Import rpm: c8s
This commit is contained in:
commit
29cf07efaf
2
.gitignore
vendored
Normal file
2
.gitignore
vendored
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
SOURCES/bind-9.16.23.tar.xz
|
||||||
|
/bind-9.16.23.tar.xz
|
550
bind-9.10-dist-native-pkcs11.patch
Normal file
550
bind-9.10-dist-native-pkcs11.patch
Normal file
@ -0,0 +1,550 @@
|
|||||||
|
From 040227009453b3f0aa7914c7a6a94dc57ad5269b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Mensik <pemensik@redhat.com>
|
||||||
|
Date: Thu, 21 Jan 2021 10:46:20 +0100
|
||||||
|
Subject: [PATCH] Enable custom pkcs11 native build
|
||||||
|
|
||||||
|
Share common parts like libisc, libcc and others. But provide native
|
||||||
|
pkcs11 libraries as a new copy of libdns and libns.
|
||||||
|
---
|
||||||
|
bin/Makefile.in | 2 +-
|
||||||
|
bin/confgen/Makefile.in | 2 +-
|
||||||
|
bin/dnssec-pkcs11/Makefile.in | 39 +++++++++++++++++---------------
|
||||||
|
bin/named-pkcs11/Makefile.in | 33 ++++++++++++++-------------
|
||||||
|
configure.ac | 19 ++++++++++++++++
|
||||||
|
lib/Makefile.in | 2 +-
|
||||||
|
lib/dns-pkcs11/Makefile.in | 22 +++++++++---------
|
||||||
|
lib/dns-pkcs11/tests/Makefile.in | 8 +++----
|
||||||
|
lib/ns-pkcs11/Makefile.in | 26 ++++++++++-----------
|
||||||
|
lib/ns-pkcs11/tests/Makefile.in | 12 +++++-----
|
||||||
|
make/includes.in | 7 ++++++
|
||||||
|
11 files changed, 101 insertions(+), 71 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/bin/Makefile.in b/bin/Makefile.in
|
||||||
|
index 9ad7f62..094775a 100644
|
||||||
|
--- a/bin/Makefile.in
|
||||||
|
+++ b/bin/Makefile.in
|
||||||
|
@@ -11,7 +11,7 @@ srcdir = @srcdir@
|
||||||
|
VPATH = @srcdir@
|
||||||
|
top_srcdir = @top_srcdir@
|
||||||
|
|
||||||
|
-SUBDIRS = named rndc dig delv dnssec tools nsupdate check confgen \
|
||||||
|
+SUBDIRS = named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \
|
||||||
|
@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ plugins tests
|
||||||
|
TARGETS =
|
||||||
|
|
||||||
|
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
|
||||||
|
index c126bf3..1b7512d 100644
|
||||||
|
--- a/bin/confgen/Makefile.in
|
||||||
|
+++ b/bin/confgen/Makefile.in
|
||||||
|
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
|
||||||
|
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
|
||||||
|
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
|
||||||
|
|
||||||
|
-CDEFINES = @USE_PKCS11@
|
||||||
|
+CDEFINES =
|
||||||
|
CWARNINGS =
|
||||||
|
|
||||||
|
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||||
|
diff --git a/bin/dnssec-pkcs11/Makefile.in b/bin/dnssec-pkcs11/Makefile.in
|
||||||
|
index ace0e5a..e0f6a00 100644
|
||||||
|
--- a/bin/dnssec-pkcs11/Makefile.in
|
||||||
|
+++ b/bin/dnssec-pkcs11/Makefile.in
|
||||||
|
@@ -15,18 +15,18 @@ VERSION=@BIND9_VERSION@
|
||||||
|
|
||||||
|
@BIND9_MAKE_INCLUDES@
|
||||||
|
|
||||||
|
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
|
||||||
|
+CINCLUDES = ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
|
||||||
|
${OPENSSL_CFLAGS}
|
||||||
|
|
||||||
|
-CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
|
||||||
|
+CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" -DUSE_PKCS11=1
|
||||||
|
CWARNINGS =
|
||||||
|
|
||||||
|
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||||
|
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||||
|
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||||
|
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
|
||||||
|
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
|
||||||
|
|
||||||
|
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
|
||||||
|
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
|
||||||
|
ISCDEPLIBS = ../../lib/isc/libisc.@A@
|
||||||
|
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||||
|
|
||||||
|
@@ -36,12 +36,15 @@ LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
|
||||||
|
|
||||||
|
NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
|
||||||
|
|
||||||
|
+# Add suffix to all targets
|
||||||
|
+EXEEXT = -pkcs11@EXEEXT@
|
||||||
|
+
|
||||||
|
# Alphabetically
|
||||||
|
-TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
|
||||||
|
- dnssec-importkey@EXEEXT@ dnssec-keyfromlabel@EXEEXT@ \
|
||||||
|
- dnssec-keygen@EXEEXT@ dnssec-revoke@EXEEXT@ \
|
||||||
|
- dnssec-settime@EXEEXT@ dnssec-signzone@EXEEXT@ \
|
||||||
|
- dnssec-verify@EXEEXT@
|
||||||
|
+TARGETS = dnssec-cds${EXEEXT} dnssec-dsfromkey${EXEEXT} \
|
||||||
|
+ dnssec-importkey${EXEEXT} dnssec-keyfromlabel${EXEEXT} \
|
||||||
|
+ dnssec-keygen${EXEEXT} dnssec-revoke${EXEEXT} \
|
||||||
|
+ dnssec-settime${EXEEXT} dnssec-signzone${EXEEXT} \
|
||||||
|
+ dnssec-verify${EXEEXT}
|
||||||
|
|
||||||
|
OBJS = dnssectool.@O@
|
||||||
|
|
||||||
|
@@ -52,19 +55,19 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
|
||||||
|
|
||||||
|
@BIND9_MAKE_RULES@
|
||||||
|
|
||||||
|
-dnssec-cds@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
+dnssec-cds-pkcs11@EXEEXT@: dnssec-cds.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
export BASEOBJS="dnssec-cds.@O@ ${OBJS}"; \
|
||||||
|
${FINALBUILDCMD}
|
||||||
|
|
||||||
|
-dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
+dnssec-dsfromkey-pkcs11@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
export BASEOBJS="dnssec-dsfromkey.@O@ ${OBJS}"; \
|
||||||
|
${FINALBUILDCMD}
|
||||||
|
|
||||||
|
-dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
+dnssec-keyfromlabel-pkcs11@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
export BASEOBJS="dnssec-keyfromlabel.@O@ ${OBJS}"; \
|
||||||
|
${FINALBUILDCMD}
|
||||||
|
|
||||||
|
-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
+dnssec-keygen-pkcs11@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
export BASEOBJS="dnssec-keygen.@O@ ${OBJS}"; \
|
||||||
|
${FINALBUILDCMD}
|
||||||
|
|
||||||
|
@@ -72,7 +75,7 @@ dnssec-signzone.@O@: dnssec-signzone.c
|
||||||
|
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
|
||||||
|
-c ${srcdir}/dnssec-signzone.c
|
||||||
|
|
||||||
|
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
+dnssec-signzone-pkcs11@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
export BASEOBJS="dnssec-signzone.@O@ ${OBJS}"; \
|
||||||
|
${FINALBUILDCMD}
|
||||||
|
|
||||||
|
@@ -80,19 +83,19 @@ dnssec-verify.@O@: dnssec-verify.c
|
||||||
|
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
|
||||||
|
-c ${srcdir}/dnssec-verify.c
|
||||||
|
|
||||||
|
-dnssec-verify@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
+dnssec-verify-pkcs11@EXEEXT@: dnssec-verify.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
export BASEOBJS="dnssec-verify.@O@ ${OBJS}"; \
|
||||||
|
${FINALBUILDCMD}
|
||||||
|
|
||||||
|
-dnssec-revoke@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
+dnssec-revoke-pkcs11@EXEEXT@: dnssec-revoke.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||||
|
dnssec-revoke.@O@ ${OBJS} ${LIBS}
|
||||||
|
|
||||||
|
-dnssec-settime@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
+dnssec-settime-pkcs11@EXEEXT@: dnssec-settime.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||||
|
dnssec-settime.@O@ ${OBJS} ${LIBS}
|
||||||
|
|
||||||
|
-dnssec-importkey@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
+dnssec-importkey-pkcs11@EXEEXT@: dnssec-importkey.@O@ ${OBJS} ${DEPLIBS}
|
||||||
|
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
|
||||||
|
dnssec-importkey.@O@ ${OBJS} ${LIBS}
|
||||||
|
|
||||||
|
diff --git a/bin/named-pkcs11/Makefile.in b/bin/named-pkcs11/Makefile.in
|
||||||
|
index 98125dd..518a75f 100644
|
||||||
|
--- a/bin/named-pkcs11/Makefile.in
|
||||||
|
+++ b/bin/named-pkcs11/Makefile.in
|
||||||
|
@@ -37,13 +37,14 @@ DBDRIVER_LIBS =
|
||||||
|
|
||||||
|
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
|
||||||
|
|
||||||
|
-DLZDRIVER_OBJS = @DLZ_DRIVER_OBJS@
|
||||||
|
-DLZDRIVER_SRCS = @DLZ_DRIVER_SRCS@
|
||||||
|
-DLZDRIVER_INCLUDES = @DLZ_DRIVER_INCLUDES@
|
||||||
|
-DLZDRIVER_LIBS = @DLZ_DRIVER_LIBS@
|
||||||
|
+# Skip building on PKCS11 variant
|
||||||
|
+DLZDRIVER_OBJS =
|
||||||
|
+DLZDRIVER_SRCS =
|
||||||
|
+DLZDRIVER_INCLUDES =
|
||||||
|
+DLZDRIVER_LIBS =
|
||||||
|
|
||||||
|
CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
|
||||||
|
- ${NS_INCLUDES} ${DNS_INCLUDES} \
|
||||||
|
+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} \
|
||||||
|
${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} \
|
||||||
|
${ISC_INCLUDES} ${DLZDRIVER_INCLUDES} \
|
||||||
|
${DBDRIVER_INCLUDES} \
|
||||||
|
@@ -56,24 +57,24 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
|
||||||
|
${LIBXML2_CFLAGS} \
|
||||||
|
${MAXMINDDB_CFLAGS}
|
||||||
|
|
||||||
|
-CDEFINES = @CONTRIB_DLZ@
|
||||||
|
+CDEFINES =
|
||||||
|
|
||||||
|
CWARNINGS =
|
||||||
|
|
||||||
|
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||||
|
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||||
|
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||||
|
ISCCCLIBS = ../../lib/isccc/libisccc.@A@
|
||||||
|
ISCLIBS = ../../lib/isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
|
||||||
|
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ @NO_LIBTOOL_ISCLIBS@
|
||||||
|
BIND9LIBS = ../../lib/bind9/libbind9.@A@
|
||||||
|
-NSLIBS = ../../lib/ns/libns.@A@
|
||||||
|
+NSLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
|
||||||
|
|
||||||
|
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
|
||||||
|
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
|
||||||
|
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||||
|
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
|
||||||
|
ISCDEPLIBS = ../../lib/isc/libisc.@A@
|
||||||
|
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
|
||||||
|
-NSDEPLIBS = ../../lib/ns/libns.@A@
|
||||||
|
+NSDEPLIBS = ../../lib/ns-pkcs11/libns-pkcs11.@A@
|
||||||
|
|
||||||
|
DEPLIBS = ${NSDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
|
||||||
|
${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
|
||||||
|
@@ -93,7 +94,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
|
||||||
|
|
||||||
|
SUBDIRS = unix
|
||||||
|
|
||||||
|
-TARGETS = named@EXEEXT@ feature-test@EXEEXT@
|
||||||
|
+TARGETS = named-pkcs11@EXEEXT@ feature-test-pkcs11@EXEEXT@
|
||||||
|
|
||||||
|
GEOIP2LINKOBJS = geoip.@O@
|
||||||
|
|
||||||
|
@@ -151,7 +152,7 @@ server.@O@: server.c
|
||||||
|
-DPRODUCT=\"${PRODUCT}\" \
|
||||||
|
-DVERSION=\"${VERSION}\" -c ${srcdir}/server.c
|
||||||
|
|
||||||
|
-named@EXEEXT@: ${OBJS} ${DEPLIBS}
|
||||||
|
+named-pkcs11@EXEEXT@: ${OBJS} ${DEPLIBS}
|
||||||
|
export MAKE_SYMTABLE="yes"; \
|
||||||
|
export BASEOBJS="${OBJS} ${UOBJS}"; \
|
||||||
|
${FINALBUILDCMD}
|
||||||
|
@@ -161,7 +162,7 @@ feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
|
||||||
|
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
|
||||||
|
-c ${top_srcdir}/bin/tests/system/feature-test.c
|
||||||
|
|
||||||
|
-feature-test@EXEEXT@: feature-test.@O@
|
||||||
|
+feature-test-pkcs11@EXEEXT@: feature-test.@O@
|
||||||
|
${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
|
||||||
|
-o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
|
||||||
|
|
||||||
|
@@ -180,11 +181,11 @@ statschannel.@O@: bind9.xsl.h
|
||||||
|
installdirs:
|
||||||
|
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
|
||||||
|
|
||||||
|
-install:: named@EXEEXT@ installdirs
|
||||||
|
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
|
||||||
|
+install:: named-pkcs11@EXEEXT@ installdirs
|
||||||
|
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-pkcs11@EXEEXT@ ${DESTDIR}${sbindir}
|
||||||
|
|
||||||
|
uninstall::
|
||||||
|
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named@EXEEXT@
|
||||||
|
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${sbindir}/named-pkcs11@EXEEXT@
|
||||||
|
|
||||||
|
@DLZ_DRIVER_RULES@
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 032228b..64e3da0 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -1251,12 +1251,14 @@ AC_SUBST(USE_GSSAPI)
|
||||||
|
AC_SUBST(DST_GSSAPI_INC)
|
||||||
|
AC_SUBST(DNS_GSSAPI_LIBS)
|
||||||
|
DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS"
|
||||||
|
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Applications linking with libdns also need to link with these libraries.
