSIG in the first message.
+ */
+ ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL);
+
+ result = dns_message_getquerytsig(msg, mctx, &tsigin);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_getquerytsig: %s",
+ dns_result_totext(result));
+
+ tsigctx = msg->tsigctx;
+ msg->tsigctx = NULL;
+ isc_buffer_free(&buf);
+ dns_message_destroy(&msg);
+
+ result = dst_context_create2(key->key, mctx, DNS_LOGCATEGORY_DNSSEC,
+ &outctx);
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+ /*
+ * Start digesting.
+ */
+ result = add_mac(outctx, tsigout);
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+ /*
+ * Create response message 2.
+ */
+ result = isc_buffer_allocate(mctx, &buf, 65535);
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+ render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
+
+ /*
+ * Process response message 2.
+ */
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_create: %s",
+ dns_result_totext(result));
+
+ msg->tcp_continuation = 1;
+ msg->tsigctx = tsigctx;
+ tsigctx = NULL;
+
+ result = dns_message_settsigkey(msg, key);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_settsigkey: %s",
+ dns_result_totext(result));
+
+ result = dns_message_parse(msg, buf, 0);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_parse: %s",
+ dns_result_totext(result));
+
+ printmessage(msg);
+
+ result = dns_message_setquerytsig(msg, tsigin);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_setquerytsig: %s",
+ dns_result_totext(result));
+
+ result = dns_tsig_verify(buf, msg, NULL, NULL);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_tsig_verify: %s",
+ dns_result_totext(result));
+ ATF_CHECK_EQ(msg->verified_sig, 1);
+ ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
+
+ /*
+ * Check that we don't have a TSIG in the second message.
+ */
+ tsigowner = NULL;
+ ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) == NULL);
+
+ tsigctx = msg->tsigctx;
+ msg->tsigctx = NULL;
+ isc_buffer_free(&buf);
+ dns_message_destroy(&msg);
+
+ /*
+ * Create response message 3.
+ */
+ result = isc_buffer_allocate(mctx, &buf, 65535);
+ ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+ render(buf, DNS_MESSAGEFLAG_QR, key, &tsigout, &tsigout, outctx);
+
+ result = add_tsig(outctx, key, buf);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "add_tsig: %s",
+ dns_result_totext(result));
+
+ /*
+ * Process response message 3.
+ */
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_create: %s",
+ dns_result_totext(result));
+
+ msg->tcp_continuation = 1;
+ msg->tsigctx = tsigctx;
+ tsigctx = NULL;
+
+ result = dns_message_settsigkey(msg, key);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_settsigkey: %s",
+ dns_result_totext(result));
+
+ result = dns_message_parse(msg, buf, 0);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_parse: %s",
+ dns_result_totext(result));
+
+ printmessage(msg);
+
+ /*
+ * Check that we had a TSIG in the third message.
+ */
+ ATF_REQUIRE(dns_message_gettsig(msg, &tsigowner) != NULL);
+
+ result = dns_message_setquerytsig(msg, tsigin);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_setquerytsig: %s",
+ dns_result_totext(result));
+
+ result = dns_tsig_verify(buf, msg, NULL, NULL);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_tsig_verify: %s",
+ dns_result_totext(result));
+ ATF_CHECK_EQ(msg->verified_sig, 1);
+ ATF_CHECK_EQ(msg->tsigstatus, dns_rcode_noerror);
+
+ if (tsigin != NULL)
+ isc_buffer_free(&tsigin);
+
+ result = dns_message_getquerytsig(msg, mctx, &tsigin);
+ ATF_CHECK_EQ_MSG(result, ISC_R_SUCCESS,
+ "dns_message_getquerytsig: %s",
+ dns_result_totext(result));
+
+ isc_buffer_free(&buf);
+ dns_message_destroy(&msg);
+
+ if (outctx != NULL)
+ dst_context_destroy(&outctx);
+ if (querytsig != NULL)
+ isc_buffer_free(&querytsig);
+ if (tsigin != NULL)
+ isc_buffer_free(&tsigin);
+ if (tsigout != NULL)
+ isc_buffer_free(&tsigout);
+ if (buf != NULL)
+ isc_buffer_free(&buf);
+ if (msg != NULL)
+ dns_message_destroy(&msg);
+ if (key != NULL)
+ dns_tsigkey_detach(&key);
+ if (ring != NULL)
+ dns_tsigkeyring_detach(&ring);
+ dns_test_end();
+}
+
+/*
+ * Main
+ */
+ATF_TP_ADD_TCS(tp) {
+ ATF_TP_ADD_TC(tp, tsig_tcp);
+ return (atf_no_error());
+}
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 7b91d1e..325c901 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -1535,7 +1535,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
msg->verified_sig = 1;
ret = ISC_R_SUCCESS;
-cleanup_context:
+ cleanup_context:
if (ctx != NULL)
dst_context_destroy(&ctx);
@@ -1859,8 +1859,14 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
ret = ISC_R_SUCCESS;
cleanup_context:
- if (msg->tsigctx != NULL)
+ /*
+ * Except in error conditions, don't destroy the DST context
+ * for unsigned messages; it is a running sum till the next
+ * TSIG signed message.
+ */
+ if ((ret != ISC_R_SUCCESS || has_tsig) && msg->tsigctx != NULL) {
dst_context_destroy(&msg->tsigctx);
+ }
cleanup_querystruct:
dns_rdata_freestruct(&querytsig);
--
2.9.4

1961
SOURCES/bind99-rh1501531.patch


44
SOURCES/bind99-rh640538.patch

@ -0,0 +1,44 @@ @@ -0,0 +1,44 @@
diff -up bind-9.9.2/bin/dig/dig.docbook.rh640538 bind-9.9.2/bin/dig/dig.docbook
--- bind-9.9.2/bin/dig/dig.docbook.rh640538 2012-09-27 02:35:19.000000000 +0200
+++ bind-9.9.2/bin/dig/dig.docbook 2012-11-12 14:47:17.385334972 +0100
@@ -961,6 +961,40 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
</refsect1>
<refsect1>
+ <title>RETURN CODES</title>
+ <para>
+ <command>Dig</command> return codes are:
+ <variablelist>
+ <varlistentry>
+ <listitem>
+ <para>0: Everything went well, including things like NXDOMAIN</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <listitem>
+ <para>1: Usage error</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <listitem>
+ <para>8: Couldn't open batch file</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <listitem>
+ <para>9: No reply from server</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <listitem>
+ <para>10: Internal error</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+ </refsect1>
+
+ <refsect1>
<title>FILES</title>
<para><filename>/etc/resolv.conf</filename>
</para>

12
SOURCES/bind99-rrl.patch

@ -0,0 +1,12 @@ @@ -0,0 +1,12 @@
diff -up bind-9.9.3rc1/lib/dns/include/dns/Makefile.in.rrl bind-9.9.3rc1/lib/dns/include/dns/Makefile.in
--- bind-9.9.3rc1/lib/dns/include/dns/Makefile.in.rrl 2013-04-16 16:37:00.682186997 +0200
+++ bind-9.9.3rc1/lib/dns/include/dns/Makefile.in 2013-04-16 16:37:08.387169682 +0200
@@ -32,7 +32,7 @@ HEADERS = acl.h adb.h byaddr.h cache.h c
rootns.h rpz.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \
tcpmsg.h time.h tkey.h tsig.h ttl.h types.h \
validator.h version.h view.h xfrin.h zone.h zonekey.h zt.h \
- forward.h
+ forward.h rrl.h
GENHEADERS = enumclass.h enumtype.h rdatastruct.h

159
SOURCES/bind99-rt43779.patch

@ -0,0 +1,159 @@ @@ -0,0 +1,159 @@
commit 524f5c0d8fa5bd55c98243be889528f48437a2f7
Author: Mark Andrews <marka@isc.org>
Date: Fri Dec 9 12:50:18 2016 +1100

4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
in responses resulting in SERVFAIL being returned.
[RT #43779]
(cherry picked from commit 60cb462c56536f307fac4db8bdebf1247e2b5f66)

diff --git a/bin/tests/system/dname/ns2/example.db b/bin/tests/system/dname/ns2/example.db
index ece3506..4289134 100644
--- a/bin/tests/system/dname/ns2/example.db
+++ b/bin/tests/system/dname/ns2/example.db
@@ -29,4 +29,6 @@ a.short A 10.0.0.1
short-dname DNAME short
a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2
long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong
-;
+cname CNAME a.cnamedname
+cnamedname DNAME target
+a.target A 10.0.0.3
diff --git a/bin/tests/system/dname/tests.sh b/bin/tests/system/dname/tests.sh
index d22f54b..04bfcb2 100644
--- a/bin/tests/system/dname/tests.sh
+++ b/bin/tests/system/dname/tests.sh
@@ -63,6 +63,24 @@ grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:checking cname to dname from authoritative"
+ret=0
+$DIG cname.example @10.53.0.2 a -p 5300 > dig.out.ns2.cname
+grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking cname to dname from recursive"
+ret=0
+$DIG cname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cname
+grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1
+grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1
+grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
exit $status
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 4bef072..de80928 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6463,7 +6463,7 @@ static isc_result_t
answer_response(fetchctx_t *fctx) {
isc_result_t result;
dns_message_t *message;
- dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
+ dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
dns_name_t *cname = NULL;
dns_rdataset_t *rdataset, *ns_rdataset;
isc_boolean_t done, external, chaining, aa, found, want_chaining;
@@ -6471,7 +6471,7 @@ answer_response(fetchctx_t *fctx) {
isc_boolean_t wanted_chaining;
unsigned int aflag;
dns_rdatatype_t type;
- dns_fixedname_t fdname, fqname, fqdname;
+ dns_fixedname_t fdname, fqname;
dns_view_t *view;
FCTXTRACE("answer_response");
@@ -6495,13 +6495,12 @@ answer_response(fetchctx_t *fctx) {
aa = ISC_TRUE;
else
aa = ISC_FALSE;
- dqname = qname = &fctx->name;
+ qname = &fctx->name;
type = fctx->type;
view = fctx->res->view;
- dns_fixedname_init(&fqdname);
result = dns_message_firstname(message, DNS_SECTION_ANSWER);
while (!done && result == ISC_R_SUCCESS) {
- dns_namereln_t namereln, dnamereln;
+ dns_namereln_t namereln;
int order;
unsigned int nlabels;
@@ -6509,8 +6508,6 @@ answer_response(fetchctx_t *fctx) {
dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
- dnamereln = dns_name_fullcompare(dqname, name, &order,
- &nlabels);
if (namereln == dns_namereln_equal) {
wanted_chaining = ISC_FALSE;
for (rdataset = ISC_LIST_HEAD(name->list);
@@ -6763,11 +6760,24 @@ answer_response(fetchctx_t *fctx) {
return (DNS_R_FORMERR);
}
- if (dnamereln != dns_namereln_subdomain) {
+ /*
+ * If DNAME + synthetic CNAME then the
+ * namereln is dns_namereln_subdomain.
+ *
+ * If synthetic CNAME + DNAME then the
+ * namereln is dns_namereln_commonancestor
+ * and the number of label must match the
+ * DNAME. This order is not RFC compliant.
+ */
+
+ if (namereln != dns_namereln_subdomain &&
+ (namereln != dns_namereln_commonancestor ||
+ nlabels != dns_name_countlabels(name)))
+ {
char qbuf[DNS_NAME_FORMATSIZE];
char obuf[DNS_NAME_FORMATSIZE];
- dns_name_format(dqname, qbuf,
+ dns_name_format(qname, qbuf,
sizeof(qbuf));
dns_name_format(name, obuf,
sizeof(obuf));
@@ -6782,7 +6792,7 @@ answer_response(fetchctx_t *fctx) {
want_chaining = ISC_TRUE;
POST(want_chaining);
aflag = DNS_RDATASETATTR_ANSWER;
- result = dname_target(rdataset, dqname,
+ result = dname_target(rdataset, qname,
nlabels, &fdname);
if (result == ISC_R_NOSPACE) {
/*
@@ -6799,13 +6809,11 @@ answer_response(fetchctx_t *fctx) {
dname = dns_fixedname_name(&fdname);
if (!is_answertarget_allowed(view,
- dqname, rdataset->type,
+ qname, rdataset->type,
dname, &fctx->domain))
{
return (DNS_R_SERVFAIL);
}
- dqname = dns_fixedname_name(&fqdname);
- dns_name_copy(dname, dqname, NULL);
} else {
/*
* We've found a signature that
@@ -6951,7 +6959,8 @@ answer_response(fetchctx_t *fctx) {
rdataset->trust =
dns_trust_additional;
- if (rdataset->type == dns_rdatatype_ns) {
+ if (rdataset->type == dns_rdatatype_ns)
+ {
ns_name = name;
ns_rdataset = rdataset;
}
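Review bot: The relaxed acceptance test `namereln != dns_namereln_subdomain && (namereln != dns_namereln_commonancestor || nlabels != dns_name_countlabels(name))` lets a DNAME through when its owner is a common ancestor of the QNAME with a matching label count, but nothing in the hunk verifies that this DNAME actually synthesises the CNAME that preceded it in the answer section — `dname_target()` is still evaluated against `qname`, not against the owner of the earlier CNAME. As written, a response whose DNAME merely shares a label count with the queried name appears to reach the same chaining and caching path as a legitimate DNAME-then-CNAME answer, and the in-tree comment itself notes this ordering is not RFC compliant. The later bind99-rt44318.patch on this page adds `lastcname` tracking and a `fromdname()` comparison for exactly this case, which is the check missing here; at minimum the comment block should say the DNAME is accepted unverified so the cache implications are explicit. answer_response() begins and ends outside the hunk.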

482
SOURCES/bind99-rt44318.patch

@ -0,0 +1,482 @@ @@ -0,0 +1,482 @@
From e92ac3b83209ddc46ca9a3facd7edf1f14052edf Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 8 Feb 2017 13:49:47 +0100
Subject: [PATCH] 4558. [bug] Synthesised CNAME before matching DNAME
was still being cached when it should not have been. [RT
#44318]

Fixes and tests last case fixed by CVE-2016-9147
---
bin/tests/system/dname/ans3/ans.pl | 95 +++++++++++++++++++++++
bin/tests/system/dname/ns1/root.db | 5 +-
bin/tests/system/dname/tests.sh | 25 ++++++-
lib/dns/resolver.c | 150 +++++++++++++++++++++++++------------
4 files changed, 225 insertions(+), 50 deletions(-)
create mode 100644 bin/tests/system/dname/ans3/ans.pl

diff --git a/bin/tests/system/dname/ans3/ans.pl b/bin/tests/system/dname/ans3/ans.pl
new file mode 100644
index 0000000..271fc7d
--- /dev/null
+++ b/bin/tests/system/dname/ans3/ans.pl
@@ -0,0 +1,95 @@
+#!/usr/bin/env perl
+#
+# Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+use strict;
+use warnings;
+
+use IO::File;
+use Getopt::Long;
+use Net::DNS::Nameserver;
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+my $localaddr = "10.53.0.3";
+my $localport = 5300;
+my $verbose = 0;
+my $ttl = 60;
+my $zone = "example.broken";
+my $nsname = "ns3.$zone";
+my $synth = "synth-then-dname.$zone";
+my $synth2 = "synth2-then-dname.$zone";
+
+sub reply_handler {
+ my ($qname, $qclass, $qtype, $peerhost, $query, $conn) = @_;
+ my ($rcode, @ans, @auth, @add);
+
+ print ("request: $qname/$qtype\n");
+ STDOUT->flush();
+
+ if ($qname eq "example.broken") {
+ if ($qtype eq "SOA") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass SOA . . 0 0 0 0 0");
+ push @ans, $rr;
+ } elsif ($qtype eq "NS") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass NS $nsname");
+ push @ans, $rr;
+ $rr = new Net::DNS::RR("$nsname $ttl $qclass A $localaddr");
+ push @add, $rr;
+ }
+ $rcode = "NOERROR";
+ } elsif ($qname eq "cname-to-$synth2") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.$synth2");
+ push @ans, $rr;
+ $rr = new Net::DNS::RR("name.$synth2 $ttl $qclass CNAME name");
+ push @ans, $rr;
+ $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
+ push @ans, $rr;
+ $rcode = "NOERROR";
+ } elsif ($qname eq "$synth" || $qname eq "$synth2") {
+ if ($qtype eq "DNAME") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME .");
+ push @ans, $rr;
+ }
+ $rcode = "NOERROR";
+ } elsif ($qname eq "name.$synth") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.");
+ push @ans, $rr;
+ $rr = new Net::DNS::RR("$synth $ttl $qclass DNAME .");
+ push @ans, $rr;
+ $rcode = "NOERROR";
+ } elsif ($qname eq "name.$synth2") {
+ my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.");
+ push @ans, $rr;
+ $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
+ push @ans, $rr;
+ $rcode = "NOERROR";
+ } else {
+ $rcode = "REFUSED";
+ }
+ return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+}
+
+GetOptions(
+ 'port=i' => \$localport,
+ 'verbose!' => \$verbose,
+);
+
+my $ns = Net::DNS::Nameserver->new(
+ LocalAddr => $localaddr,
+ LocalPort => $localport,
+ ReplyHandler => \&reply_handler,
+ Verbose => $verbose,
+);
+
+$ns->main_loop;
diff --git a/bin/tests/system/dname/ns1/root.db b/bin/tests/system/dname/ns1/root.db
index 7049e77..2e84ae0 100644
--- a/bin/tests/system/dname/ns1/root.db
+++ b/bin/tests/system/dname/ns1/root.db
@@ -12,8 +12,6 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db,v 1.2 2011/03/18 21:14:19 fdupont Exp $
-
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
@@ -27,3 +25,6 @@ a.root-servers.nil. A 10.53.0.1
example. NS ns2.example.
ns2.example. A 10.53.0.2
+
+example.broken. NS ns3.example.broken.
+ns3.example.broken. A 10.53.0.3
diff --git a/bin/tests/system/dname/tests.sh b/bin/tests/system/dname/tests.sh
index 04bfcb2..6dc9e88 100644
--- a/bin/tests/system/dname/tests.sh
+++ b/bin/tests/system/dname/tests.sh
@@ -20,6 +20,7 @@ SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=0
+n=0
echo "I:checking short dname from authoritative"
ret=0
@@ -81,6 +82,26 @@ grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
-echo "I:exit status: $status"
+n=`expr $n + 1`
+echo "I:checking dname is returned with synthesized cname before dname ($n)"
+ret=0
+$DIG @10.53.0.4 -p 5300 name.synth-then-dname.example.broken A > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep '^name.synth-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
+grep '^synth-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
-exit $status
+n=`expr $n + 1`
+echo "I:checking dname is returned with cname to synthesized cname before dname ($n)"
+ret=0
+$DIG @10.53.0.4 -p 5300 cname-to-synth2-then-dname.example.broken A > dig.out.test$n
+grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
+grep '^cname-to-synth2-then-dname\.example\.broken\..*CNAME.*name\.synth2-then-dname\.example\.broken.$' dig.out.test$n > /dev/null || ret=1
+grep '^name\.synth2-then-dname\.example\.broken\..*CNAME.*name.$' dig.out.test$n > /dev/null || ret=1
+grep '^synth2-then-dname\.example\.broken\..*DNAME.*\.$' dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index bfd4dcb..c3607fa 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -5406,9 +5406,13 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
return (ISC_R_SUCCESS);
}
+/*%
+ * Construct the synthesised CNAME from the existing QNAME and
+ * the DNAME RR and store it in 'target'.
+ */
static inline isc_result_t
dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
- unsigned int nlabels, dns_fixedname_t *fixeddname)
+ unsigned int nlabels, dns_name_t *target)
{
isc_result_t result;
dns_rdata_t rdata = DNS_RDATA_INIT;
@@ -5428,14 +5432,33 @@ dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
dns_fixedname_init(&prefix);
dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
- dns_fixedname_init(fixeddname);
result = dns_name_concatenate(dns_fixedname_name(&prefix),
- &dname.dname,
- dns_fixedname_name(fixeddname), NULL);
+ &dname.dname, target, NULL);
dns_rdata_freestruct(&dname);
return (result);
}
+/*%
+ * Check if it was possible to construct 'qname' from 'lastcname'
+ * and 'rdataset'.
+ */
+static inline isc_result_t
+fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname,
+ unsigned int nlabels, const dns_name_t *qname)
+{
+ dns_fixedname_t fixed;
+ isc_result_t result;
+ dns_name_t *target;
+
+ dns_fixedname_init(&fixed);
+ target = dns_fixedname_name(&fixed);
+ result = dname_target(rdataset, lastcname, nlabels, target);
+ if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target))
+ return (ISC_R_NOTFOUND);
+
+ return (ISC_R_SUCCESS);
+}
+
static isc_boolean_t
is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
dns_rdataset_t *rdataset)
@@ -6039,12 +6062,12 @@ answer_response(fetchctx_t *fctx) {
isc_result_t result;
dns_message_t *message;
dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
- dns_name_t *cname = NULL;
+ dns_name_t *cname = NULL, *lastcname = NULL;
dns_rdataset_t *rdataset, *ns_rdataset;
- isc_boolean_t done, external, chaining, aa, found, want_chaining;
+ isc_boolean_t done, external, aa, found, want_chaining;
isc_boolean_t have_answer, found_cname, found_dname, found_type;
isc_boolean_t wanted_chaining;
- unsigned int aflag;
+ unsigned int aflag, chaining;
dns_rdatatype_t type;
dns_fixedname_t fdname, fqname;
dns_view_t *view;
@@ -6062,9 +6085,9 @@ answer_response(fetchctx_t *fctx) {
found_cname = ISC_FALSE;
found_dname = ISC_FALSE;
found_type = ISC_FALSE;
- chaining = ISC_FALSE;
have_answer = ISC_FALSE;
want_chaining = ISC_FALSE;
+ chaining = 0;
POST(want_chaining);
if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
aa = ISC_TRUE;
@@ -6075,14 +6098,15 @@ answer_response(fetchctx_t *fctx) {
view = fctx->res->view;
result = dns_message_firstname(message, DNS_SECTION_ANSWER);
while (!done && result == ISC_R_SUCCESS) {
- dns_namereln_t namereln;
- int order;
- unsigned int nlabels;
+ dns_namereln_t namereln, lastreln;
+ int order, lastorder;
+ unsigned int nlabels, lastnlabels;
name = NULL;
dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+
if (namereln == dns_namereln_equal) {
wanted_chaining = ISC_FALSE;
for (rdataset = ISC_LIST_HEAD(name->list);
@@ -6188,6 +6212,7 @@ answer_response(fetchctx_t *fctx) {
&fctx->domain)) {
return (DNS_R_SERVFAIL);
}
+ lastcname = name;
} else if (rdataset->type == dns_rdatatype_rrsig
&& rdataset->covers ==
dns_rdatatype_cname
@@ -6211,7 +6236,7 @@ answer_response(fetchctx_t *fctx) {
rdataset->attributes |=
DNS_RDATASETATTR_CACHE;
rdataset->trust = dns_trust_answer;
- if (!chaining) {
+ if (chaining == 0) {
/*
* This data is "the" answer
* to our question only if
@@ -6288,10 +6313,21 @@ answer_response(fetchctx_t *fctx) {
* cause us to ignore the signatures of
* CNAMEs.
*/
- if (wanted_chaining)
- chaining = ISC_TRUE;
+ if (wanted_chaining && chaining < 2U)
+ chaining++;
} else {
dns_rdataset_t *dnameset = NULL;
+ isc_boolean_t synthcname = ISC_FALSE;
+
+ if (lastcname != NULL) {
+ lastreln = dns_name_fullcompare(lastcname,
+ name,
+ &lastorder,
+ &lastnlabels);
+ if (lastreln == dns_namereln_subdomain &&
+ lastnlabels == dns_name_countlabels(name))
+ synthcname = ISC_TRUE;
+ }
/*
* Look for a DNAME (or its SIG). Anything else is
@@ -6320,7 +6356,7 @@ answer_response(fetchctx_t *fctx) {
* If we're not chaining, then the DNAME and
* its signature should not be external.
*/
- if (!chaining && external) {
+ if (chaining == 0 && external) {
char qbuf[DNS_NAME_FORMATSIZE];
char obuf[DNS_NAME_FORMATSIZE];
@@ -6338,16 +6374,9 @@ answer_response(fetchctx_t *fctx) {
/*
* If DNAME + synthetic CNAME then the
* namereln is dns_namereln_subdomain.
- *
- * If synthetic CNAME + DNAME then the
- * namereln is dns_namereln_commonancestor
- * and the number of label must match the
- * DNAME. This order is not RFC compliant.
*/
-
if (namereln != dns_namereln_subdomain &&
- (namereln != dns_namereln_commonancestor ||
- nlabels != dns_name_countlabels(name)))
+ !synthcname)
{
char qbuf[DNS_NAME_FORMATSIZE];
char obuf[DNS_NAME_FORMATSIZE];
@@ -6367,8 +6396,19 @@ answer_response(fetchctx_t *fctx) {
want_chaining = ISC_TRUE;
POST(want_chaining);
aflag = DNS_RDATASETATTR_ANSWER;
- result = dname_target(rdataset, qname,
- nlabels, &fdname);
+ dns_fixedname_init(&fdname);
+ dname = dns_fixedname_name(&fdname);
+ if (synthcname) {
+ result = fromdname(rdataset,
+ lastcname,
+ lastnlabels,
+ qname);
+ } else {
+ result = dname_target(rdataset,
+ qname,
+ nlabels,
+ dname);
+ }
if (result == ISC_R_NOSPACE) {
/*
* We can't construct the
@@ -6382,8 +6422,8 @@ answer_response(fetchctx_t *fctx) {
else
dnameset = rdataset;
- dname = dns_fixedname_name(&fdname);
- if (!is_answertarget_allowed(view,
+ if (!synthcname &&
+ !is_answertarget_allowed(view,
qname, rdataset->type,
dname, &fctx->domain))
{
@@ -6404,7 +6444,13 @@ answer_response(fetchctx_t *fctx) {
name->attributes |= DNS_NAMEATTR_CACHE;
rdataset->attributes |= DNS_RDATASETATTR_CACHE;
rdataset->trust = dns_trust_answer;
- if (!chaining) {
+ /*
+ * If we are not chaining or the first CNAME
+ * is a synthesised CNAME before the DNAME.
+ */
+ if ((chaining == 0) ||
+ (chaining == 1U && synthcname))
+ {
/*
* This data is "the" answer to
* our question only if we're
@@ -6414,9 +6460,12 @@ answer_response(fetchctx_t *fctx) {
if (aflag == DNS_RDATASETATTR_ANSWER) {
have_answer = ISC_TRUE;
found_dname = ISC_TRUE;
- if (cname != NULL)
+ if (cname != NULL &&
+ synthcname)
+ {
cname->attributes &=
~DNS_NAMEATTR_ANSWER;
+ }
name->attributes |=
DNS_NAMEATTR_ANSWER;
}
@@ -6434,26 +6483,35 @@ answer_response(fetchctx_t *fctx) {
* DNAME chaining.
*/
if (dnameset != NULL) {
- /*
- * Copy the dname into the qname fixed name.
- *
- * Although we check for failure of the copy
- * operation, in practice it should never fail
- * since we already know that the result fits
- * in a fixedname.
- */
- dns_fixedname_init(&fqname);
- qname = dns_fixedname_name(&fqname);
- result = dns_name_copy(dname, qname, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
+ if (!synthcname) {
+ /*
+ * Copy the dname into the qname fixed
+ * name.
+ *
+ * Although we check for failure of the
+ * copy operation, in practice it
+ * should never fail since we already
+ * know that the result fits in a
+ * fixedname.
+ */
+ dns_fixedname_init(&fqname);
+ qname = dns_fixedname_name(&fqname);
+ result = dns_name_copy(dname, qname,
+ NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
wanted_chaining = ISC_TRUE;
name->attributes |= DNS_NAMEATTR_CHAINING;
dnameset->attributes |=
DNS_RDATASETATTR_CHAINING;
}
- if (wanted_chaining)
- chaining = ISC_TRUE;
+ /*
+ * Ensure that we can't ever get chaining == 1
+ * above if we have processed a DNAME.
+ */
+ if (wanted_chaining && chaining < 2U)
+ chaining += 2;
}
result = dns_message_nextname(message, DNS_SECTION_ANSWER);
}
@@ -6478,7 +6536,7 @@ answer_response(fetchctx_t *fctx) {
/*
* Did chaining end before we got the final answer?
*/
- if (chaining) {
+ if (chaining != 0) {
/*
* Yes. This may be a negative reply, so hand off
* authority section processing to the noanswer code.
@@ -6527,7 +6585,7 @@ answer_response(fetchctx_t *fctx) {
DNS_NAMEATTR_CACHE;
rdataset->attributes |=
DNS_RDATASETATTR_CACHE;
- if (aa && !chaining)
+ if (aa && chaining == 0)
rdataset->trust =
dns_trust_authauthority;
else
--
2.9.3

BIN
SOURCES/config-15.tar.bz2


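--- a/SOURCES/dnszone.schema
+++ b/SOURCES/dnszone.schema
@@ -0,0 +1,148 @@
+# A schema for storing DNS zones in LDAP
+#
+attributetype ( 1.3.6.1.4.1.2428.20.0.0 NAME 'dNSTTL'
+DESC 'An integer denoting time to live'
+EQUALITY integerMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.0.1 NAME 'dNSClass'
+DESC 'The class of a resource record'
+EQUALITY caseIgnoreIA5Match
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.0.2 NAME 'zoneName'
+DESC 'The name of a zone, i.e. the name of the highest node in the zone'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.0.3 NAME 'relativeDomainName'
+DESC 'The starting labels of a domain name'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.12 NAME 'pTRRecord'
+DESC 'domain name pointer, RFC 1035'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.13 NAME 'hInfoRecord'
+DESC 'host information, RFC 1035'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.14 NAME 'mInfoRecord'
+DESC 'mailbox or mail list information, RFC 1035'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.16 NAME 'tXTRecord'
+DESC 'text string, RFC 1035'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.18 NAME 'aFSDBRecord'
+DESC 'for AFS Data Base location, RFC 1183'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.24 NAME 'SigRecord'
+DESC 'Signature, RFC 2535'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.25 NAME 'KeyRecord'
+DESC 'Key, RFC 2535'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.28 NAME 'aAAARecord'
+DESC 'IPv6 address, RFC 1886'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.29 NAME 'LocRecord'
+DESC 'Location, RFC 1876'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.30 NAME 'nXTRecord'
+DESC 'non-existant, RFC 2535'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.33 NAME 'sRVRecord'
+DESC 'service location, RFC 2782'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.35 NAME 'nAPTRRecord'
+DESC 'Naming Authority Pointer, RFC 2915'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.36 NAME 'kXRecord'
+DESC 'Key Exchange Delegation, RFC 2230'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.37 NAME 'certRecord'
+DESC 'certificate, RFC 2538'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.38 NAME 'a6Record'
+DESC 'A6 Record Type, RFC 2874'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.39 NAME 'dNameRecord'
+DESC 'Non-Terminal DNS Name Redirection, RFC 2672'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.43 NAME 'dSRecord'
+DESC 'Delegation Signer, RFC 3658'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.46 NAME 'rRSIGRecord'
+DESC 'RRSIG, RFC 3755'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.2428.20.1.47 NAME 'nSECRecord'
+DESC 'NSEC, RFC 3755'
+EQUALITY caseIgnoreIA5Match
+SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+objectclass ( 1.3.6.1.4.1.2428.20.3 NAME 'dNSZone'
+SUP top STRUCTURAL
+MUST ( zoneName $ relativeDomainName )
+MAY ( DNSTTL $ DNSClass $
+ARecord $ MDRecord $ MXRecord $ NSRecord $
+SOARecord $ CNAMERecord $ PTRRecord $ HINFORecord $
+MINFORecord $ TXTRecord $ SIGRecord $ KEYRecord $
+AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $
+NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $
+DNAMERecord ) )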
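Review bot: The `dNSZone` objectclass at the end of the file lists `ARecord`, `MDRecord`, `MXRecord`, `NSRecord`, `SOARecord` and `CNAMERecord` in its MAY clause, but none of those attribute types is defined in this file, so loading the schema by itself should fail with an undefined-attribute error; they appear to be the ones from the standard cosine schema, which would then have to be loaded first. A header comment stating that dependency and the required load order would save the next packager a failed directory-server start, e.g. `# Requires cosine.schema (aRecord, mDRecord, mXRecord, nSRecord, sOARecord, cNAMERecord) to be loaded before this file.` The DESC of `nXTRecord` also misspells `non-existent` as `non-existant`.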

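--- a/SOURCES/generate-rndc-key.sh
+++ b/SOURCES/generate-rndc-key.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+. /etc/rc.d/init.d/functions
+
+# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
+
+if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
+echo -n $"Generating /etc/rndc.key:"
+if /usr/sbin/rndc-confgen -a -A hmac-sha256 -r /dev/urandom > /dev/null 2>&1
+then
+chmod 640 /etc/rndc.key
+chown root:named /etc/rndc.key
+[ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
+success $"/etc/rndc.key generation"
+echo
+else
+failure $"/etc/rndc.key generation"
+echo
+fi
+fi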
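Review bot: The key material is written by the `rndc-confgen -a` line before the `chmod 640` two lines below it, so if rndc-confgen creates /etc/rndc.key with the caller's umask there is a short window in which the shared secret is readable by other local users; adding `umask 077` at the top of the script, before the `rndc-confgen` call, closes that window regardless of how rndc-confgen opens the file, and the later `chmod 640` / `chown root:named` still produce the intended final mode. The `[ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]` test uses the binary `-a` operator, which POSIX marks obsolescent; `[ ! -s /etc/rndc.key ] && [ ! -s /etc/rndc.conf ]` is the portable form with the same meaning. The comment above the test should also say that an existing but empty rndc.key is regenerated, which is what `-s` (non-empty) implies.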

BIN
SOURCES/geoip-testing-data.tar.xz


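--- a/SOURCES/ldap2zone.1
+++ b/SOURCES/ldap2zone.1
@@ -0,0 +1,41 @@
+.\" Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" Manpage written by Jan Gorig
+.TH ldap2zone 1 "15 March 2010" "BIND9"
+.SH NAME
+ldap2zone - Creates zone file from LDAP dnszone information
+.SH SYNOPSIS
+.B ldap2zone zone-name LDAP-URL default-ttl [serial]
+.SH DESCRIPTION
+ldap2zone is a tool that reads info for a zone from LDAP and constructs a standard plain ascii zone file that is written to the standard output. The LDAP information has to be stored using the dnszone schema. The schema is used by BIND with LDAP back-end.
+
+\fBzone-name\fR
+.RS 4
+Name of the zone, eg "mydomain.net."
+.RE
+.PP
+\fBLDAP-URL\fR
+.RS 4
+LDAP URL to dnszone information
+.RE
+.PP
+\fBdefault-ttl\fR
+.RS 4
+Default TTL value to be used in zone
+.RE
+.PP
+\fBserial\fR
+.RS 4
+(optional) Program checks this number to be different than SOA serial number.
+.RE
+
+.SH "EXIT STATUS"
+Exits with 0 on success or 1 on failure.
+.SH "SEE ALSO"
+named(8) ldap(3)
+http://www.venaas.no/dns/ldap2zone/
+.SH "COPYRIGHT"
+Copyright (C) 2004, 2005 Stig Venaas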

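--- a/SOURCES/ldap2zone.c
+++ b/SOURCES/ldap2zone.c
+/*
+* Copyright (C) 2004, 2005 Stig Venaas <venaas@uninett.no>
+* $Id: ldap2zone.c,v 1.1 2007/07/24 15:18:00 atkac Exp $
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*/
+
+#define LDAP_DEPRECATED 1
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#include <ldap.h>
+
+struct string {
+void *data;
+size_t len;
+};
+
+struct assstack_entry {
+struct string key;
+struct string val;
+struct assstack_entry *next;
+};
+
+struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key);
+void assstack_push(struct assstack_entry **stack, struct assstack_entry *item);
+void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item);
+void printsoa(struct string *soa);
+void printrrs(char *defaultttl, struct assstack_entry *item);
+void print_zone(char *defaultttl, struct assstack_entry *stack);
+void usage(char *name);
+void err(char *name, const char *msg);
+int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val);
+
+struct assstack_entry *assstack_find(struct assstack_entry *stack, struct string *key) {
+for (; stack; stack = stack->next)
+if (stack->key.len == key->len && !memcmp(stack->key.data, key->data, key->len))
+return stack;
+return NULL;
+}
+
+void assstack_push(struct assstack_entry **stack, struct assstack_entry *item) {
+item->next = *stack;
+*stack = item;
+}
+
+void assstack_insertbottom(struct assstack_entry **stack, struct assstack_entry *item) {
+struct assstack_entry *p;
+item->next = NULL;
+if (!*stack) {
+*stack = item;
+return;
+}
+/* find end, should keep track of end somewhere */
+/* really a queue, not a stack */
+p = *stack;
+while (p->next)
+p = p->next;
+p->next = item;
+}
+
+void printsoa(struct string *soa) {
+char *s;
+size_t i;
+s = (char *)soa->data;
+i = 0;
+while (i < soa->len) {
+putchar(s[i]);
+if (s[i++] == ' ')
+break;
+}
+while (i < soa->len) {
+putchar(s[i]);
+if (s[i++] == ' ')
+break;
+}
+printf("(\n\t\t\t\t");
+while (i < soa->len) {
+putchar(s[i]);
+if (s[i++] == ' ')
+break;
+}
+printf("; Serialnumber\n\t\t\t\t");
+while (i < soa->len) {
+if (s[i] == ' ')
+break;
+putchar(s[i++]);
+}
+i++;
+printf("\t; Refresh\n\t\t\t\t");
+while (i < soa->len) {
+if (s[i] == ' ')
+break;
+putchar(s[i++]);
+}
+i++;
+printf("\t; Retry\n\t\t\t\t");
+while (i < soa->len) {
+if (s[i] == ' ')
+break;
+putchar(s[i++]);
+}
+i++;
+printf("\t; Expire\n\t\t\t\t");
+while (i < soa->len) {
+putchar(s[i++]);
+}
+printf(" )\t; Minimum TTL\n");
+}
+
+void printrrs(char *defaultttl, struct assstack_entry *item) {
+struct assstack_entry *stack;
+char *s;
+int first;
+size_t i;
+char *ttl, *type;
+int top;
+s = (char *)item->key.data;
+
+if (item->key.len == 1 && *s == '@') {
+top = 1;
+printf("@\t");
+} else {
+top = 0;
+for (i = 0; i < item->key.len; i++)
+putchar(s[i]);
+if (item->key.len < 8)
+putchar('\t');
+putchar('\t');
+}
+first = 1;
+for (stack = (struct assstack_entry *) item->val.data; stack; stack = stack->next) {
+ttl = (char *)stack->key.data;
+s = strchr(ttl, ' ');
+*s++ = '\0';
+type = s;
+if (first)
+first = 0;
+else
+printf("\t\t");
+if (strcmp(defaultttl, ttl))
+printf("%s", ttl);
+putchar('\t');
+if (top) {
+top = 0;
+printf("IN\t%s\t", type);
+/* Should always be SOA here */
+if (!strcmp(type, "SOA")) {
+printsoa(&stack->val);
+continue;
+}
+} else
+printf("%s\t", type);
+
+s = (char *)stack->val.data;
+for (i = 0; i < stack->val.len; i++)
+putchar(s[i]);
+putchar('\n');
+}
+}
+
+void print_zone(char *defaultttl, struct assstack_entry *stack) {
+printf("$TTL %s\n", defaultttl);
+for (; stack; stack = stack->next)
+printrrs(defaultttl, stack);
+};
+
+void usage(char *name) {
+fprintf(stderr, "Usage:%s zone-name LDAP-URL default-ttl [serial]\n", name);
+exit(1);
+};
+
+void err(char *name, const char *msg) {
+fprintf(stderr, "%s: %s\n", name, msg);
+exit(1);
+};
+
+int putrr(struct assstack_entry **stack, struct berval *name, char *type, char *ttl, struct berval *val) {
+struct string key;
+struct assstack_entry *rr, *rrdata;
+/* Do nothing if name or value have 0 length */
+if (!name->bv_len || !val->bv_len)
+return 0;
+
+/* see if already have an entry for this name */
+key.len = name->bv_len;
+key.data = name->bv_val;
+
+rr = assstack_find(*stack, &key);
+if (!rr) {
+/* Not found, create and push new entry */
+rr = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
+if (!rr)
+return -1;
+rr->key.len = name->bv_len;
+rr->key.data = (void *) malloc(rr->key.len);
+if (!rr->key.data) {
+free(rr);
+return -1;
+}
+memcpy(rr->key.data, name->bv_val, name->bv_len);
+rr->val.len = sizeof(void *);
+rr->val.data = NULL;
+if (name->bv_len == 1 && *(char *)name->bv_val == '@')
+assstack_push(stack, rr);
+else
+assstack_insertbottom(stack, rr);
+}
+
+rrdata = (struct assstack_entry *) malloc(sizeof(struct assstack_entry));
+if (!rrdata) {
+free(rr->key.data);
+free(rr);
+return -1;
+}
+rrdata->key.len = strlen(type) + strlen(ttl) + 1;
+rrdata->key.data = (void *) malloc(rrdata->key.len);
+if (!rrdata->key.data) {
+free(rrdata);
+free(rr->key.data);
+free(rr);
+return -1;
+}
+sprintf((char *)rrdata->key.data, "%s %s", ttl, type);
+rrdata->val.len = val->bv_len;
+rrdata->val.data = (void *) malloc(val->bv_len);
+if (!rrdata->val.data) {
+free(rrdata->key.data);
+free(rrdata);
+free(rr->key.data);
+free(rr);
+return -1;
+}
+memcpy(rrdata->val.data, val->bv_val, val->bv_len);
+
+if (!strcmp(type, "SOA"))
+assstack_push((struct assstack_entry **) &(rr->val.data), rrdata);
+else
+assstack_insertbottom((struct assstack_entry **) &(rr->val.data), rrdata);
+return 0;
+}
+
+int main(int argc, char **argv) {
+char *s, *hostporturl, *base = NULL;
+char *ttl, *defaultttl;
+LDAP *ld;
+char *fltr = NULL;
+LDAPMessage *res, *e;
+char *a, **ttlvals, **soavals, *serial;
+struct berval **vals, **names;
+char type[64];
+BerElement *ptr;
+int i, j, rc, msgid;
+struct assstack_entry *zone = NULL;
+if (argc < 4 || argc > 5)
+usage(argv[0]);
+
+hostporturl = argv[2];
+
+if (hostporturl != strstr( hostporturl, "ldap"))
+err(argv[0], "Not an LDAP URL");
+
+s = strchr(hostporturl, ':');
+
+if (!s || strlen(s) < 3 || s[1] != '/' || s[2] != '/')
+err(argv[0], "Not an LDAP URL");
+
+s = strchr(s+3, '/');
+if (s) {
+*s++ = '\0';
+base = s;
+s = strchr(base, '?');
+if (s)
+err(argv[0], "LDAP URL can only contain host, port and base");
+}
+
+defaultttl = argv[3];
+rc = ldap_initialize(&ld, hostporturl);
+if (rc != LDAP_SUCCESS)
+err(argv[0], "ldap_initialize() failed");
+
+if (argc == 5) {
+/* serial number specified, check if different from one in SOA */
+fltr = (char *)malloc(strlen(argv[1]) + strlen("(&(relativeDomainName=@)(zoneName=))") + 1);
+sprintf(fltr, "(&(relativeDomainName=@)(zoneName=%s))", argv[1]);
+msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
+if (msgid == -1)
+err(argv[0], "ldap_search() failed");
+
+while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
+/* not supporting continuation references at present */
+if (rc != LDAP_RES_SEARCH_ENTRY)
+err(argv[0], "ldap_result() returned cont.ref? Exiting");
+
+/* only one entry per result message */
+e = ldap_first_entry(ld, res);
+if (e == NULL) {
+ldap_msgfree(res);
+err(argv[0], "ldap_first_entry() failed");
+}
+soavals = ldap_get_values(ld, e, "SOARecord");
+if (soavals)
+break;
+}
+
+ldap_msgfree(res);
+if (!soavals) {
+err(argv[0], "No SOA Record found");
+}
+/* We have a SOA, compare serial numbers */
+/* Only checkinf first value, should be only one */
+s = strchr(soavals[0], ' ');
+s++;
+s = strchr(s, ' ');
+s++;
+serial = s;
+s = strchr(s, ' ');
+*s = '\0';
+if (!strcmp(serial, argv[4])) {
+ldap_value_free(soavals);
+err(argv[0], "serial numbers match");
+}
+ldap_value_free(soavals);
+}
+
+if (!fltr)
+fltr = (char *)malloc(strlen(argv[1]) + strlen("(zoneName=)") + 1);
+if (!fltr)
+err(argv[0], "Malloc failed");
+sprintf(fltr, "(zoneName=%s)", argv[1]);
+
+msgid = ldap_search(ld, base, LDAP_SCOPE_SUBTREE, fltr, NULL, 0);
+if (msgid == -1)
+err(argv[0], "ldap_search() failed");
+
+while ((rc = ldap_result(ld, msgid, 0, NULL, &res)) != LDAP_RES_SEARCH_RESULT ) {
+/* not supporting continuation references at present */
+if (rc != LDAP_RES_SEARCH_ENTRY)
+err(argv[0], "ldap_result() returned cont.ref? Exiting");
+
+/* only one entry per result message */
+e = ldap_first_entry(ld, res);
+if (e == NULL) {
+ldap_msgfree(res);
+err(argv[0], "ldap_first_entry() failed");
+}
+names = ldap_get_values_len(ld, e, "relativeDomainName");
+if (!names)
+continue;
+ttlvals = ldap_get_values(ld, e, "dNSTTL");
+ttl = ttlvals ? ttlvals[0] : defaultttl;
+
+for (a = ldap_first_attribute(ld, e, &ptr); a != NULL; a = ldap_next_attribute(ld, e, ptr)) {
+char *s;
+
+for (s = a; *s; s++)
+*s = toupper(*s);
+s = strstr(a, "RECORD");
+if ((s == NULL) || (s == a) || (s - a >= (signed int)sizeof(type))) {
+ldap_memfree(a);
+continue;
+}
+strncpy(type, a, s - a);
+type[s - a] = '\0';
+vals = ldap_get_values_len(ld, e, a);
+if (vals) {
+for (i = 0; vals[i]; i++)
+for (j = 0; names[j]; j++)
+if (putrr(&zone, names[j], type, ttl, vals[i]))
+err(argv[0], "malloc failed");
+ldap_value_free_len(vals);
+}
+ldap_memfree(a);
+}
+
+if (ptr)
+ber_free(ptr, 0);
+if (ttlvals)
+ldap_value_free(ttlvals);
+ldap_value_free_len(names);
+/* free this result */
+ldap_msgfree(res);
+}
+
+/* free final result */
+ldap_msgfree(res);
+
+print_zone(defaultttl, zone);
+return 0;
+}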
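Review bot: The file calls `memcmp`, `strchr`, `strstr`, `strcmp`, `strncpy`, `strlen` and `memcpy` but its include list (`sys/types.h`, `stdio.h`, `stdlib.h`, `ctype.h`, `ldap.h`) never brings in `<string.h>`; unless `<ldap.h>` happens to include it transitively, the pointer-returning `strchr`/`strstr` are implicitly declared as returning `int`, which loses the upper half of the pointer on 64-bit targets, and current compilers reject implicit declarations outright, so `#include <string.h>` belongs next to the other system headers. Two smaller points in `main`: the serial parse after `/* We have a SOA, compare serial numbers */` dereferences three consecutive `strchr` results without checking for NULL, so a malformed `SOARecord` value crashes the tool instead of reaching `err()`; and `argv[1]` is copied into the `(zoneName=%s)` and `(&(relativeDomainName=@)(zoneName=%s))` filters by `sprintf` without RFC 4515 escaping, so a zone name containing `(`, `)`, `*` or `\` yields an invalid filter or one broader than the requested zone, and the `fltr` allocation in the `argc == 5` branch is also used before its NULL check, which only covers the second allocation. Escaping those characters before building the filter, and checking the first `malloc` the same way as the second, keeps the search bounded to the requested zone and fails cleanly. In `putrr`, the error paths after `rrdata = malloc(...)` free `rr->key.data` and `rr` even when `rr` was found by `assstack_find` and is still linked into the list; the callers exit immediately via `err()`, so it is harmless today, but the frees should be limited to the branch that allocated `rr`.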

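--- a/SOURCES/named-chroot-setup.service
+++ b/SOURCES/named-chroot-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named (DNS)
+BindsTo=named-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off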

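--- a/SOURCES/named-chroot.service
+++ b/SOURCES/named-chroot.service
@@ -0,0 +1,30 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-chroot-setup.service
+Before=nss-lookup.target
+After=network.target
+After=named-chroot-setup.service
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+
+[Install]
+WantedBy=multi-user.target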
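Review bot: `PrivateTmp=false` near the end is the one sandboxing setting that differs from named-pkcs11.service (which sets `PrivateTmp=true`), and nothing says why; presumably a private /tmp namespace is of no use once named has entered the chroot under /var/named/chroot, but a reader comparing the units cannot tell whether the `false` is deliberate or a leftover. A comment above the line would settle it, e.g. `# named chroots into /var/named/chroot; a private /tmp namespace would not be visible there`, if that is indeed the reason. The same undocumented `PrivateTmp=false` appears in named-sdb-chroot.service. The `Environment=KRB5_KTNAME=/etc/named.keytab` line also deserves a comment saying whether that path is meant relative to the chroot or to the host, because with `-t /var/named/chroot` on the `ExecStart` line those are two different files.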

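--- a/SOURCES/named-pkcs11.service
+++ b/SOURCES/named-pkcs11.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
+Wants=nss-lookup.target
+Wants=named-setup-rndc.service
+Before=nss-lookup.target
+After=network.target
+After=named-setup-rndc.service
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target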
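Review bot: The unit honours `NAMEDCONF`, `OPTIONS` and `DISABLE_ZONE_CHECKING` from the file named on the `EnvironmentFile=-/etc/sysconfig/named` line, but nothing in the unit tells an administrator which variables may be set there or what they do, and the leading `-` means a missing file is tolerated silently. A short comment block above `[Service]` naming the three variables and their effect (path of the configuration file, extra arguments appended to `named-pkcs11`, and `yes` to skip the `named-checkconf -z` pre-start check) would document the contract without changing behaviour. It should also say that because systemd applies `EnvironmentFile=` after `Environment=`, a `NAMEDCONF` set in the sysconfig file overrides the default on the preceding line. The same three variables are read, undocumented, by named-chroot.service and named-sdb-chroot.service.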

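--- a/SOURCES/named-sdb-chroot-setup.service
+++ b/SOURCES/named-sdb-chroot-setup.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Set-up/destroy chroot environment for named-sdb
+BindsTo=named-sdb-chroot.service
+Wants=named-setup-rndc.service
+After=named-setup-rndc.service
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb on
+ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot_sdb off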

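--- a/SOURCES/named-sdb-chroot.service
+++ b/SOURCES/named-sdb-chroot.service
@@ -0,0 +1,30 @@
+# Don't forget to add "$AddUnixListenSocket /var/named/chroot_sdb/dev/log"
+# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
+# broken when rsyslogd daemon is restarted (due update, for example).
+
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Requires=named-sdb-chroot-setup.service
+Before=nss-lookup.target
+After=network.target
+After=named-sdb-chroot-setup.service
+
+[Service]
+Type=forking
+Environment=NAMEDCONF=/etc/named.conf
+EnvironmentFile=-/etc/sysconfig/named
+Environment=KRB5_KTNAME=/etc/named.keytab
+PIDFile=/var/named/chroot_sdb/run/named/named.pid
+
+ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot_sdb -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
+ExecStart=/usr/sbin/named-sdb -u named -c ${NAMEDCONF} -t /var/named/chroot_sdb $OPTIONS
+
+ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
+
+ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
+
+PrivateTmp=false
+
+[Install]
+WantedBy=multi-user.target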

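--- a/SOURCES/named-sdb.8
+++ b/SOURCES/named-sdb.8
@@ -0,0 +1 @@
+.so man8/named.8.gz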
