d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Vendor import of BIND 9.3.4

Browse Source
This commit is contained in:
Doug Barton 2007-01-29 18:31:57 +00:00
parent fcb35ad9ef
commit fa5fb0343e
9 changed files with 223 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
contrib/bind9/CHANGES
View File

@ -1,4 +1,11 @@
--- 9.3.4 released ---
2126. [security] Serialise validation of type ANY responses. [RT #16555]
2124. [security] It was possible to dereference a freed fetch
context. [RT #16584]
--- 9.3.3 released ---
2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]

43
contrib/bind9/FAQ
View File

@ -1,5 +1,9 @@
Frequently Asked Questions about BIND 9
Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2000-2003 Internet Software Consortium.
-------------------------------------------------------------------------------
Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
@ -630,3 +634,42 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
See these man-pages for more information : selinux(8), named_selinux(8), chcon
(1), setsebool(8)
Q: I want to forward all DNS queries from my caching nameserver to another server.
But there are some domains which have to be served locally, via rbldnsd.
How do I achieve this ?
A: options {
forward only;
forwarders { <ip.of.primary.nameserver>; };
};
zone "sbl-xbl.spamhaus.org" {
type forward; forward only;
forwarders { <ip.of.rbldns.server> port 530; };
};
zone "list.dsbl.org" {
type forward; forward only;
forwarders { <ip.of.rbldns.server> port 530; };
};
Q: Will named be affected by the 2007 changes to daylight savings rules in the US.
A: No, so long as the machines internal clock (as reported by "date -u") remains
at UTC. The only visible change if you fail to upgrade your OS, if you are in a
affected area, will be that log messages will be a hour out during the period
where the old rules do not match the new rules.
For most OS's this change just means that you need to update the conversion
rules from UTC to local time. Normally this involves updating a file in /etc
(which sets the default timezone for the machine) and possibly a directory
which has all the conversion rules for the world (e.g. /usr/share/zoneinfo).
When updating the OS do not forget to update any chroot areas as well. See your
OS's documetation for more details.
The local timezone conversion rules can also be done on a individual basis by
setting the TZ envirionment variable appropriately. See your OS's documentation
for more details.

83
contrib/bind9/FAQ.xml
View File

@ -1,7 +1,7 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
<!--
- Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@ -17,10 +17,26 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: FAQ.xml,v 1.4.6.5 2006/02/27 21:11:40 marka Exp $ -->
<!-- $Id: FAQ.xml,v 1.4.6.5.6.1 2007/01/12 02:28:00 marka Exp $ -->
<article class="faq">
<title>Frequently Asked Questions about BIND 9</title>
<articleinfo>
<copyright>
<year>2004</year>
<year>2005</year>
<year>2006</year>
<year>2007</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<holder>Internet Software Consortium.</holder>
</copyright>
</articleinfo>
<qandaset defaultlabel='qanda'>
<qandaentry>
<question>
@ -1193,5 +1209,68 @@ named_cache_t: for files modifiable by named - $ROOTDIR/var/{tmp,named/{slaves,d
</para>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
I want to forward all DNS queries from my caching nameserver to
another server. But there are some domains which have to be
served locally, via rbldnsd.
</para>
<para>
How do I achieve this ?
</para>
</question>
<answer>
<programlisting>
options {
forward only;
forwarders { &lt;ip.of.primary.nameserver&gt;; };
};
zone "sbl-xbl.spamhaus.org" {
type forward; forward only;
forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
};
zone "list.dsbl.org" {
type forward; forward only;
forwarders { &lt;ip.of.rbldns.server&gt; port 530; };
};
</programlisting>
</answer>
</qandaentry>
<qandaentry>
<question>
<para>
Will named be affected by the 2007 changes to daylight savings
rules in the US.
</para>
</question>
<answer>
<para>
No, so long as the machines internal clock (as reported
by "date -u") remains at UTC. The only visible change
if you fail to upgrade your OS, if you are in a affected
area, will be that log messages will be a hour out during
the period where the old rules do not match the new rules.
</para>
<para>
For most OS's this change just means that you need to
update the conversion rules from UTC to local time.
Normally this involves updating a file in /etc (which
sets the default timezone for the machine) and possibly
a directory which has all the conversion rules for the
world (e.g. /usr/share/zoneinfo). When updating the OS
do not forget to update any chroot areas as well.
See your OS's documetation for more details.
</para>
<para>
The local timezone conversion rules can also be done on
a individual basis by setting the TZ envirionment variable
appropriately. See your OS's documentation for more
details.
</para>
</answer>
</qandaentry>
</qandaset>
</article>