|
||||||
|
#
|
||||||
|
|
||||||
|
AC_SUBST(DNS_CRYPTO_LIBS)
|
||||||
|
+AC_SUBST(DNS_CRYPTO_PK11_LIBS)
|
||||||
|
|
||||||
|
#
|
||||||
|
# was --with-lmdb specified?
|
||||||
|
@@ -2327,6 +2329,8 @@ AC_SUBST(BIND9_DNS_BUILDINCLUDE)
|
||||||
|
AC_SUBST(BIND9_NS_BUILDINCLUDE)
|
||||||
|
AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
|
||||||
|
AC_SUBST(BIND9_IRS_BUILDINCLUDE)
|
||||||
|
+AC_SUBST(BIND9_DNS_PKCS11_BUILDINCLUDE)
|
||||||
|
+AC_SUBST(BIND9_NS_PKCS11_BUILDINCLUDE)
|
||||||
|
if test "X$srcdir" != "X"; then
|
||||||
|
BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
|
||||||
|
BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
|
||||||
|
@@ -2335,6 +2339,8 @@ if test "X$srcdir" != "X"; then
|
||||||
|
BIND9_NS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns/include"
|
||||||
|
BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
|
||||||
|
BIND9_IRS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/irs/include"
|
||||||
|
+ BIND9_DNS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns-pkcs11/include"
|
||||||
|
+ BIND9_NS_PKCS11_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/ns-pkcs11/include"
|
||||||
|
else
|
||||||
|
BIND9_ISC_BUILDINCLUDE=""
|
||||||
|
BIND9_ISCCC_BUILDINCLUDE=""
|
||||||
|
@@ -2343,6 +2349,8 @@ else
|
||||||
|
BIND9_NS_BUILDINCLUDE=""
|
||||||
|
BIND9_BIND9_BUILDINCLUDE=""
|
||||||
|
BIND9_IRS_BUILDINCLUDE=""
|
||||||
|
+ BIND9_DNS_PKCS11_BUILDINCLUDE=""
|
||||||
|
+ BIND9_NS_PKCS11_BUILDINCLUDE=""
|
||||||
|
fi
|
||||||
|
|
||||||
|
AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
|
||||||
|
@@ -2798,8 +2806,11 @@ AC_CONFIG_FILES([
|
||||||
|
bin/delv/Makefile
|
||||||
|
bin/dig/Makefile
|
||||||
|
bin/dnssec/Makefile
|
||||||
|
+ bin/dnssec-pkcs11/Makefile
|
||||||
|
bin/named/Makefile
|
||||||
|
bin/named/unix/Makefile
|
||||||
|
+ bin/named-pkcs11/Makefile
|
||||||
|
+ bin/named-pkcs11/unix/Makefile
|
||||||
|
bin/nsupdate/Makefile
|
||||||
|
bin/pkcs11/Makefile
|
||||||
|
bin/plugins/Makefile
|
||||||
|
@@ -2861,6 +2872,10 @@ AC_CONFIG_FILES([
|
||||||
|
lib/dns/include/dns/Makefile
|
||||||
|
lib/dns/include/dst/Makefile
|
||||||
|
lib/dns/tests/Makefile
|
||||||
|
+ lib/dns-pkcs11/Makefile
|
||||||
|
+ lib/dns-pkcs11/include/Makefile
|
||||||
|
+ lib/dns-pkcs11/include/dns/Makefile
|
||||||
|
+ lib/dns-pkcs11/include/dst/Makefile
|
||||||
|
lib/irs/Makefile
|
||||||
|
lib/irs/include/Makefile
|
||||||
|
lib/irs/include/irs/Makefile
|
||||||
|
@@ -2893,6 +2908,10 @@ AC_CONFIG_FILES([
|
||||||
|
lib/ns/include/Makefile
|
||||||
|
lib/ns/include/ns/Makefile
|
||||||
|
lib/ns/tests/Makefile
|
||||||
|
+ lib/ns-pkcs11/Makefile
|
||||||
|
+ lib/ns-pkcs11/include/Makefile
|
||||||
|
+ lib/ns-pkcs11/include/ns/Makefile
|
||||||
|
+ lib/ns-pkcs11/tests/Makefile
|
||||||
|
make/Makefile
|
||||||
|
make/mkdep
|
||||||
|
unit/unittest.sh
|
||||||
|
diff --git a/lib/Makefile.in b/lib/Makefile.in
|
||||||
|
index 833964e..058ba2f 100644
|
||||||
|
--- a/lib/Makefile.in
|
||||||
|
+++ b/lib/Makefile.in
|
||||||
|
@@ -15,7 +15,7 @@ top_srcdir = @top_srcdir@
|
||||||
|
# Attempt to disable parallel processing.
|
||||||
|
.NOTPARALLEL:
|
||||||
|
.NO_PARALLEL:
|
||||||
|
-SUBDIRS = isc isccc dns ns isccfg bind9 irs
|
||||||
|
+SUBDIRS = isc isccc dns dns-pkcs11 ns ns-pkcs11 isccfg bind9 irs
|
||||||
|
TARGETS =
|
||||||
|
|
||||||
|
@BIND9_MAKE_RULES@
|
||||||
|
diff --git a/lib/dns-pkcs11/Makefile.in b/lib/dns-pkcs11/Makefile.in
|
||||||
|
index 58bda3c..d6a45df 100644
|
||||||
|
--- a/lib/dns-pkcs11/Makefile.in
|
||||||
|
+++ b/lib/dns-pkcs11/Makefile.in
|
||||||
|
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
|
||||||
|
|
||||||
|
@BIND9_MAKE_INCLUDES@
|
||||||
|
|
||||||
|
-CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
|
||||||
|
+CINCLUDES = -I. -I${top_srcdir}/lib/dns-pkcs11 -Iinclude ${DNS_PKCS11_INCLUDES} \
|
||||||
|
${ISC_INCLUDES} \
|
||||||
|
${FSTRM_CFLAGS} \
|
||||||
|
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
|
||||||
|
@@ -32,7 +32,7 @@ CINCLUDES = -I. -I${top_srcdir}/lib/dns -Iinclude ${DNS_INCLUDES} \
|
||||||
|
${LMDB_CFLAGS} \
|
||||||
|
${MAXMINDDB_CFLAGS}
|
||||||
|
|
||||||
|
-CDEFINES = @USE_GSSAPI@
|
||||||
|
+CDEFINES = @USE_GSSAPI@ @USE_PKCS11@
|
||||||
|
|
||||||
|
CWARNINGS =
|
||||||
|
|
||||||
|
@@ -135,15 +135,15 @@ version.@O@: version.c
|
||||||
|
-DMAPAPI=\"${MAPAPI}\" \
|
||||||
|
-c ${srcdir}/version.c
|
||||||
|
|
||||||
|
-libdns.@SA@: ${OBJS}
|
||||||
|
+libdns-pkcs11.@SA@: ${OBJS}
|
||||||
|
${AR} ${ARFLAGS} $@ ${OBJS}
|
||||||
|
${RANLIB} $@
|
||||||
|
|
||||||
|
-libdns.la: ${OBJS}
|
||||||
|
+libdns-pkcs11.la: ${OBJS}
|
||||||
|
${LIBTOOL_MODE_LINK} \
|
||||||
|
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
|
||||||
|
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns-pkcs11.la -rpath ${libdir} \
|
||||||
|
-release "${VERSION}" \
|
||||||
|
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
|
||||||
|
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
|
||||||
|
|
||||||
|
include: gen
|
||||||
|
${MAKE} include/dns/enumtype.h
|
||||||
|
@@ -174,22 +174,22 @@ gen: gen.c
|
||||||
|
${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c \
|
||||||
|
${BUILD_LIBS} ${LFS_LIBS}
|
||||||
|
|
||||||
|
-timestamp: include libdns.@A@
|
||||||
|
+timestamp: include libdns-pkcs11.@A@
|
||||||
|
touch timestamp
|
||||||
|
|
||||||
|
-testdirs: libdns.@A@
|
||||||
|
+testdirs: libdns-pkcs11.@A@
|
||||||
|
|
||||||
|
installdirs:
|
||||||
|
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
|
||||||
|
|
||||||
|
install:: timestamp installdirs
|
||||||
|
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns.@A@ ${DESTDIR}${libdir}
|
||||||
|
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libdns-pkcs11.@A@ ${DESTDIR}${libdir}
|
||||||
|
|
||||||
|
uninstall::
|
||||||
|
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns.@A@
|
||||||
|
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libdns-pkcs11.@A@
|
||||||
|
|
||||||
|
clean distclean::
|
||||||
|
- rm -f libdns.@A@ timestamp
|
||||||
|
+ rm -f libdns-pkcs11.@A@ timestamp
|
||||||
|
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
|
||||||
|
rm -f include/dns/rdatastruct.h
|
||||||
|
rm -f dnstap.pb-c.c dnstap.pb-c.h
|
||||||
|
diff --git a/lib/dns-pkcs11/tests/Makefile.in b/lib/dns-pkcs11/tests/Makefile.in
|
||||||
|
index 3bb5e01..c96fe7d 100644
|
||||||
|
--- a/lib/dns-pkcs11/tests/Makefile.in
|
||||||
|
+++ b/lib/dns-pkcs11/tests/Makefile.in
|
||||||
|
@@ -15,15 +15,15 @@ VERSION=@BIND9_VERSION@
|
||||||
|
|
||||||
|
@BIND9_MAKE_INCLUDES@
|
||||||
|
|
||||||
|
-CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} ${ISC_INCLUDES} \
|
||||||
|
+CINCLUDES = -I. -Iinclude ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
|
||||||
|
${FSTRM_CFLAGS} ${OPENSSL_CFLAGS} \
|
||||||
|
${PROTOBUF_C_CFLAGS} ${MAXMINDDB_CFLAGS} @CMOCKA_CFLAGS@
|
||||||
|
-CDEFINES = -DTESTS="\"${top_builddir}/lib/dns/tests/\""
|
||||||
|
+CDEFINES = @USE_PKCS11@ -DTESTS="\"${top_builddir}/lib/dns-pkcs11/tests/\""
|
||||||
|
|
||||||
|
ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
|
||||||
|
ISCDEPLIBS = ../../isc/libisc.@A@
|
||||||
|
-DNSLIBS = ../libdns.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||||
|
-DNSDEPLIBS = ../libdns.@A@
|
||||||
|
+DNSLIBS = ../libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||||
|
+DNSDEPLIBS = ../libdns-pkcs11.@A@
|
||||||
|
|
||||||
|
LIBS = @LIBS@ @CMOCKA_LIBS@
|
||||||
|
|
||||||
|
diff --git a/lib/ns-pkcs11/Makefile.in b/lib/ns-pkcs11/Makefile.in
|
||||||
|
index bc683ce..7a9d2f2 100644
|
||||||
|
--- a/lib/ns-pkcs11/Makefile.in
|
||||||
|
+++ b/lib/ns-pkcs11/Makefile.in
|
||||||
|
@@ -16,12 +16,12 @@ VERSION=@BIND9_VERSION@
|
||||||
|
|
||||||
|
@BIND9_MAKE_INCLUDES@
|
||||||
|
|
||||||
|
-CINCLUDES = -I. -I${top_srcdir}/lib/ns -Iinclude \
|
||||||
|
- ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
|
||||||
|
+CINCLUDES = -I. -I${top_srcdir}/lib/ns-pkcs11 -Iinclude \
|
||||||
|
+ ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
|
||||||
|
${OPENSSL_CFLAGS} @DST_GSSAPI_INC@ \
|
||||||
|
${FSTRM_CFLAGS}
|
||||||
|
|
||||||
|
-CDEFINES = -DNAMED_PLUGINDIR=\"${plugindir}\"
|
||||||
|
+CDEFINES = @USE_PKCS11@ -DNAMED_PLUGINDIR=\"${plugindir}\"
|
||||||
|
|
||||||
|
CWARNINGS =
|
||||||
|
|
||||||
|
@@ -29,9 +29,9 @@ ISCLIBS = ../../lib/isc/libisc.@A@
|
||||||
|
|
||||||
|
ISCDEPLIBS = ../../lib/isc/libisc.@A@
|
||||||
|
|
||||||
|
-DNSLIBS = ../../lib/dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||||
|
+DNSLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||||
|
|
||||||
|
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
|
||||||
|
+DNSDEPLIBS = ../../lib/dns-pkcs11/libdns-pkcs11.@A@
|
||||||
|
|
||||||
|
LIBS = @LIBS@
|
||||||
|
|
||||||
|
@@ -60,28 +60,28 @@ version.@O@: version.c
|
||||||
|
-DMAJOR=\"${MAJOR}\" \
|
||||||
|
-c ${srcdir}/version.c
|
||||||
|
|
||||||
|
-libns.@SA@: ${OBJS}
|
||||||
|
+libns-pkcs11.@SA@: ${OBJS}
|
||||||
|
${AR} ${ARFLAGS} $@ ${OBJS}
|
||||||
|
${RANLIB} $@
|
||||||
|
|
||||||
|
-libns.la: ${OBJS}
|
||||||
|
+libns-pkcs11.la: ${OBJS}
|
||||||
|
${LIBTOOL_MODE_LINK} \
|
||||||
|
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns.la -rpath ${libdir} \
|
||||||
|
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libns-pkcs11.la -rpath ${libdir} \
|
||||||
|
-release "${VERSION}" \
|
||||||
|
- ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
|
||||||
|
+ ${OBJS} ${ISCLIBS} ${DNSLIBS} @DNS_CRYPTO_PK11_LIBS@ ${LIBS}
|
||||||
|
|
||||||
|
-timestamp: libns.@A@
|
||||||
|
+timestamp: libns-pkcs11.@A@
|
||||||
|
touch timestamp
|
||||||
|
|
||||||
|
installdirs:
|
||||||
|
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
|
||||||
|
|
||||||
|
install:: timestamp installdirs
|
||||||
|
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns.@A@ \
|
||||||
|
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_LIBRARY} libns-pkcs11.@A@ \
|
||||||
|
${DESTDIR}${libdir}
|
||||||
|
|
||||||
|
uninstall::
|
||||||
|
- ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns.@A@
|
||||||
|
+ ${LIBTOOL_MODE_UNINSTALL} rm -f ${DESTDIR}${libdir}/libns-pkcs11.@A@
|
||||||
|
|
||||||
|
clean distclean::
|
||||||
|
- rm -f libns.@A@ timestamp
|
||||||
|
+ rm -f libns-pkcs11.@A@ timestamp
|
||||||
|
diff --git a/lib/ns-pkcs11/tests/Makefile.in b/lib/ns-pkcs11/tests/Makefile.in
|
||||||
|
index 4c3e694..c1b6d99 100644
|
||||||
|
--- a/lib/ns-pkcs11/tests/Makefile.in
|
||||||
|
+++ b/lib/ns-pkcs11/tests/Makefile.in
|
||||||
|
@@ -17,17 +17,17 @@ VERSION=@BIND9_VERSION@
|
||||||
|
|
||||||
|
WRAP_OPTIONS = -Wl,--wrap=isc__nmhandle_detach -Wl,--wrap=isc__nmhandle_attach
|
||||||
|
|
||||||
|
-CINCLUDES = -I. -Iinclude ${NS_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
|
||||||
|
+CINCLUDES = -I. -Iinclude ${NS_PKCS11_INCLUDES} ${DNS_PKCS11_INCLUDES} ${ISC_INCLUDES} \
|
||||||
|
${OPENSSL_CFLAGS} \
|
||||||
|
@CMOCKA_CFLAGS@
|
||||||
|
-CDEFINES = -DTESTS="\"${top_builddir}/lib/ns/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\"
|
||||||
|
+CDEFINES = -DTESTS="\"${top_builddir}/lib/ns-pkcs11/tests/\"" -DNAMED_PLUGINDIR=\"${plugindir}\" @USE_PKCS11@
|
||||||
|
|
||||||
|
ISCLIBS = ../../isc/libisc.@A@ @NO_LIBTOOL_ISCLIBS@
|
||||||
|
ISCDEPLIBS = ../../isc/libisc.@A@
|
||||||
|
-DNSLIBS = ../../dns/libdns.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||||
|
-DNSDEPLIBS = ../../dns/libdns.@A@
|
||||||
|
-NSLIBS = ../libns.@A@
|
||||||
|
-NSDEPLIBS = ../libns.@A@
|
||||||
|
+DNSLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@ @NO_LIBTOOL_DNSLIBS@
|
||||||
|
+DNSDEPLIBS = ../../dns-pkcs11/libdns-pkcs11.@A@
|
||||||
|
+NSLIBS = ../libns-pkcs11.@A@
|
||||||
|
+NSDEPLIBS = ../libns-pkcs11.@A@
|
||||||
|
|
||||||
|
LIBS = @LIBS@ @CMOCKA_LIBS@
|
||||||
|
|
||||||
|
diff --git a/make/includes.in b/make/includes.in
|
||||||
|
index b8317d3..b73b0c4 100644
|
||||||
|
--- a/make/includes.in
|
||||||
|
+++ b/make/includes.in
|
||||||
|
@@ -39,3 +39,10 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
|
||||||
|
|
||||||
|
TEST_INCLUDES = \
|
||||||
|
-I${top_srcdir}/lib/tests/include
|
||||||
|
+
|
||||||
|
+DNS_PKCS11_INCLUDES = @BIND9_DNS_PKCS11_BUILDINCLUDE@ \
|
||||||
|
+ -I${top_srcdir}/lib/dns-pkcs11/include
|
||||||
|
+
|
||||||
|
+NS_PKCS11_INCLUDES = @BIND9_NS_PKCS11_BUILDINCLUDE@ \
|
||||||
|
+ -I${top_srcdir}/lib/ns-pkcs11/include
|
||||||
|
+
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
59
bind-9.11-feature-test-named.patch
Normal file
59
bind-9.11-feature-test-named.patch
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
From e645046202006750f87531e21e3ff7c26fba3466 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
|
Date: Wed, 30 Jan 2019 14:37:17 +0100
|
||||||
|
Subject: [PATCH] Create feature-test in source directory
|
||||||
|
|
||||||
|
Feature-test tool is used in system tests to test compiled in changes.
|
||||||
|
Because we build more variants of named with different configuration,
|
||||||
|
compile feature-test for each of them this way.
|
||||||
|
---
|
||||||
|
bin/named/Makefile.in | 12 +++++++++++-
|
||||||
|
bin/tests/system/conf.sh.in | 2 +-
|
||||||
|
2 files changed, 12 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
|
||||||
|
index 37053a7..ed9add2 100644
|
||||||
|
--- a/bin/named/Makefile.in
|
||||||
|
+++ b/bin/named/Makefile.in
|
||||||
|
@@ -91,7 +91,7 @@ NOSYMLIBS = ${NSLIBS} ${DNSLIBS} ${BIND9LIBS} \
|
||||||
|
|
||||||
|
SUBDIRS = unix
|
||||||
|
|
||||||
|
-TARGETS = named@EXEEXT@
|
||||||
|
+TARGETS = named@EXEEXT@ feature-test@EXEEXT@
|
||||||
|
|
||||||
|
GEOIP2LINKOBJS = geoip.@O@
|
||||||
|
|
||||||
|
@@ -154,6 +154,16 @@ named@EXEEXT@: ${OBJS} ${DEPLIBS}
|
||||||
|
export BASEOBJS="${OBJS} ${UOBJS}"; \
|
||||||
|
${FINALBUILDCMD}
|
||||||
|
|
||||||
|
+# Bit of hack, do not produce intermediate .o object for featuretest
|
||||||
|
+feature-test.@O@: ${top_srcdir}/bin/tests/system/feature-test.c
|
||||||
|
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
|
||||||
|
+ -c ${top_srcdir}/bin/tests/system/feature-test.c
|
||||||
|
+
|
||||||
|
+feature-test@EXEEXT@: feature-test.@O@
|
||||||
|
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} \
|
||||||
|
+ -o $@ feature-test.@O@ ${ISCLIBS} ${LIBS}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
clean distclean maintainer-clean::
|
||||||
|
rm -f ${TARGETS} ${OBJS}
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
|
||||||
|
index 7934930..e84fde2 100644
|
||||||
|
--- a/bin/tests/system/conf.sh.in
|
||||||
|
+++ b/bin/tests/system/conf.sh.in
|
||||||
|
@@ -37,7 +37,7 @@ DELV=$TOP/bin/delv/delv
|
||||||
|
DIG=$TOP/bin/dig/dig
|
||||||
|
DNSTAPREAD=$TOP/bin/tools/dnstap-read
|
||||||
|
DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
|
||||||
|
-FEATURETEST=$TOP/bin/tests/system/feature-test
|
||||||
|
+FEATURETEST=$TOP/bin/named/feature-test
|
||||||
|
FSTRM_CAPTURE=@FSTRM_CAPTURE@
|
||||||
|
HOST=$TOP/bin/dig/host
|
||||||
|
IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
959
bind-9.11-fips-tests.patch
Normal file
959
bind-9.11-fips-tests.patch
Normal file
@ -0,0 +1,959 @@
|
|||||||
|
From 3f04cf343dbeb8819197702ce1be737e26e0638a Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
|
Date: Thu, 2 Aug 2018 23:46:45 +0200
|
||||||
|
Subject: [PATCH] FIPS tests changes
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Squashed commit of the following:
|
||||||
|
|
||||||
|
commit 09e5eb48698d4fef2fc1031870de86c553b6bfaa
|
||||||
|
Author: Petr Menšík <pemensik@redhat.com>
|
||||||
|
Date: Wed Mar 7 20:35:13 2018 +0100
|
||||||
|
|
||||||
|
Fix nsupdate test. Do not use md5 by default for rndc, skip gracefully md5 if not available.
|
||||||
|
|
||||||
|
commit ab303db70082db76ecf36493d0b82ef3e8750cad
|
||||||
|
Author: Petr Menšík <pemensik@redhat.com>
|
||||||
|
Date: Wed Mar 7 18:11:10 2018 +0100
|
||||||
|
|
||||||
|
Changed root key to be RSASHA256
|
||||||
|
|
||||||
|
Change bad trusted key to be the same algorithm.
|
||||||
|
|
||||||
|
commit 88ab07c0e14cc71247e1f9d11a1ea832b64c1ee8
|
||||||
|
Author: Petr Menšík <pemensik@redhat.com>
|
||||||
|
Date: Wed Mar 7 16:56:17 2018 +0100
|
||||||
|
|
||||||
|
Change used key to not use hmac-md5
|
||||||
|
|
||||||
|
Fix upforwd test, do not use hmac-md5
|
||||||
|
|
||||||
|
commit aec891571626f053acfb4d0a247240cbc21a84e9
|
||||||
|
Author: Petr Menšík <pemensik@redhat.com>
|
||||||
|
Date: Wed Mar 7 15:54:11 2018 +0100
|
||||||
|
|
||||||
|
Increase bitsize of DSA key to pass FIPS 140-2 mode.
|
||||||
|
|
||||||
|
commit bca8e164fa0d9aff2f946b8b4eb0f1f7e0bf6696
|
||||||
|
Author: Petr Menšík <pemensik@redhat.com>
|
||||||
|
Date: Wed Mar 7 15:41:08 2018 +0100
|
||||||
|
|
||||||
|
Fix tsig and rndc tests for disabled md5
|
||||||
|
|
||||||
|
Use hmac-sha256 instead of hmac-md5.
|
||||||
|
|
||||||
|
commit 0d314c1ab6151aa13574a21ad22f28d3b7f42a67
|
||||||
|
Author: Petr Menšík <pemensik@redhat.com>
|
||||||
|
Date: Wed Mar 7 13:21:00 2018 +0100
|
||||||
|
|
||||||
|
Add md5 availability detection to featuretest
|
||||||
|
|
||||||
|
commit f389a918803e2853e4b55fed62765dc4a492e34f
|
||||||
|
Author: Petr Menšík <pemensik@redhat.com>
|
||||||
|
Date: Wed Mar 7 10:44:23 2018 +0100
|
||||||
|
|
||||||
|
Change tests to not use hmac-md5 algorithms if not required
|
||||||
|
|
||||||
|
Use hmac-sha256 instead of default hmac-md5 for allow-query
|
||||||
|
---
|
||||||
|
bin/tests/system/acl/ns2/named1.conf.in | 4 +-
|
||||||
|
bin/tests/system/acl/ns2/named2.conf.in | 4 +-
|
||||||
|
bin/tests/system/acl/ns2/named3.conf.in | 6 +-
|
||||||
|
bin/tests/system/acl/ns2/named4.conf.in | 4 +-
|
||||||
|
bin/tests/system/acl/ns2/named5.conf.in | 4 +-
|
||||||
|
bin/tests/system/acl/tests.sh | 32 ++++-----
|
||||||
|
.../system/allow-query/ns2/named10.conf.in | 2 +-
|
||||||
|
.../system/allow-query/ns2/named11.conf.in | 4 +-
|
||||||
|
.../system/allow-query/ns2/named12.conf.in | 2 +-
|
||||||
|
.../system/allow-query/ns2/named30.conf.in | 2 +-
|
||||||
|
.../system/allow-query/ns2/named31.conf.in | 4 +-
|
||||||
|
.../system/allow-query/ns2/named32.conf.in | 2 +-
|
||||||
|
.../system/allow-query/ns2/named40.conf.in | 4 +-
|
||||||
|
bin/tests/system/allow-query/tests.sh | 18 ++---
|
||||||
|
bin/tests/system/catz/ns1/named.conf.in | 2 +-
|
||||||
|
bin/tests/system/catz/ns2/named.conf.in | 2 +-
|
||||||
|
bin/tests/system/checkconf/bad-tsig.conf | 2 +-
|
||||||
|
bin/tests/system/checkconf/good.conf | 2 +-
|
||||||
|
bin/tests/system/feature-test.c | 14 ++++
|
||||||
|
bin/tests/system/notify/ns5/named.conf.in | 6 +-
|
||||||
|
bin/tests/system/notify/tests.sh | 6 +-
|
||||||
|
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +-
|
||||||
|
bin/tests/system/nsupdate/ns2/named.conf.in | 2 +-
|
||||||
|
bin/tests/system/nsupdate/setup.sh | 6 +-
|
||||||
|
bin/tests/system/nsupdate/tests.sh | 15 +++--
|
||||||
|
bin/tests/system/rndc/setup.sh | 2 +-
|
||||||
|
bin/tests/system/rndc/tests.sh | 23 ++++---
|
||||||
|
bin/tests/system/tsig/ns1/named.conf.in | 10 +--
|
||||||
|
bin/tests/system/tsig/ns1/rndc5.conf.in | 10 +++
|
||||||
|
bin/tests/system/tsig/setup.sh | 5 ++
|
||||||
|
bin/tests/system/tsig/tests.sh | 65 ++++++++++++-------
|
||||||
|
bin/tests/system/upforwd/ns1/named.conf.in | 2 +-
|
||||||
|
bin/tests/system/upforwd/tests.sh | 2 +-
|
||||||
|
33 files changed, 162 insertions(+), 108 deletions(-)
|
||||||
|
create mode 100644 bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/acl/ns2/named1.conf.in b/bin/tests/system/acl/ns2/named1.conf.in
|
||||||
|
index 60f22e1..249f672 100644
|
||||||
|
--- a/bin/tests/system/acl/ns2/named1.conf.in
|
||||||
|
+++ b/bin/tests/system/acl/ns2/named1.conf.in
|
||||||
|
@@ -33,12 +33,12 @@ options {
|
||||||
|
};
|
||||||
|
|
||||||
|
key one {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
key two {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/acl/ns2/named2.conf.in b/bin/tests/system/acl/ns2/named2.conf.in
|
||||||
|
index ada97bc..f82d858 100644
|
||||||
|
--- a/bin/tests/system/acl/ns2/named2.conf.in
|
||||||
|
+++ b/bin/tests/system/acl/ns2/named2.conf.in
|
||||||
|
@@ -33,12 +33,12 @@ options {
|
||||||
|
};
|
||||||
|
|
||||||
|
key one {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
key two {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/acl/ns2/named3.conf.in b/bin/tests/system/acl/ns2/named3.conf.in
|
||||||
|
index 97684e4..de6a2e9 100644
|
||||||
|
--- a/bin/tests/system/acl/ns2/named3.conf.in
|
||||||
|
+++ b/bin/tests/system/acl/ns2/named3.conf.in
|
||||||
|
@@ -33,17 +33,17 @@ options {
|
||||||
|
};
|
||||||
|
|
||||||
|
key one {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
key two {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
key three {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/acl/ns2/named4.conf.in b/bin/tests/system/acl/ns2/named4.conf.in
|
||||||
|
index 462b3fa..994b35c 100644
|
||||||
|
--- a/bin/tests/system/acl/ns2/named4.conf.in
|
||||||
|
+++ b/bin/tests/system/acl/ns2/named4.conf.in
|
||||||
|
@@ -33,12 +33,12 @@ options {
|
||||||
|
};
|
||||||
|
|
||||||
|
key one {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
key two {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/acl/ns2/named5.conf.in b/bin/tests/system/acl/ns2/named5.conf.in
|
||||||
|
index 728da58..8f00d09 100644
|
||||||
|
--- a/bin/tests/system/acl/ns2/named5.conf.in
|
||||||
|
+++ b/bin/tests/system/acl/ns2/named5.conf.in
|
||||||
|
@@ -35,12 +35,12 @@ options {
|
||||||
|
};
|
||||||
|
|
||||||
|
key one {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
key two {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/acl/tests.sh b/bin/tests/system/acl/tests.sh
|
||||||
|
index be59d64..13d5bdc 100644
|
||||||
|
--- a/bin/tests/system/acl/tests.sh
|
||||||
|
+++ b/bin/tests/system/acl/tests.sh
|
||||||
|
@@ -22,14 +22,14 @@ echo_i "testing basic ACL processing"
|
||||||
|
# key "one" should fail
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
|
||||||
|
# any other key should be fine
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
copy_setports ns2/named2.conf.in ns2/named.conf
|
||||||
|
@@ -39,18 +39,18 @@ sleep 5
|
||||||
|
# prefix 10/8 should fail
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
# any other address should work, as long as it sends key "one"
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 127.0.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
echo_i "testing nested ACL processing"
|
||||||
|
@@ -62,31 +62,31 @@ sleep 5
|
||||||
|
# should succeed
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
# should succeed
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
# should succeed
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
# should succeed
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
# but only one or the other should fail
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 127.0.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
t=`expr $t + 1`
|
||||||
|
@@ -97,7 +97,7 @@ grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $tt failed" ; status=1
|
||||||
|
# and other values? right out
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 127.0.0.1 axfr -y three:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 127.0.0.1 axfr -y hmac-sha256:three:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
# now we only allow 10.53.0.1 *and* key one, or 10.53.0.2 *and* key two
|
||||||
|
@@ -108,31 +108,31 @@ sleep 5
|
||||||
|
# should succeed
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 10.53.0.2 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
# should succeed
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 10.53.0.1 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
# should fail
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 10.53.0.2 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 10.53.0.2 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
# should fail
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 10.53.0.1 axfr -y two:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 10.53.0.1 axfr -y hmac-sha256:two:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
# should fail
|
||||||
|
t=`expr $t + 1`
|
||||||
|
$DIG $DIGOPTS tsigzone. \
|
||||||
|
- @10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 > dig.out.${t}
|
||||||
|
+ @10.53.0.2 -b 10.53.0.3 axfr -y hmac-sha256:one:1234abcd8765 > dig.out.${t}
|
||||||
|
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
|
||||||
|
|
||||||
|
echo_i "testing allow-query-on ACL processing"
|
||||||
|
diff --git a/bin/tests/system/allow-query/ns2/named10.conf.in b/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||||
|
index 7d43e36..f7b25f9 100644
|
||||||
|
--- a/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||||
|
+++ b/bin/tests/system/allow-query/ns2/named10.conf.in
|
||||||
|
@@ -10,7 +10,7 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
key one {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/allow-query/ns2/named11.conf.in b/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||||
|
index 2952518..121557e 100644
|
||||||
|
--- a/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||||
|
+++ b/bin/tests/system/allow-query/ns2/named11.conf.in
|
||||||
|
@@ -10,12 +10,12 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
key one {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
key two {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234efgh8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/allow-query/ns2/named12.conf.in b/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||||
|
index 0c01071..ceabbb5 100644
|
||||||
|
--- a/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||||