8
contrib/bind9/README
View File

@ -42,6 +42,14 @@ BIND 9
Stichting NLnet - NLnet Foundation
Nominum, Inc.
BIND 9.3.4
BIND 9.3.4 is a security release.
BIND 9.3.3
BIND 9.3.3 is a maintenance release, containing fixes for
a number of bugs in 9.3.2.
BIND 9.3.2

6
contrib/bind9/lib/dns/api
View File

@ -1,3 +1,3 @@
LIBINTERFACE = 22
LIBREVISION = 7
LIBAGE = 0
LIBINTERFACE = 23
LIBREVISION = 0
LIBAGE = 1

12
contrib/bind9/lib/dns/include/dns/validator.h
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.h,v 1.18.12.11 2006/01/06 00:01:42 marka Exp $ */
/* $Id: validator.h,v 1.18.12.11.6.1 2007/01/11 04:51:39 marka Exp $ */
#ifndef DNS_VALIDATOR_H
#define DNS_VALIDATOR_H 1
@ -144,6 +144,7 @@ struct dns_validator {
* dns_validator_create() options.
*/
#define DNS_VALIDATOR_DLV 1U
#define DNS_VALIDATOR_DEFER 2U
ISC_LANG_BEGINDECLS
@ -191,6 +192,15 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
* the answer by looking for a appopriate DLV RRset.
*/
void
dns_validator_send(dns_validator_t *validator);
/*%<
* Send a deferred validation request
*
* Requires:
* 'validator' to points to a valid DNSSEC validator.
*/
void
dns_validator_cancel(dns_validator_t *validator);
/*%<

51
contrib/bind9/lib/dns/resolver.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: resolver.c,v 1.218.2.18.4.64 2006/08/31 03:57:11 marka Exp $ */
/* $Id: resolver.c,v 1.218.2.18.4.64.4.2 2007/01/11 05:05:10 marka Exp $ */
#include <config.h>
@ -218,6 +218,11 @@ struct fetchctx {
dns_name_t nsname;
dns_fetch_t * nsfetch;
dns_rdataset_t nsrrset;
/*%
* Number of queries that reference this context.
*/
unsigned int nqueries;
};
#define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
@ -351,6 +356,7 @@ static isc_result_t ncache_adderesult(dns_message_t *message,
dns_rdataset_t *ardataset,
isc_result_t *eresultp);
static void validated(isc_task_t *task, isc_event_t *event);
static void maybe_destroy(fetchctx_t *fctx);
static isc_result_t
valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
@ -369,6 +375,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
valarg->fctx = fctx;
valarg->addrinfo = addrinfo;
if (!ISC_LIST_EMPTY(fctx->validators))
INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
result = dns_validator_create(fctx->res->view, name, type, rdataset,
sigrdataset, fctx->rmessage,
valoptions, task, validated, valarg,
@ -515,6 +524,9 @@ resquery_destroy(resquery_t **queryp) {
INSIST(query->tcpsocket == NULL);
query->fctx->nqueries--;
if (SHUTTINGDOWN(query->fctx))
maybe_destroy(query->fctx); /* Locks bucket. */
query->magic = 0;
isc_mem_put(query->mctx, query, sizeof(*query));
*queryp = NULL;
@ -973,6 +985,8 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
if (result != ISC_R_SUCCESS)
return (result);
INSIST(ISC_LIST_EMPTY(fctx->validators));
dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
query = isc_mem_get(res->mctx, sizeof(*query));
@ -1088,6 +1102,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
}
ISC_LIST_APPEND(fctx->queries, query, link);
query->fctx->nqueries++;
return (ISC_R_SUCCESS);
@ -1540,7 +1555,7 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
want_done = ISC_TRUE;
}
} else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
ISC_LIST_EMPTY(fctx->validators)) {
fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
bucketnum = fctx->bucketnum;
LOCK(&res->buckets[bucketnum].lock);
/*
@ -2394,8 +2409,8 @@ fctx_destroy(fetchctx_t *fctx) {
REQUIRE(ISC_LIST_EMPTY(fctx->finds));
REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
REQUIRE(fctx->pending == 0);
REQUIRE(ISC_LIST_EMPTY(fctx->validators));
REQUIRE(fctx->references == 0);
REQUIRE(ISC_LIST_EMPTY(fctx->validators));
FCTXTRACE("destroy");
@ -2569,7 +2584,7 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
}
if (fctx->references == 0 && fctx->pending == 0 &&
ISC_LIST_EMPTY(fctx->validators))
fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators))
bucket_empty = fctx_destroy(fctx);
UNLOCK(&res->buckets[bucketnum].lock);
@ -2610,6 +2625,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
* pending ADB finds and no pending validations.
*/
INSIST(fctx->pending == 0);
INSIST(fctx->nqueries == 0);
INSIST(ISC_LIST_EMPTY(fctx->validators));
if (fctx->references == 0) {
/*
@ -2771,6 +2787,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
fctx->restarts = 0;
fctx->timeouts = 0;
fctx->attributes = 0;
fctx->nqueries = 0;
dns_name_init(&fctx->nsname, NULL);
fctx->nsfetch = NULL;
@ -3093,12 +3110,21 @@ maybe_destroy(fetchctx_t *fctx) {
unsigned int bucketnum;
isc_boolean_t bucket_empty = ISC_FALSE;
dns_resolver_t *res = fctx->res;
dns_validator_t *validator;
REQUIRE(SHUTTINGDOWN(fctx));
if (fctx->pending != 0 || !ISC_LIST_EMPTY(fctx->validators))
if (fctx->pending != 0 || fctx->nqueries != 0)
return;
for (validator = ISC_LIST_HEAD(fctx->validators);
validator != NULL;
validator = ISC_LIST_HEAD(fctx->validators)) {
ISC_LIST_UNLINK(fctx->validators, validator, link);
dns_validator_cancel(validator);
dns_validator_destroy(&validator);
}
bucketnum = fctx->bucketnum;
LOCK(&res->buckets[bucketnum].lock);
if (fctx->references == 0)
@ -3232,7 +3258,9 @@ validated(isc_task_t *task, isc_event_t *event) {
add_bad(fctx, &addrinfo->sockaddr, result);
isc_event_free(&event);
UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
if (sentresponse)
if (!ISC_LIST_EMPTY(fctx->validators))
dns_validator_send(ISC_LIST_HEAD(fctx->validators));
else if (sentresponse)
fctx_done(fctx, result); /* Locks bucket. */
else
fctx_try(fctx); /* Locks bucket. */
@ -3330,6 +3358,7 @@ validated(isc_task_t *task, isc_event_t *event) {
* be validated.
*/
UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
dns_validator_send(ISC_LIST_HEAD(fctx->validators));
goto cleanup_event;
}
@ -3640,6 +3669,13 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
rdataset,
sigrdataset,
valoptions, task);
/*
* Defer any further validations.
* This prevents multiple validators
* from manipulating fctx->rmessage
* simultaniously.
*/
valoptions |= DNS_VALIDATOR_DEFER;
}
} else if (CHAINING(rdataset)) {
if (rdataset->type == dns_rdatatype_cname)
@ -6371,7 +6407,8 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
/*
* No one cares about the result of this fetch anymore.
*/
if (fctx->pending == 0 && ISC_LIST_EMPTY(fctx->validators) &&
if (fctx->pending == 0 && fctx->nqueries == 0 &&
ISC_LIST_EMPTY(fctx->validators) &&
SHUTTINGDOWN(fctx)) {
/*
* This fctx is already shutdown; we were just