|
+++ b/bin/tests/system/allow-query/ns2/named12.conf.in
|
||||||
|
@@ -10,7 +10,7 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
key one {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/allow-query/ns2/named30.conf.in b/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||||
|
index 4c17292..9cd9d1f 100644
|
||||||
|
--- a/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||||
|
+++ b/bin/tests/system/allow-query/ns2/named30.conf.in
|
||||||
|
@@ -10,7 +10,7 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
key one {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/allow-query/ns2/named31.conf.in b/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||||
|
index a2690a4..f488730 100644
|
||||||
|
--- a/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||||
|
+++ b/bin/tests/system/allow-query/ns2/named31.conf.in
|
||||||
|
@@ -10,12 +10,12 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
key one {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
key two {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234efgh8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/allow-query/ns2/named32.conf.in b/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||||
|
index a0708c8..51fa457 100644
|
||||||
|
--- a/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||||
|
+++ b/bin/tests/system/allow-query/ns2/named32.conf.in
|
||||||
|
@@ -10,7 +10,7 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
key one {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/allow-query/ns2/named40.conf.in b/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||||
|
index 687768e..d24d6d2 100644
|
||||||
|
--- a/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||||
|
+++ b/bin/tests/system/allow-query/ns2/named40.conf.in
|
||||||
|
@@ -14,12 +14,12 @@ acl accept { 10.53.0.2; };
|
||||||
|
acl badaccept { 10.53.0.1; };
|
||||||
|
|
||||||
|
key one {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
key two {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "1234efgh8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/allow-query/tests.sh b/bin/tests/system/allow-query/tests.sh
|
||||||
|
index fe40635..543c663 100644
|
||||||
|
--- a/bin/tests/system/allow-query/tests.sh
|
||||||
|
+++ b/bin/tests/system/allow-query/tests.sh
|
||||||
|
@@ -182,7 +182,7 @@ rndc_reload ns2 10.53.0.2
|
||||||
|
|
||||||
|
echo_i "test $n: key allowed - query allowed"
|
||||||
|
ret=0
|
||||||
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
|
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
@@ -195,7 +195,7 @@ rndc_reload ns2 10.53.0.2
|
||||||
|
|
||||||
|
echo_i "test $n: key not allowed - query refused"
|
||||||
|
ret=0
|
||||||
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
@@ -208,7 +208,7 @@ rndc_reload ns2 10.53.0.2
|
||||||
|
|
||||||
|
echo_i "test $n: key disallowed - query refused"
|
||||||
|
ret=0
|
||||||
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
@@ -341,7 +341,7 @@ rndc_reload ns2 10.53.0.2
|
||||||
|
|
||||||
|
echo_i "test $n: views key allowed - query allowed"
|
||||||
|
ret=0
|
||||||
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
|
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
@@ -354,7 +354,7 @@ rndc_reload ns2 10.53.0.2
|
||||||
|
|
||||||
|
echo_i "test $n: views key not allowed - query refused"
|
||||||
|
ret=0
|
||||||
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
@@ -367,7 +367,7 @@ rndc_reload ns2 10.53.0.2
|
||||||
|
|
||||||
|
echo_i "test $n: views key disallowed - query refused"
|
||||||
|
ret=0
|
||||||
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.normal.example a > dig.out.ns2.$n || ret=1
|
||||||
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
|
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
@@ -500,7 +500,7 @@ status=`expr $status + $ret`
|
||||||
|
n=`expr $n + 1`
|
||||||
|
echo_i "test $n: zone key allowed - query allowed"
|
||||||
|
ret=0
|
||||||
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||||
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||||
|
grep 'status: NOERROR' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
|
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
@@ -510,7 +510,7 @@ status=`expr $status + $ret`
|
||||||
|
n=`expr $n + 1`
|
||||||
|
echo_i "test $n: zone key not allowed - query refused"
|
||||||
|
ret=0
|
||||||
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||||
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:two:1234efgh8765 a.keyallow.example a > dig.out.ns2.$n || ret=1
|
||||||
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
|
grep '^a.keyallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
@@ -520,7 +520,7 @@ status=`expr $status + $ret`
|
||||||
|
n=`expr $n + 1`
|
||||||
|
echo_i "test $n: zone key disallowed - query refused"
|
||||||
|
ret=0
|
||||||
|
-$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
|
||||||
|
+$DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 -y hmac-sha256:one:1234abcd8765 a.keydisallow.example a > dig.out.ns2.$n || ret=1
|
||||||
|
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
|
||||||
|
grep '^a.keydisallow.example' dig.out.ns2.$n > /dev/null && ret=1
|
||||||
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
|
||||||
|
index 1218669..e62715e 100644
|
||||||
|
--- a/bin/tests/system/catz/ns1/named.conf.in
|
||||||
|
+++ b/bin/tests/system/catz/ns1/named.conf.in
|
||||||
|
@@ -61,5 +61,5 @@ zone "catalog4.example" {
|
||||||
|
|
||||||
|
key tsig_key. {
|
||||||
|
secret "LSAnCU+Z";
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
};
|
||||||
|
diff --git a/bin/tests/system/catz/ns2/named.conf.in b/bin/tests/system/catz/ns2/named.conf.in
|
||||||
|
index 30333e6..4005152 100644
|
||||||
|
--- a/bin/tests/system/catz/ns2/named.conf.in
|
||||||
|
+++ b/bin/tests/system/catz/ns2/named.conf.in
|
||||||
|
@@ -70,5 +70,5 @@ zone "catalog4.example" {
|
||||||
|
|
||||||
|
key tsig_key. {
|
||||||
|
secret "LSAnCU+Z";
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
};
|
||||||
|
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
|
||||||
|
index 21be03e..e57c308 100644
|
||||||
|
--- a/bin/tests/system/checkconf/bad-tsig.conf
|
||||||
|
+++ b/bin/tests/system/checkconf/bad-tsig.conf
|
||||||
|
@@ -11,7 +11,7 @@
|
||||||
|
|
||||||
|
/* Bad secret */
|
||||||
|
key "badtsig" {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha256;
|
||||||
|
secret "jEdD+BPKg==";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
|
||||||
|
index e09b9e8..2e824b3 100644
|
||||||
|
--- a/bin/tests/system/checkconf/good.conf
|
||||||
|
+++ b/bin/tests/system/checkconf/good.conf
|
||||||
|
@@ -210,6 +210,6 @@ dyndb "name" "library.so" {
|
||||||
|
system;
|
||||||
|
};
|
||||||
|
key "mykey" {
|
||||||
|
- algorithm "hmac-md5";
|
||||||
|
+ algorithm "hmac-sha256";
|
||||||
|
secret "qwertyuiopasdfgh";
|
||||||
|
};
|
||||||
|
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c
|
||||||
|
index 877504f..577660a 100644
|
||||||
|
--- a/bin/tests/system/feature-test.c
|
||||||
|
+++ b/bin/tests/system/feature-test.c
|
||||||
|
@@ -14,6 +14,7 @@
|
||||||
|
#include <string.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
|
||||||
|
+#include <isc/md.h>
|
||||||
|
#include <isc/net.h>
|
||||||
|
#include <isc/print.h>
|
||||||
|
#include <isc/util.h>
|
||||||
|
@@ -186,6 +187,19 @@ main(int argc, char **argv) {
|
||||||
|
#endif /* ifdef DLZ_FILESYSTEM */
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (strcmp(argv[1], "--md5") == 0) {
|
||||||
|
+ unsigned char digest[ISC_MAX_MD_SIZE];
|
||||||
|
+ const unsigned char test[] = "test";
|
||||||
|
+ unsigned int size = sizeof(digest);
|
||||||
|
+
|
||||||
|
+ if (isc_md(ISC_MD_MD5, test, sizeof(test),
|
||||||
|
+ digest, &size) == ISC_R_SUCCESS) {
|
||||||
|
+ return (0);
|
||||||
|
+ } else {
|
||||||
|
+ return (1);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (strcmp(argv[1], "--with-idn") == 0) {
|
||||||
|
#ifdef HAVE_LIBIDN2
|
||||||
|
return (0);
|
||||||
|
diff --git a/bin/tests/system/notify/ns5/named.conf.in b/bin/tests/system/notify/ns5/named.conf.in
|
||||||
|
index 1ee8df4..2b75d9a 100644
|
||||||
|
--- a/bin/tests/system/notify/ns5/named.conf.in
|
||||||
|
+++ b/bin/tests/system/notify/ns5/named.conf.in
|
||||||
|
@@ -10,17 +10,17 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
key "a" {
|
||||||
|
- algorithm "hmac-md5";
|
||||||
|
+ algorithm "hmac-sha256";
|
||||||
|
secret "aaaaaaaaaaaaaaaaaaaa";
|
||||||
|
};
|
||||||
|
|
||||||
|
key "b" {
|
||||||
|
- algorithm "hmac-md5";
|
||||||
|
+ algorithm "hmac-sha256";
|
||||||
|
secret "bbbbbbbbbbbbbbbbbbbb";
|
||||||
|
};
|
||||||
|
|
||||||
|
key "c" {
|
||||||
|
- algorithm "hmac-md5";
|
||||||
|
+ algorithm "hmac-sha256";
|
||||||
|
secret "cccccccccccccccccccc";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
|
||||||
|
index 3d7e0b7..ec4d9a7 100644
|
||||||
|
--- a/bin/tests/system/notify/tests.sh
|
||||||
|
+++ b/bin/tests/system/notify/tests.sh
|
||||||
|
@@ -212,16 +212,16 @@ ret=0
|
||||||
|
$NSUPDATE << EOF
|
||||||
|
server 10.53.0.5 ${PORT}
|
||||||
|
zone x21
|
||||||
|
-key a aaaaaaaaaaaaaaaaaaaa
|
||||||
|
+key hmac-sha256:a aaaaaaaaaaaaaaaaaaaa
|
||||||
|
update add added.x21 0 in txt "test string"
|
||||||
|
send
|
||||||
|
EOF
|
||||||
|
|
||||||
|
for i in 1 2 3 4 5 6 7 8 9
|
||||||
|
do
|
||||||
|
- $DIG $DIGOPTS added.x21. -y b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
|
||||||
|
+ $DIG $DIGOPTS added.x21. -y hmac-sha256:b:bbbbbbbbbbbbbbbbbbbb @10.53.0.5 \
|
||||||
|
txt > dig.out.b.ns5.test$n || ret=1
|
||||||
|
- $DIG $DIGOPTS added.x21. -y c:cccccccccccccccccccc @10.53.0.5 \
|
||||||
|
+ $DIG $DIGOPTS added.x21. -y hmac-sha256:c:cccccccccccccccccccc @10.53.0.5 \
|
||||||
|
txt > dig.out.c.ns5.test$n || ret=1
|
||||||
|
grep "test string" dig.out.b.ns5.test$n > /dev/null &&
|
||||||
|
grep "test string" dig.out.c.ns5.test$n > /dev/null &&
|
||||||
|
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||||
|
index b51e700..436c97d 100644
|
||||||
|
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||||
|
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||||
|
@@ -37,7 +37,7 @@ controls {
|
||||||
|
};
|
||||||
|
|
||||||
|
key altkey {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha512;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/nsupdate/ns2/named.conf.in b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||||
|
index da6b3b4..c547e47 100644
|
||||||
|
--- a/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||||
|
+++ b/bin/tests/system/nsupdate/ns2/named.conf.in
|
||||||
|
@@ -32,7 +32,7 @@ controls {
|
||||||
|
};
|
||||||
|
|
||||||
|
key altkey {
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
+ algorithm hmac-sha512;
|
||||||
|
secret "1234abcd8765";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
|
||||||
|
index c055da3..4e1242b 100644
|
||||||
|
--- a/bin/tests/system/nsupdate/setup.sh
|
||||||
|
+++ b/bin/tests/system/nsupdate/setup.sh
|
||||||
|
@@ -56,7 +56,11 @@ EOF
|
||||||
|
|
||||||
|
$DDNSCONFGEN -q -z example.nil > ns1/ddns.key
|
||||||
|
|
||||||
|
-$DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
||||||
|
+if $FEATURETEST --md5; then
|
||||||
|
+ $DDNSCONFGEN -q -a hmac-md5 -k md5-key -z keytests.nil > ns1/md5.key
|
||||||
|
+else
|
||||||
|
+ echo -n > ns1/md5.key
|
||||||
|
+fi
|
||||||
|
$DDNSCONFGEN -q -a hmac-sha1 -k sha1-key -z keytests.nil > ns1/sha1.key
|
||||||
|
$DDNSCONFGEN -q -a hmac-sha224 -k sha224-key -z keytests.nil > ns1/sha224.key
|
||||||
|
$DDNSCONFGEN -q -a hmac-sha256 -k sha256-key -z keytests.nil > ns1/sha256.key
|
||||||
|
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||||
|
index b35d797..41c128e 100755
|
||||||
|
--- a/bin/tests/system/nsupdate/tests.sh
|
||||||
|
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||||
|
@@ -797,7 +797,14 @@ fi
|
||||||
|
n=`expr $n + 1`
|
||||||
|
ret=0
|
||||||
|
echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
|
||||||
|
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||||
|
+if $FEATURETEST --md5
|
||||||
|
+then
|
||||||
|
+ ALGS="md5 sha1 sha224 sha256 sha384 sha512"
|
||||||
|
+else
|
||||||
|
+ ALGS="sha1 sha224 sha256 sha384 sha512"
|
||||||
|
+ echo_i "skipping disabled md5 algorithm"
|
||||||
|
+fi
|
||||||
|
+for alg in $ALGS; do
|
||||||
|
$NSUPDATE -k ns1/${alg}.key <<END > /dev/null || ret=1
|
||||||
|
server 10.53.0.1 ${PORT}
|
||||||
|
update add ${alg}.keytests.nil. 600 A 10.10.10.3
|
||||||
|
@@ -805,7 +812,7 @@ send
|
||||||
|
END
|
||||||
|
done
|
||||||
|
sleep 2
|
||||||
|
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||||
|
+for alg in $ALGS; do
|
||||||
|
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.3 > /dev/null 2>&1 || ret=1
|
||||||
|
done
|
||||||
|
if [ $ret -ne 0 ]; then
|
||||||
|
@@ -816,7 +823,7 @@ fi
|
||||||
|
n=`expr $n + 1`
|
||||||
|
ret=0
|
||||||
|
echo_i "check TSIG key algorithms (nsupdate -y) ($n)"
|
||||||
|
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||||
|
+for alg in $ALGS; do
|
||||||
|
secret=$(sed -n 's/.*secret "\(.*\)";.*/\1/p' ns1/${alg}.key)
|
||||||
|
$NSUPDATE -y "hmac-${alg}:${alg}-key:$secret" <<END > /dev/null || ret=1
|
||||||
|
server 10.53.0.1 ${PORT}
|
||||||
|
@@ -825,7 +832,7 @@ send
|
||||||
|
END
|
||||||
|
done
|
||||||
|
sleep 2
|
||||||
|
-for alg in md5 sha1 sha224 sha256 sha384 sha512; do
|
||||||
|
+for alg in $ALGS; do
|
||||||
|
$DIG $DIGOPTS +short @10.53.0.1 ${alg}.keytests.nil | grep 10.10.10.50 > /dev/null 2>&1 || ret=1
|
||||||
|
done
|
||||||
|
if [ $ret -ne 0 ]; then
|
||||||
|
diff --git a/bin/tests/system/rndc/setup.sh b/bin/tests/system/rndc/setup.sh
|
||||||
|
index b59e7a7..04d5f5a 100644
|
||||||
|
--- a/bin/tests/system/rndc/setup.sh
|
||||||
|
+++ b/bin/tests/system/rndc/setup.sh
|
||||||
|
@@ -33,7 +33,7 @@ make_key () {
|
||||||
|
sed 's/allow { 10.53.0.4/allow { any/' >> ns4/named.conf
|
||||||
|
}
|
||||||
|
|
||||||
|
-make_key 1 ${EXTRAPORT1} hmac-md5
|
||||||
|
+$FEATURETEST --md5 && make_key 1 ${EXTRAPORT1} hmac-md5
|
||||||
|
make_key 2 ${EXTRAPORT2} hmac-sha1
|
||||||
|
make_key 3 ${EXTRAPORT3} hmac-sha224
|
||||||
|
make_key 4 ${EXTRAPORT4} hmac-sha256
|
||||||
|
diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh
|
||||||
|
index 9fd84ed..d0b188f 100644
|
||||||
|
--- a/bin/tests/system/rndc/tests.sh
|
||||||
|
+++ b/bin/tests/system/rndc/tests.sh
|
||||||
|
@@ -348,15 +348,20 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
status=`expr $status + $ret`
|
||||||
|
|
||||||
|
n=`expr $n + 1`
|
||||||
|
-echo_i "testing rndc with hmac-md5 ($n)"
|
||||||
|
-ret=0
|
||||||
|
-$RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
||||||
|
-for i in 2 3 4 5 6
|
||||||
|
-do
|
||||||
|
- $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||||
|
-done
|
||||||
|
-if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
-status=`expr $status + $ret`
|
||||||
|
+if $FEATURETEST --md5
|
||||||
|
+then
|
||||||
|
+ echo_i "testing rndc with hmac-md5 ($n)"
|
||||||
|
+ ret=0
|
||||||
|
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key1.conf status > /dev/null 2>&1 || ret=1
|
||||||
|
+ for i in 2 3 4 5 6
|
||||||
|
+ do
|
||||||
|
+ $RNDC -s 10.53.0.4 -p ${EXTRAPORT1} -c ns4/key${i}.conf status > /dev/null 2>&1 && ret=1
|
||||||
|
+ done
|
||||||
|
+ if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||||
|
+ status=`expr $status + $ret`
|
||||||
|
+else
|
||||||
|
+ echo_i "skipping rndc with hmac-md5 ($n)"
|
||||||
|
+fi
|
||||||
|
|
||||||
|
n=`expr $n + 1`
|
||||||
|
echo_i "testing rndc with hmac-sha1 ($n)"
|
||||||
|
diff --git a/bin/tests/system/tsig/ns1/named.conf.in b/bin/tests/system/tsig/ns1/named.conf.in
|
||||||
|
index 3470c4f..cf539cd 100644
|
||||||
|
--- a/bin/tests/system/tsig/ns1/named.conf.in
|
||||||
|
+++ b/bin/tests/system/tsig/ns1/named.conf.in
|
||||||
|
@@ -21,10 +21,7 @@ options {
|
||||||
|
notify no;
|
||||||
|
};
|
||||||
|
|
||||||
|
-key "md5" {
|
||||||
|
- secret "97rnFx24Tfna4mHPfgnerA==";
|
||||||
|
- algorithm hmac-md5;
|
||||||
|
-};
|
||||||
|
+# md5 key appended by setup.sh at the end
|
||||||
|
|
||||||
|
key "sha1" {
|
||||||
|
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||||
|
@@ -51,10 +48,7 @@ key "sha512" {
|
||||||
|
algorithm hmac-sha512;
|
||||||
|
};
|
||||||
|
|
||||||
|
-key "md5-trunc" {
|
||||||
|
- secret "97rnFx24Tfna4mHPfgnerA==";
|
||||||
|
- algorithm hmac-md5-80;
|
||||||
|
-};
|
||||||
|
+# md5-trunc key appended by setup.sh at the end
|
||||||
|
|
||||||
|
key "sha1-trunc" {
|
||||||
|
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
|
||||||
|
diff --git a/bin/tests/system/tsig/ns1/rndc5.conf.in b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..0682194
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/bin/tests/system/tsig/ns1/rndc5.conf.in
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+# Conditionally included when support for MD5 is available
|
||||||
|
+key "md5" {
|
||||||
|
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||||
|
+ algorithm hmac-md5;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+key "md5-trunc" {
|
||||||
|
+ secret "97rnFx24Tfna4mHPfgnerA==";
|
||||||
|
+ algorithm hmac-md5-80;
|
||||||
|
+};
|
||||||
|
diff --git a/bin/tests/system/tsig/setup.sh b/bin/tests/system/tsig/setup.sh
|
||||||
|
index e3b4a45..ae21d04 100644
|
||||||
|
--- a/bin/tests/system/tsig/setup.sh
|
||||||
|
+++ b/bin/tests/system/tsig/setup.sh
|
||||||
|
@@ -15,3 +15,8 @@ SYSTEMTESTTOP=..
|
||||||
|
$SHELL clean.sh
|
||||||
|
|
||||||
|
copy_setports ns1/named.conf.in ns1/named.conf
|
||||||
|
+
|
||||||
|
+if $FEATURETEST --md5
|
||||||
|
+then
|
||||||
|
+ cat ns1/rndc5.conf.in >> ns1/named.conf
|
||||||
|
+fi
|
||||||
|
diff --git a/bin/tests/system/tsig/tests.sh b/bin/tests/system/tsig/tests.sh
|
||||||
|
index 38d842a..668aa6f 100644
|
||||||
|
--- a/bin/tests/system/tsig/tests.sh
|
||||||
|
+++ b/bin/tests/system/tsig/tests.sh
|
||||||
|
@@ -26,20 +26,25 @@ sha512="jI/Pa4qRu96t76Pns5Z/Ndxbn3QCkwcxLOgt9vgvnJw5wqTRvNyk3FtD6yIMd1dWVlqZ+Y4f
|
||||||
|
|
||||||
|
status=0
|
||||||
|
|
||||||
|
-echo_i "fetching using hmac-md5 (old form)"
|
||||||
|
-ret=0
|
||||||
|
-$DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
||||||
|
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
||||||
|
-if [ $ret -eq 1 ] ; then
|
||||||
|
- echo_i "failed"; status=1
|
||||||
|
-fi
|
||||||
|
+if $FEATURETEST --md5
|
||||||
|
+then
|
||||||
|
+ echo_i "fetching using hmac-md5 (old form)"
|
||||||
|
+ ret=0
|
||||||
|
+ $DIG $DIGOPTS example.nil. -y "md5:$md5" @10.53.0.1 soa > dig.out.md5.old || ret=1
|
||||||
|
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.old > /dev/null || ret=1
|
||||||
|
+ if [ $ret -eq 1 ] ; then
|
||||||
|
+ echo_i "failed"; status=1
|
||||||
|
+ fi
|
||||||
|
|
||||||
|
-echo_i "fetching using hmac-md5 (new form)"
|
||||||
|
-ret=0
|
||||||
|
-$DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||||
|
-grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||||
|
-if [ $ret -eq 1 ] ; then
|
||||||
|
- echo_i "failed"; status=1
|
||||||
|
+ echo_i "fetching using hmac-md5 (new form)"
|
||||||
|
+ ret=0
|
||||||
|
+ $DIG $DIGOPTS example.nil. -y "hmac-md5:md5:$md5" @10.53.0.1 soa > dig.out.md5.new || ret=1
|
||||||
|
+ grep -i "md5.*TSIG.*NOERROR" dig.out.md5.new > /dev/null || ret=1
|
||||||
|
+ if [ $ret -eq 1 ] ; then
|
||||||
|
+ echo_i "failed"; status=1
|
||||||
|
+ fi
|
||||||
|
+else
|
||||||
|
+ echo_i "skipping using hmac-md5"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo_i "fetching using hmac-sha1"
|
||||||
|
@@ -87,12 +92,17 @@ fi
|
||||||
|
# Truncated TSIG
|
||||||
|
#
|
||||||
|
#
|
||||||
|
-echo_i "fetching using hmac-md5 (trunc)"
|
||||||
|
-ret=0
|
||||||
|
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
||||||
|
-grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
||||||
|
-if [ $ret -eq 1 ] ; then
|
||||||
|
- echo_i "failed"; status=1
|
||||||
|
+if $FEATURETEST --md5
|
||||||
|
+then
|
||||||
|
+ echo_i "fetching using hmac-md5 (trunc)"
|
||||||
|
+ ret=0
|
||||||
|
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5-trunc:$md5" @10.53.0.1 soa > dig.out.md5.trunc || ret=1
|
||||||
|
+ grep -i "md5-trunc.*TSIG.*NOERROR" dig.out.md5.trunc > /dev/null || ret=1
|
||||||
|
+ if [ $ret -eq 1 ] ; then
|
||||||
|
+ echo_i "failed"; status=1
|
||||||
|
+ fi
|
||||||
|
+else
|
||||||
|
+ echo_i "skipping using hmac-md5 (trunc)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo_i "fetching using hmac-sha1 (trunc)"
|
||||||
|
@@ -141,12 +151,17 @@ fi
|
||||||
|
# Check for bad truncation.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
-echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
||||||
|
-ret=0
|
||||||
|
-$DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
||||||
|
-grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
||||||
|
-if [ $ret -eq 1 ] ; then
|
||||||
|
- echo_i "failed"; status=1
|
||||||
|
+if $FEATURETEST --md5
|
||||||
|
+then
|
||||||
|
+ echo_i "fetching using hmac-md5-80 (BADTRUNC)"
|
||||||
|
+ ret=0
|
||||||
|
+ $DIG $DIGOPTS example.nil. -y "hmac-md5-80:md5:$md5" @10.53.0.1 soa > dig.out.md5-80 || ret=1
|
||||||
|
+ grep -i "md5.*TSIG.*BADTRUNC" dig.out.md5-80 > /dev/null || ret=1
|
||||||
|
+ if [ $ret -eq 1 ] ; then
|
||||||
|
+ echo_i "failed"; status=1
|
||||||
|
+ fi
|
||||||
|
+else
|
||||||
|
+ echo_i "skipping using hmac-md5-80 (BADTRUNC)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo_i "fetching using hmac-sha1-80 (BADTRUNC)"
|
||||||
|
diff --git a/bin/tests/system/upforwd/ns1/named.conf.in b/bin/tests/system/upforwd/ns1/named.conf.in
|
||||||
|
index 3873c7c..b359a5a 100644
|
||||||
|
--- a/bin/tests/system/upforwd/ns1/named.conf.in
|
||||||
|
+++ b/bin/tests/system/upforwd/ns1/named.conf.in
|
||||||
|
@@ -10,7 +10,7 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
key "update.example." {
|
||||||
|
- algorithm "hmac-md5";
|
||||||
|
+ algorithm "hmac-sha256";
|
||||||
|
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
||||||
|
index a50c896..8062d68 100644
|
||||||
|
--- a/bin/tests/system/upforwd/tests.sh
|
||||||
|
+++ b/bin/tests/system/upforwd/tests.sh
|
||||||
|
@@ -79,7 +79,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||||
|
|
||||||
|
echo_i "updating zone (signed) ($n)"
|
||||||
|
ret=0
|
||||||
|
-$NSUPDATE -y update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
||||||
|
+$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
||||||
|
server 10.53.0.3 ${PORT}
|
||||||
|
update add updated.example. 600 A 10.10.10.1
|
||||||
|
update add updated.example. 600 TXT Foo
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
58
bind-9.11-kyua-pkcs11.patch
Normal file
58
bind-9.11-kyua-pkcs11.patch
Normal file
@ -0,0 +1,58 @@
|
|||||||
|
From 1241f2005d08673c28a595c5a6cd61350b95a929 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
|
Date: Tue, 2 Jan 2018 18:13:07 +0100
|
||||||
|
Subject: [PATCH] Fix pkcs11 variants atf tests
|
||||||
|
|
||||||
|
Add dns-pkcs11 tests Makefile to configure
|
||||||
|
|
||||||
|
Add pkcs11 Kyuafile, fix dh_test to pass in pkcs11 mode
|
||||||
|
---
|
||||||
|
configure.ac | 1 +
|
||||||
|
lib/Kyuafile | 2 ++
|
||||||
|
lib/dns-pkcs11/tests/dh_test.c | 3 ++-
|
||||||
|
3 files changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index d80ae31..0fb9328 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -3090,6 +3090,7 @@ AC_CONFIG_FILES([
|
||||||
|
lib/dns-pkcs11/include/Makefile
|
||||||
|
lib/dns-pkcs11/include/dns/Makefile
|
||||||
|
lib/dns-pkcs11/include/dst/Makefile
|
||||||
|
+ lib/dns-pkcs11/tests/Makefile
|
||||||
|
lib/irs/Makefile
|
||||||
|
lib/irs/include/Makefile
|
||||||
|
lib/irs/include/irs/Makefile
|
||||||
|
diff --git a/lib/Kyuafile b/lib/Kyuafile
|
||||||
|
index 39ce986..037e5ef 100644
|
||||||
|
--- a/lib/Kyuafile
|
||||||
|
+++ b/lib/Kyuafile
|
||||||
|
@@ -2,8 +2,10 @@ syntax(2)
|
||||||
|
test_suite('bind9')
|
||||||
|
|
||||||
|
include('dns/Kyuafile')
|
||||||
|
+include('dns-pkcs11/Kyuafile')
|
||||||
|
include('irs/Kyuafile')
|
||||||
|
include('isc/Kyuafile')
|
||||||
|
include('isccc/Kyuafile')
|
||||||
|
include('isccfg/Kyuafile')
|
||||||
|
include('ns/Kyuafile')
|
||||||
|
+include('ns-pkcs11/Kyuafile')
|
||||||
|
diff --git a/lib/dns-pkcs11/tests/dh_test.c b/lib/dns-pkcs11/tests/dh_test.c
|
||||||
|
index 934e8fd..658d1af 100644
|
||||||
|
--- a/lib/dns-pkcs11/tests/dh_test.c
|
||||||
|
+++ b/lib/dns-pkcs11/tests/dh_test.c
|
||||||
|
@@ -87,7 +87,8 @@ dh_computesecret(void **state) {
|
||||||
|
result = dst_key_computesecret(key, key, &buf);
|
||||||
|
assert_int_equal(result, DST_R_NOTPRIVATEKEY);
|
||||||
|
result = key->func->computesecret(key, key, &buf);
|
||||||
|
- assert_int_equal(result, DST_R_COMPUTESECRETFAILURE);
|
||||||
|
+ /* PKCS11 variant gives different result, accept both */
|
||||||
|
+ assert_true(result == DST_R_COMPUTESECRETFAILURE || result == DST_R_INVALIDPRIVATEKEY);
|
||||||
|
|
||||||
|
dst_key_free(&key);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
29
bind-9.11-rh1666814.patch
Normal file
29
bind-9.11-rh1666814.patch
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
From 0f03071080e7fa68433b322359d46abaca2cc5ad Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
|
Date: Wed, 16 Jan 2019 16:27:33 +0100
|
||||||
|
Subject: [PATCH] Fix possible crash when loading corrupted file
|
||||||
|
|
||||||
|
Some values passes internal triggers by coincidence. Fix the check and
|
||||||
|
check also first_node_offset before even passing it further.