26
contrib/bind9/lib/dns/validator.c
View File

@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.91.2.5.8.27 2006/02/26 23:03:52 marka Exp $ */
/* $Id: validator.c,v 1.91.2.5.8.27.6.1 2007/01/11 04:51:39 marka Exp $ */
#include <config.h>
@ -2825,7 +2825,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
ISC_LINK_INIT(val, link);
val->magic = VALIDATOR_MAGIC;
isc_task_send(task, ISC_EVENT_PTR(&event));
if ((options & DNS_VALIDATOR_DEFER) == 0)
isc_task_send(task, ISC_EVENT_PTR(&event));
*validatorp = val;
@ -2842,6 +2843,21 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
return (result);
}
void
dns_validator_send(dns_validator_t *validator) {
isc_event_t *event;
REQUIRE(VALID_VALIDATOR(validator));
LOCK(&validator->lock);
INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
event = (isc_event_t *)validator->event;
validator->options &= ~DNS_VALIDATOR_DEFER;
UNLOCK(&validator->lock);
isc_task_send(validator->task, ISC_EVENT_PTR(&event));
}
void
dns_validator_cancel(dns_validator_t *validator) {
REQUIRE(VALID_VALIDATOR(validator));
@ -2856,6 +2872,12 @@ dns_validator_cancel(dns_validator_t *validator) {
if (validator->subvalidator != NULL)
dns_validator_cancel(validator->subvalidator);
if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
isc_task_t *task = validator->event->ev_sender;
validator->options &= ~DNS_VALIDATOR_DEFER;
isc_event_free((isc_event_t **)&validator->event);
isc_task_detach(&task);
}
}
UNLOCK(&validator->lock);
}

4
contrib/bind9/version
View File

@ -1,10 +1,10 @@
# $Id: version,v 1.26.2.17.2.26 2006/11/28 00:52:38 marka Exp $
# $Id: version,v 1.26.2.17.2.26.4.1 2007/01/11 05:06:25 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
#
MAJORVER=9
MINORVER=3
PATCHVER=3
PATCHVER=4
RELEASETYPE=
RELEASEVER=