|
||||||
|
---
|
||||||
|
lib/dns/rbt.c | 4 +++-
|
||||||
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
|
||||||
|
index 5aee5f6..7f2c2d2 100644
|
||||||
|
--- a/lib/dns/rbt.c
|
||||||
|
+++ b/lib/dns/rbt.c
|
||||||
|
@@ -945,7 +945,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
|
||||||
|
rbt->root = (dns_rbtnode_t *)((char *)base_address + header_offset +
|
||||||
|
header->first_node_offset);
|
||||||
|
|
||||||
|
- if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize) {
|
||||||
|
+ if ((header->nodecount * sizeof(dns_rbtnode_t)) > filesize
|
||||||
|
+ || header->first_node_offset > filesize) {
|
||||||
|
+
|
||||||
|
result = ISC_R_INVALIDFILE;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
65
bind-9.11-tests-variants.patch
Normal file
65
bind-9.11-tests-variants.patch
Normal file
@ -0,0 +1,65 @@
|
|||||||
|
From 607cec78382b016aad0fe041f2e1895b6896c647 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Mensik <pemensik@redhat.com>
|
||||||
|
Date: Fri, 1 Mar 2019 15:48:20 +0100
|
||||||
|
Subject: [PATCH] Make alternative named builds testable in system tests
|
||||||
|
|
||||||
|
Red Hat has alternative variant builds of named, which are not ever
|
||||||
|
tested by system tests. New variables make it relatively easy to test
|
||||||
|
alternative variants.
|
||||||
|
|
||||||
|
For sdb variant use:
|
||||||
|
export NAMED_VARIANT=-sdb DNSSEC_VARIANT=
|
||||||
|
|
||||||
|
For pkcs variant use:
|
||||||
|
export NAMED_VARIANT=-pkcs11 DNSSEC_VARIANT=-pkcs11
|
||||||
|
---
|
||||||
|
bin/tests/system/conf.sh.in | 18 +++++++++---------
|
||||||
|
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
|
||||||
|
index d859909..9152f07 100644
|
||||||
|
--- a/bin/tests/system/conf.sh.in
|
||||||
|
+++ b/bin/tests/system/conf.sh.in
|
||||||
|
@@ -37,17 +37,17 @@ DDNSCONFGEN=$TOP/bin/confgen/ddns-confgen
|
||||||
|
DELV=$TOP/bin/delv/delv
|
||||||
|
DIG=$TOP/bin/dig/dig
|
||||||
|
DNSTAPREAD=$TOP/bin/tools/dnstap-read
|
||||||
|
-DSFROMKEY=$TOP/bin/dnssec/dnssec-dsfromkey
|
||||||
|
-FEATURETEST=$TOP/bin/named/feature-test
|
||||||
|
+DSFROMKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-dsfromkey${DNSSEC_VARIANT}
|
||||||
|
+FEATURETEST=$TOP/bin/named${NAMED_VARIANT}/feature-test${NAMED_VARIANT}
|
||||||
|
FSTRM_CAPTURE=@FSTRM_CAPTURE@
|
||||||
|
HOST=$TOP/bin/dig/host
|
||||||
|
-IMPORTKEY=$TOP/bin/dnssec/dnssec-importkey
|
||||||
|
+IMPORTKEY=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-importkey${DNSSEC_VARIANT}
|
||||||
|
JOURNALPRINT=$TOP/bin/tools/named-journalprint
|
||||||
|
-KEYFRLAB=$TOP/bin/dnssec/dnssec-keyfromlabel
|
||||||
|
-KEYGEN=$TOP/bin/dnssec/dnssec-keygen
|
||||||
|
+KEYFRLAB=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keyfromlabel${DNSSEC_VARIANT}
|
||||||
|
+KEYGEN=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-keygen${DNSSEC_VARIANT}
|
||||||
|
KEYMGR=$TOP/bin/python/dnssec-keymgr
|
||||||
|
MDIG=$TOP/bin/tools/mdig
|
||||||
|
-NAMED=$TOP/bin/named/named
|
||||||
|
+NAMED=$TOP/bin/named${NAMED_VARIANT}/named${NAMED_VARIANT}
|
||||||
|
NSEC3HASH=$TOP/bin/tools/nsec3hash
|
||||||
|
NSLOOKUP=$TOP/bin/dig/nslookup
|
||||||
|
NSUPDATE=$TOP/bin/nsupdate/nsupdate
|
||||||
|
@@ -56,12 +56,12 @@ PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p ${HSMPIN:-1234} -w 0"
|
||||||
|
PK11GEN="$TOP/bin/pkcs11/pkcs11-keygen -q -s ${SLOT:-0} -p ${HSMPIN:-1234}"
|
||||||
|
PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p ${HSMPIN:-1234}"
|
||||||
|
RESOLVE=$TOP/bin/tests/system/resolve
|
||||||
|
-REVOKE=$TOP/bin/dnssec/dnssec-revoke
|
||||||
|
+REVOKE=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-revoke${DNSSEC_VARIANT}
|
||||||
|
RNDC=$TOP/bin/rndc/rndc
|
||||||
|
RNDCCONFGEN=$TOP/bin/confgen/rndc-confgen
|
||||||
|
RRCHECKER=$TOP/bin/tools/named-rrchecker
|
||||||
|
-SETTIME=$TOP/bin/dnssec/dnssec-settime
|
||||||
|
-SIGNER=$TOP/bin/dnssec/dnssec-signzone
|
||||||
|
+SETTIME=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-settime${DNSSEC_VARIANT}
|
||||||
|
+SIGNER=$TOP/bin/dnssec${DNSSEC_VARIANT}/dnssec-signzone${DNSSEC_VARIANT}
|
||||||
|
TSIGKEYGEN=$TOP/bin/confgen/tsig-keygen
|
||||||
|
VERIFY=$TOP/bin/dnssec/dnssec-verify
|
||||||
|
WIRETEST=$TOP/bin/tests/wire_test
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
83
bind-9.14-config-pkcs11.patch
Normal file
83
bind-9.14-config-pkcs11.patch
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
From e6ab9c67f0a14adc23c1067e03a106da1b1651b7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Mensik <pemensik@redhat.com>
|
||||||
|
Date: Fri, 18 Oct 2019 21:30:52 +0200
|
||||||
|
Subject: [PATCH] Move USE_PKCS11 and USE_OPENSSL out of config.h
|
||||||
|
|
||||||
|
Building two variants with the same common code requires to unset
|
||||||
|
USE_PKCS11 on part of build. That is not possible with config.h value.
|
||||||
|
Move it as normal define to CDEFINES.
|
||||||
|
---
|
||||||
|
bin/confgen/Makefile.in | 2 +-
|
||||||
|
configure.ac | 8 ++++++--
|
||||||
|
lib/dns/dst_internal.h | 12 +++++++++---
|
||||||
|
3 files changed, 16 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
|
||||||
|
index 1b7512d..c126bf3 100644
|
||||||
|
--- a/bin/confgen/Makefile.in
|
||||||
|
+++ b/bin/confgen/Makefile.in
|
||||||
|
@@ -22,7 +22,7 @@ VERSION=@BIND9_VERSION@
|
||||||
|
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
|
||||||
|
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
|
||||||
|
|
||||||
|
-CDEFINES =
|
||||||
|
+CDEFINES = @USE_PKCS11@
|
||||||
|
CWARNINGS =
|
||||||
|
|
||||||
|
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index f5483fe..08a7d8a 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -935,10 +935,14 @@ AC_SUBST([PKCS11_TEST])
|
||||||
|
AC_SUBST([PKCS11_TOOLS])
|
||||||
|
AC_SUBST([PKCS11_MANS])
|
||||||
|
|
||||||
|
+USE_PKCS11='-DUSE_PKCS11=0'
|
||||||
|
+USE_OPENSSL='-DUSE_OPENSSL=0'
|
||||||
|
AC_SUBST([CRYPTO])
|
||||||
|
AS_CASE([$CRYPTO],
|
||||||
|
- [pkcs11],[AC_DEFINE([USE_PKCS11], [1], [define if PKCS11 is used for Public-Key Cryptography])],
|
||||||
|
- [AC_DEFINE([USE_OPENSSL], [1], [define if OpenSSL is used for Public-Key Cryptography])])
|
||||||
|
+ [pkcs11],[USE_PKCS11='-DUSE_PKCS11=1'],
|
||||||
|
+ [USE_OPENSSL='-DUSE_OPENSSL=1'])
|
||||||
|
+AC_SUBST(USE_PKCS11)
|
||||||
|
+AC_SUBST(USE_OPENSSL)
|
||||||
|
|
||||||
|
# preparation for automake
|
||||||
|
# AM_CONDITIONAL([PKCS11_TOOLS], [test "$with_native_pkcs11" = "yes"])
|
||||||
|
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
|
||||||
|
index 2c3b4a3..55e9dc4 100644
|
||||||
|
--- a/lib/dns/dst_internal.h
|
||||||
|
+++ b/lib/dns/dst_internal.h
|
||||||
|
@@ -38,6 +38,13 @@
|
||||||
|
#include <isc/stdtime.h>
|
||||||
|
#include <isc/types.h>
|
||||||
|
|
||||||
|
+#ifndef USE_PKCS11
|
||||||
|
+#define USE_PKCS11 0
|
||||||
|
+#endif
|
||||||
|
+#ifndef USE_OPENSSL
|
||||||
|
+#define USE_OPENSSL (! USE_PKCS11)
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
#if USE_PKCS11
|
||||||
|
#include <pk11/pk11.h>
|
||||||
|
#include <pk11/site.h>
|
||||||
|
@@ -116,11 +123,10 @@ struct dst_key {
|
||||||
|
void *generic;
|
||||||
|
dns_gss_ctx_id_t gssctx;
|
||||||
|
DH *dh;
|
||||||
|
-#if USE_OPENSSL
|
||||||
|
- EVP_PKEY *pkey;
|
||||||
|
-#endif /* if USE_OPENSSL */
|
||||||
|
#if USE_PKCS11
|
||||||
|
pk11_object_t *pkey;
|
||||||
|
+#else
|
||||||
|
+ EVP_PKEY *pkey;
|
||||||
|
#endif /* if USE_PKCS11 */
|
||||||
|
dst_hmac_key_t *hmac_key;
|
||||||
|
} keydata; /*%< pointer to key in crypto pkg fmt */
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
1144
bind-9.16-CVE-2021-25220-test.patch
Normal file
1144
bind-9.16-CVE-2021-25220-test.patch
Normal file
File diff suppressed because it is too large
Load Diff
251
bind-9.16-CVE-2021-25220.patch
Normal file
251
bind-9.16-CVE-2021-25220.patch
Normal file
@ -0,0 +1,251 @@
|
|||||||
|
From 5b2798e01346cd77741873091babf6c4a3128449 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mark Andrews <marka@isc.org>
|
||||||
|
Date: Wed, 19 Jan 2022 17:38:18 +1100
|
||||||
|
Subject: [PATCH] Add additional name checks when using a forwarder
|
||||||
|
|
||||||
|
When using a forwarder, check that the owner name of response
|
||||||
|
records are within the bailiwick of the forwarded name space.
|
||||||
|
|
||||||
|
(cherry picked from commit 24155213be59faad17f0215ecf73ea49ab781e5b)
|
||||||
|
|
||||||
|
Check that the forward declaration is unchanged and not overridden
|
||||||
|
|
||||||
|
If we are using a fowarder, in addition to checking that names to
|
||||||
|
be cached are subdomains of the forwarded namespace, we must also
|
||||||
|
check that there are no subsidiary forwarded namespaces which would
|
||||||
|
take precedence. To be safe, we don't cache any responses if the
|
||||||
|
forwarding configuration has changed since the query was sent.
|
||||||
|
|
||||||
|
(cherry picked from commit 3fc7accd88cd0890f8f57bb13765876774298ba3)
|
||||||
|
|
||||||
|
Check cached names for possible "forward only" clause
|
||||||
|
|
||||||
|
When caching additional and glue data *not* from a forwarder, we must
|
||||||
|
check that there is no "forward only" clause covering the owner name
|
||||||
|
that would take precedence. Such names would normally be allowed by
|
||||||
|
baliwick rules, but a "forward only" zone introduces a new baliwick
|
||||||
|
scope.
|
||||||
|
|
||||||
|
(cherry picked from commit ea06552a3d1fed56f7d3a13710e084ec79797b78)
|
||||||
|
|
||||||
|
Look for zones deeper than the current domain or forward name
|
||||||
|
|
||||||
|
When caching glue, we need to ensure that there is no closer
|
||||||
|
source of truth for the name. If the owner name for the glue
|
||||||
|
record would be answered by a locally configured zone, do not
|
||||||
|
cache.
|
||||||
|
|
||||||
|
(cherry picked from commit 71b24210542730355149130770deea3e58d8527a)
|
||||||
|
---
|
||||||
|
lib/dns/resolver.c | 128 +++++++++++++++++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 123 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||||
|
index a7bc661bb7..7603a07b7b 100644
|
||||||
|
--- a/lib/dns/resolver.c
|
||||||
|
+++ b/lib/dns/resolver.c
|
||||||
|
@@ -63,6 +63,8 @@
|
||||||
|
#include <dns/stats.h>
|
||||||
|
#include <dns/tsig.h>
|
||||||
|
#include <dns/validator.h>
|
||||||
|
+#include <dns/zone.h>
|
||||||
|
+
|
||||||
|
#ifdef WANT_QUERYTRACE
|
||||||
|
#define RTRACE(m) \
|
||||||
|
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, \
|
||||||
|
@@ -337,6 +339,8 @@ struct fetchctx {
|
||||||
|
dns_fetch_t *qminfetch;
|
||||||
|
dns_rdataset_t qminrrset;
|
||||||
|
dns_name_t qmindcname;
|
||||||
|
+ dns_fixedname_t fwdfname;
|
||||||
|
+ dns_name_t *fwdname;
|
||||||
|
|
||||||
|
/*%
|
||||||
|
* The number of events we're waiting for.
|
||||||
|
@@ -3764,6 +3768,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||||
|
if (result == ISC_R_SUCCESS) {
|
||||||
|
fwd = ISC_LIST_HEAD(forwarders->fwdrs);
|
||||||
|
fctx->fwdpolicy = forwarders->fwdpolicy;
|
||||||
|
+ dns_name_copynf(domain, fctx->fwdname);
|
||||||
|
if (fctx->fwdpolicy == dns_fwdpolicy_only &&
|
||||||
|
isstrictsubdomain(domain, &fctx->domain))
|
||||||
|
{
|
||||||
|
@@ -5153,6 +5158,9 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
|
||||||
|
fctx->restarts = 0;
|
||||||
|
fctx->querysent = 0;
|
||||||
|
fctx->referrals = 0;
|
||||||
|
+
|
||||||
|
+ fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname);
|
||||||
|
+
|
||||||
|
TIME_NOW(&fctx->start);
|
||||||
|
fctx->timeouts = 0;
|
||||||
|
fctx->lamecount = 0;
|
||||||
|
@@ -5215,6 +5223,7 @@ fctx_create(dns_resolver_t *res, const dns_name_t *name, dns_rdatatype_t type,
|
||||||
|
fname, &forwarders);
|
||||||
|
if (result == ISC_R_SUCCESS) {
|
||||||
|
fctx->fwdpolicy = forwarders->fwdpolicy;
|
||||||
|
+ dns_name_copynf(fname, fctx->fwdname);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (fctx->fwdpolicy != dns_fwdpolicy_only) {
|
||||||
|
@@ -7118,6 +7127,107 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Returns true if 'name' is external to the namespace for which
|
||||||
|
+ * the server being queried can answer, either because it's not a
|
||||||
|
+ * subdomain or because it's below a forward declaration or a
|
||||||
|
+ * locally served zone.
|
||||||
|
+ */
|
||||||
|
+static inline bool
|
||||||
|
+name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
|
||||||
|
+ isc_result_t result;
|
||||||
|
+ dns_forwarders_t *forwarders = NULL;
|
||||||
|
+ dns_fixedname_t fixed, zfixed;
|
||||||
|
+ dns_name_t *fname = dns_fixedname_initname(&fixed);
|
||||||
|
+ dns_name_t *zfname = dns_fixedname_initname(&zfixed);
|
||||||
|
+ dns_name_t *apex = NULL;
|
||||||
|
+ dns_name_t suffix;
|
||||||
|
+ dns_zone_t *zone = NULL;
|
||||||
|
+ unsigned int labels;
|
||||||
|
+ dns_namereln_t rel;
|
||||||
|
+
|
||||||
|
+ apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * The name is outside the queried namespace.
|
||||||
|
+ */
|
||||||
|
+ rel = dns_name_fullcompare(name, apex, &(int){ 0 },
|
||||||
|
+ &(unsigned int){ 0U });
|
||||||
|
+ if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) {
|
||||||
|
+ return (true);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * If the record lives in the parent zone, adjust the name so we
|
||||||
|
+ * look for the correct zone or forward clause.
|
||||||
|
+ */
|
||||||
|
+ labels = dns_name_countlabels(name);
|
||||||
|
+ if (dns_rdatatype_atparent(type) && labels > 1U) {
|
||||||
|
+ dns_name_init(&suffix, NULL);
|
||||||
|
+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
|
||||||
|
+ name = &suffix;
|
||||||
|
+ } else if (rel == dns_namereln_equal) {
|
||||||
|
+ /* If 'name' is 'apex', no further checking is needed. */
|
||||||
|
+ return (false);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * If there is a locally served zone between 'apex' and 'name'
|
||||||
|
+ * then don't cache.
|
||||||
|
+ */
|
||||||
|
+ LOCK(&fctx->res->view->lock);
|
||||||
|
+ if (fctx->res->view->zonetable != NULL) {
|
||||||
|
+ unsigned int options = DNS_ZTFIND_NOEXACT | DNS_ZTFIND_MIRROR;
|
||||||
|
+ result = dns_zt_find(fctx->res->view->zonetable, name, options,
|
||||||
|
+ zfname, &zone);
|
||||||
|
+ if (zone != NULL) {
|
||||||
|
+ dns_zone_detach(&zone);
|
||||||
|
+ }
|
||||||
|
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
|
||||||
|
+ if (dns_name_fullcompare(zfname, apex, &(int){ 0 },
|
||||||
|
+ &(unsigned int){ 0U }) ==
|
||||||
|
+ dns_namereln_subdomain)
|
||||||
|
+ {
|
||||||
|
+ UNLOCK(&fctx->res->view->lock);
|
||||||
|
+ return (true);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ UNLOCK(&fctx->res->view->lock);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Look for a forward declaration below 'name'.
|
||||||
|
+ */
|
||||||
|
+ result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
|
||||||
|
+ &forwarders);
|
||||||
|
+
|
||||||
|
+ if (ISFORWARDER(fctx->addrinfo)) {
|
||||||
|
+ /*
|
||||||
|
+ * See if the forwarder declaration is better.
|
||||||
|
+ */
|
||||||
|
+ if (result == ISC_R_SUCCESS) {
|
||||||
|
+ return (!dns_name_equal(fname, fctx->fwdname));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * If the lookup failed, the configuration must have
|
||||||
|
+ * changed: play it safe and don't cache.
|
||||||
|
+ */
|
||||||
|
+ return (true);
|
||||||
|
+ } else if (result == ISC_R_SUCCESS &&
|
||||||
|
+ forwarders->fwdpolicy == dns_fwdpolicy_only &&
|
||||||
|
+ !ISC_LIST_EMPTY(forwarders->fwdrs))
|
||||||
|
+ {
|
||||||
|
+ /*
|
||||||
|
+ * If 'name' is covered by a 'forward only' clause then we
|
||||||
|
+ * can't cache this repsonse.
|
||||||
|
+ */
|
||||||
|
+ return (true);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return (false);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static isc_result_t
|
||||||
|
check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
|
||||||
|
dns_section_t section) {
|
||||||
|
@@ -7144,7 +7254,7 @@ check_section(void *arg, const dns_name_t *addname, dns_rdatatype_t type,
|
||||||
|
result = dns_message_findname(rctx->query->rmessage, section, addname,
|
||||||
|
dns_rdatatype_any, 0, &name, NULL);
|
||||||
|
if (result == ISC_R_SUCCESS) {
|
||||||
|
- external = !dns_name_issubdomain(name, &fctx->domain);
|
||||||
|
+ external = name_external(name, type, fctx);
|
||||||
|
if (type == dns_rdatatype_a) {
|
||||||
|
for (rdataset = ISC_LIST_HEAD(name->list);
|
||||||
|
rdataset != NULL;
|
||||||
|
@@ -8768,6 +8878,13 @@ rctx_answer_scan(respctx_t *rctx) {
|
||||||
|
break;
|
||||||
|
|
||||||
|
case dns_namereln_subdomain:
|
||||||
|
+ /*
|
||||||
|
+ * Don't accept DNAME from parent namespace.
|
||||||
|
+ */
|
||||||
|
+ if (name_external(name, dns_rdatatype_dname, fctx)) {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* In-scope DNAME records must have at least
|
||||||
|
* as many labels as the domain being queried.
|
||||||
|
@@ -9081,13 +9198,11 @@ rctx_authority_positive(respctx_t *rctx) {
|
||||||
|
DNS_SECTION_AUTHORITY);
|
||||||
|
while (!done && result == ISC_R_SUCCESS) {
|
||||||
|
dns_name_t *name = NULL;
|
||||||
|
- bool external;
|
||||||
|
|
||||||
|
dns_message_currentname(rctx->query->rmessage,
|
||||||
|
DNS_SECTION_AUTHORITY, &name);
|
||||||
|
- external = !dns_name_issubdomain(name, &fctx->domain);
|
||||||
|
|
||||||
|
- if (!external) {
|
||||||
|
+ if (!name_external(name, dns_rdatatype_ns, fctx)) {
|
||||||
|
dns_rdataset_t *rdataset = NULL;
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -9474,7 +9589,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!dns_name_issubdomain(name, &fctx->domain)) {
|
||||||
|
- /* Invalid name found; preserve it for logging later */
|
||||||
|
+ /*
|
||||||
|
+ * Invalid name found; preserve it for logging
|
||||||
|
+ * later.
|
||||||
|
+ */
|
||||||
|
rctx->found_name = name;
|
||||||
|
rctx->found_type = ISC_LIST_HEAD(name->list)->type;
|
||||||
|
continue;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
81
bind-9.16-CVE-2022-0396.patch
Normal file
81
bind-9.16-CVE-2022-0396.patch
Normal file
@ -0,0 +1,81 @@
|
|||||||
|
From 33064cd077cf6fa386f0a5a840c2161868da7b3a Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
||||||
|
Date: Tue, 8 Feb 2022 12:42:34 +0100
|
||||||
|
Subject: [PATCH] Run .closehandle_cb asynchrounosly in nmhandle_detach_cb()
|
||||||
|
|
||||||
|
When sock->closehandle_cb is set, we need to run nmhandle_detach_cb()
|
||||||
|
asynchronously to ensure correct order of multiple packets processing in
|
||||||
|
the isc__nm_process_sock_buffer(). When not run asynchronously, it
|
||||||
|
would cause:
|
||||||
|
|
||||||
|
a) out-of-order processing of the return codes from processbuffer();
|
||||||
|
|
||||||
|
b) stack growth because the next TCP DNS message read callback will
|
||||||
|
be called from within the current TCP DNS message read callback.
|
||||||
|
|
||||||
|
The sock->closehandle_cb is set to isc__nm_resume_processing() for TCP
|
||||||
|
sockets which calls isc__nm_process_sock_buffer(). If the read callback
|
||||||
|
(called from isc__nm_process_sock_buffer()->processbuffer()) doesn't
|
||||||
|
attach to the nmhandle (f.e. because it wants to drop the processing or
|
||||||
|
we send the response directly via uv_try_write()), the
|
||||||
|
isc__nm_resume_processing() (via .closehandle_cb) would call
|
||||||
|
isc__nm_process_sock_buffer() recursively.
|
||||||
|
|
||||||
|
The below shortened code path shows how the stack can grow:
|
||||||
|
|
||||||
|
1: ns__client_request(handle, ...);
|
||||||
|
2: isc_nm_tcpdns_sequential(handle);
|
||||||
|
3: ns_query_start(client, handle);
|
||||||
|
4: query_lookup(qctx);
|
||||||
|
5: query_send(qctcx->client);
|
||||||
|
6: isc__nmhandle_detach(&client->reqhandle);
|
||||||
|
7: nmhandle_detach_cb(&handle);
|
||||||
|
8: sock->closehandle_cb(sock); // isc__nm_resume_processing
|
||||||
|
9: isc__nm_process_sock_buffer(sock);
|
||||||
|
10: processbuffer(sock); // isc__nm_tcpdns_processbuffer
|
||||||
|
11: isc_nmhandle_attach(req->handle, &handle);
|
||||||
|
12: isc__nm_readcb(sock, req, ISC_R_SUCCESS);
|
||||||
|
13: isc__nm_async_readcb(NULL, ...);
|
||||||
|
14: uvreq->cb.recv(...); // ns__client_request
|
||||||
|
|
||||||
|
Instead, if 'sock->closehandle_cb' is set, we need to run detach the
|
||||||
|
handle asynchroniously in 'isc__nmhandle_detach', so that on line 8 in
|
||||||
|
the code flow above does not start this recursion. This ensures the
|
||||||
|
correct order when processing multiple packets in the function
|
||||||
|
'isc__nm_process_sock_buffer()' and prevents the stack growth.
|
||||||
|
|
||||||
|
When not run asynchronously, the out-of-order processing leaves the
|
||||||
|
first TCP socket open until all requests on the stream have been
|
||||||
|
processed.
|
||||||
|
|
||||||
|
If the pipelining is disabled on the TCP via `keep-response-order`
|
||||||
|
configuration option, named would keep the first socket in lingering
|
||||||
|
CLOSE_WAIT state when the client sends an incomplete packet and then
|
||||||
|
closes the connection from the client side.
|
||||||
|
|
||||||
|
(cherry picked from commit afee2b5a7bc933a2d987907fc327a9f118fdbd17)
|
||||||
|
---
|
||||||
|
lib/isc/netmgr/netmgr.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
|
||||||
|
index 3283eb6e4f..0ed3182fb6 100644
|
||||||
|
--- a/lib/isc/netmgr/netmgr.c
|
||||||
|
+++ b/lib/isc/netmgr/netmgr.c
|
||||||
|
@@ -1746,8 +1746,12 @@ isc__nmhandle_detach(isc_nmhandle_t **handlep FLARG) {
|
||||||
|
handle = *handlep;
|
||||||
|
*handlep = NULL;
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * If the closehandle_cb is set, it needs to run asynchronously to
|
||||||
|
+ * ensure correct ordering of the isc__nm_process_sock_buffer().
|
||||||
|
+ */
|
||||||
|
sock = handle->sock;
|
||||||
|
- if (sock->tid == isc_nm_tid()) {
|
||||||
|
+ if (sock->tid == isc_nm_tid() && sock->closehandle_cb == NULL) {
|
||||||
|
nmhandle_detach_cb(&handle FLARG_PASS);
|
||||||
|
} else {
|
||||||
|
isc__netievent_detach_t *event =
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
60
bind-9.16-CVE-2022-2795.patch
Normal file
60
bind-9.16-CVE-2022-2795.patch
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
|
||||||
|
Date: Thu, 8 Sep 2022 11:11:30 +0200
|
||||||
|
Subject: [PATCH] Bound the amount of work performed for delegations
|
||||||
|
|
||||||
|
Limit the amount of database lookups that can be triggered in
|
||||||
|
fctx_getaddresses() (i.e. when determining the name server addresses to
|
||||||
|
query next) by setting a hard limit on the number of NS RRs processed
|
||||||
|
for any delegation encountered. Without any limit in place, named can
|
||||||
|
be forced to perform large amounts of database lookups per each query
|
||||||
|
received, which severely impacts resolver performance.
|
||||||
|
|
||||||
|
The limit used (20) is an arbitrary value that is considered to be big
|
||||||
|
enough for any sane DNS delegation.
|
||||||
|
|
||||||
|
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
|
||||||
|
---
|
||||||
|
lib/dns/resolver.c | 12 ++++++++++++
|
||||||
|
1 file changed, 12 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||||
|
index d2cf14bbc8..73a0ee9f77 100644
|
||||||
|
--- a/lib/dns/resolver.c
|
||||||
|
+++ b/lib/dns/resolver.c
|
||||||
|
@@ -195,6 +195,12 @@
|
||||||
|
*/
|
||||||
|
#define NS_FAIL_LIMIT 4
|
||||||
|
#define NS_RR_LIMIT 5
|
||||||
|
+/*
|
||||||
|
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
|
||||||
|
+ * any NS RRset encountered, to avoid excessive resource use while processing
|
||||||
|
+ * large delegations.
|
||||||
|
+ */
|
||||||
|
+#define NS_PROCESSING_LIMIT 20
|
||||||
|
|
||||||
|
/* Number of hash buckets for zone counters */
|
||||||
|
#ifndef RES_DOMAIN_BUCKETS
|
||||||
|
@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||||
|
bool need_alternate = false;
|
||||||
|
bool all_spilled = true;
|
||||||
|
unsigned int no_addresses = 0;
|
||||||
|
+ unsigned int ns_processed = 0;
|
||||||
|
|
||||||
|
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
|
||||||
|
|
||||||
|
@@ -3902,6 +3909,11 @@ normal_nses:
|
||||||
|
|
||||||
|
dns_rdata_reset(&rdata);
|
||||||
|
dns_rdata_freestruct(&ns);
|
||||||
|
+
|
||||||
|
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
|
||||||
|
+ result = ISC_R_NOMORE;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
if (result != ISC_R_NOMORE) {
|
||||||
|
return (result);
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
116
bind-9.16-CVE-2022-3080.patch
Normal file
116
bind-9.16-CVE-2022-3080.patch
Normal file
@ -0,0 +1,116 @@
|
|||||||
|
From 3bcd32572504ac9b92e3c6ec1e2cee3df3b68309 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Mensik <pemensik@redhat.com>
|
||||||
|
Date: Tue, 20 Sep 2022 11:34:42 +0200
|
||||||
|
Subject: [PATCH 2/4] Fix CVE-2022-3080
|
||||||
|
|
||||||
|
5960. [security] Fix serve-stale crash that could happen when
|
||||||
|
stale-answer-client-timeout was set to 0 and there was
|
||||||
|
a stale CNAME in the cache for an incoming query.
|
||||||
|
(CVE-2022-3080) [GL #3517]
|
||||||
|
---
|
||||||
|
lib/ns/include/ns/query.h | 1 +
|
||||||
|
lib/ns/query.c | 42 ++++++++++++++++++++++++---------------
|
||||||
|
2 files changed, 27 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h
|
||||||
|
index 4d48cf6..34b3070 100644
|
||||||
|
--- a/lib/ns/include/ns/query.h
|
||||||
|
+++ b/lib/ns/include/ns/query.h
|
||||||
|
@@ -145,6 +145,7 @@ struct query_ctx {
|
||||||
|
bool authoritative; /* authoritative query? */
|
||||||
|
bool want_restart; /* CNAME chain or other
|
||||||
|
* restart needed */
|
||||||
|
+ bool refresh_rrset; /* stale RRset refresh needed */
|
||||||
|
bool need_wildcardproof; /* wildcard proof needed */
|
||||||
|
bool nxrewrite; /* negative answer from RPZ */
|
||||||
|
bool findcoveringnsec; /* lookup covering NSEC */
|
||||||
|
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||||||
|
index 249321c..a450cb7 100644
|
||||||
|
--- a/lib/ns/query.c
|
||||||
|
+++ b/lib/ns/query.c
|
||||||
|
@@ -5686,7 +5686,6 @@ query_lookup(query_ctx_t *qctx) {
|
||||||
|
bool dbfind_stale = false;
|
||||||
|
bool stale_timeout = false;
|
||||||
|
bool stale_found = false;
|
||||||
|
- bool refresh_rrset = false;
|
||||||
|
bool stale_refresh_window = false;
|
||||||
|
|
||||||
|
CCTRACE(ISC_LOG_DEBUG(3), "query_lookup");
|
||||||
|
@@ -5868,8 +5867,7 @@ query_lookup(query_ctx_t *qctx) {
|
||||||
|
"%s stale answer used, an attempt to "
|
||||||
|
"refresh the RRset will still be made",
|
||||||
|
namebuf);
|
||||||
|
- refresh_rrset = STALE(qctx->rdataset);
|
||||||
|
- qctx->client->nodetach = refresh_rrset;
|
||||||
|
+ qctx->refresh_rrset = STALE(qctx->rdataset);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
/*
|
||||||
|
@@ -5907,17 +5905,6 @@ query_lookup(query_ctx_t *qctx) {
|
||||||
|
|
||||||
|
result = query_gotanswer(qctx, result);
|
||||||
|
|
||||||
|
- if (refresh_rrset) {
|
||||||
|
- /*
|
||||||
|
- * If we reached this point then it means that we have found a
|
||||||
|
- * stale RRset entry in cache and BIND is configured to allow
|
||||||
|
- * queries to be answered with stale data if no active RRset
|
||||||
|
- * is available, i.e. "stale-anwer-client-timeout 0". But, we
|
||||||
|
- * still need to refresh the RRset.
|
||||||
|
- */
|
||||||
|
- query_refresh_rrset(qctx);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
cleanup:
|
||||||
|
return (result);
|
||||||
|
}
|
||||||
|
@@ -7737,11 +7724,14 @@ query_addanswer(query_ctx_t *qctx) {
|
||||||
|
|
||||||
|
/*
|
||||||
|
* On normal lookups, clear any rdatasets that were added on a
|
||||||
|
- * lookup due to stale-answer-client-timeout.
|
||||||
|
+ * lookup due to stale-answer-client-timeout. Do not clear if we
|
||||||
|
+ * are going to refresh the RRset, because the stale contents are
|
||||||
|
+ * prioritized.
|
||||||
|
*/
|
||||||
|
if (QUERY_STALEOK(&qctx->client->query) &&
|
||||||
|
- !QUERY_STALETIMEOUT(&qctx->client->query))
|
||||||
|
+ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset)
|
||||||
|
{
|
||||||
|
+ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale");
|
||||||
|
query_clear_stale(qctx->client);
|
||||||
|
/*
|
||||||
|
* We can clear the attribute to prevent redundant clearing
|
||||||
|
@@ -11457,9 +11447,29 @@ ns_query_done(query_ctx_t *qctx) {
|
||||||
|
/*
|
||||||
|
* Client may have been detached after query_send(), so
|
||||||
|
* we test and store the flag state here, for safety.
|
||||||
|
+ * If we are refreshing the RRSet, we must not detach from the client
|
||||||
|
+ * in the query_send(), so we need to override the flag.
|
||||||
|
*/
|
||||||
|
+ if (qctx->refresh_rrset) {
|
||||||
|
+ qctx->client->nodetach = true;
|
||||||
|
+ }
|
||||||
|
nodetach = qctx->client->nodetach;
|
||||||
|
query_send(qctx->client);
|
||||||
|
+
|
||||||
|
+ if (qctx->refresh_rrset) {
|
||||||
|
+ /*
|
||||||
|
+ * If we reached this point then it means that we have found a
|
||||||
|
+ * stale RRset entry in cache and BIND is configured to allow
|
||||||
|
+ * queries to be answered with stale data if no active RRset
|
||||||
|
+ * is available, i.e. "stale-anwer-client-timeout 0". But, we
|
||||||
|
+ * still need to refresh the RRset. To prevent adding duplicate
|
||||||
|
+ * RRsets, clear the RRsets from the message before doing the
|
||||||
|
+ * refresh.
|
||||||
|
+ */
|
||||||
|
+ message_clearrdataset(qctx->client->message, 0);
|
||||||
|
+ query_refresh_rrset(qctx);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (!nodetach) {
|
||||||
|
qctx->detach_client = true;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
241
bind-9.16-CVE-2022-3094-1.patch
Normal file
241
bind-9.16-CVE-2022-3094-1.patch
Normal file
@ -0,0 +1,241 @@
|
|||||||
|
From 0c0dc08d3ef26b7411cfe089e8144454831e8af5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Evan Hunt <each@isc.org>
|
||||||
|
Date: Thu, 1 Sep 2022 16:05:04 -0700
|
||||||
|
Subject: [PATCH] add an update quota
|
||||||
|
|
||||||
|
limit the number of simultaneous DNS UPDATE events that can be
|
||||||
|
processed by adding a quota for update and update forwarding.
|
||||||
|
this quota currently, arbitrarily, defaults to 100.
|
||||||
|
|
||||||
|
also add a statistics counter to record when the update quota
|
||||||
|
has been exceeded.
|
||||||
|
|
||||||
|
(cherry picked from commit 7c47254a140c3e9cf383cda73c7b6a55c4782826)
|
||||||
|
---
|
||||||
|
bin/named/bind9.xsl | 4 +++-
|
||||||
|
bin/named/bind9.xsl.h | 6 +++++-
|
||||||
|
bin/named/statschannel.c | 5 +++--
|
||||||
|
doc/arm/reference.rst | 5 +++++
|
||||||
|
lib/ns/include/ns/server.h | 1 +
|
||||||
|
lib/ns/include/ns/stats.h | 4 +++-
|
||||||
|
lib/ns/server.c | 2 ++
|
||||||
|
lib/ns/update.c | 38 +++++++++++++++++++++++++++++++++++++-
|
||||||
|
8 files changed, 59 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
|
||||||
|
index 5078115..194625b 100644
|
||||||
|
--- a/bin/named/bind9.xsl
|
||||||
|
+++ b/bin/named/bind9.xsl
|
||||||
|
@@ -12,7 +12,9 @@
|
||||||
|
|
||||||
|
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
|
||||||
|
<xsl:output method="html" indent="yes" version="4.0"/>
|
||||||
|
- <xsl:template match="statistics[@version="3.11"]">
|
||||||
|
+ <!-- the version number **below** must match version in bin/named/statschannel.c -->
|
||||||
|
+ <!-- don't forget to update "/xml/v<STATS_XML_VERSION_MAJOR>" in the HTTP endpoints listed below -->
|
||||||
|
+ <xsl:template match="statistics[@version="3.11.1"]">
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
|
||||||
|
diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
|
||||||
|
index e30f7f5..b182742 100644
|
||||||
|
--- a/bin/named/bind9.xsl.h
|
||||||
|
+++ b/bin/named/bind9.xsl.h
|
||||||
|
@@ -20,7 +20,11 @@ static char xslmsg[] =
|
||||||
|
"<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" "
|
||||||
|
"xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
|
||||||
|
" <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
|
||||||
|
- " <xsl:template match=\"statistics[@version="3.11"]\">\n"
|
||||||
|
+ " <!-- the version number **below** must match version in "
|
||||||
|
+ "bin/named/statschannel.c -->\n"
|
||||||
|
+ " <!-- don't forget to update \"/xml/v<STATS_XML_VERSION_MAJOR>\" in "
|
||||||
|
+ "the HTTP endpoints listed below -->\n"
|
||||||
|
+ " <xsl:template match=\"statistics[@version="3.11.1"]\">\n"
|
||||||
|
" <html>\n"
|
||||||
|
" <head>\n"
|
||||||
|
" <script type=\"text/javascript\" "
|
||||||
|
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
|
||||||
|
index 832ce93..7361ead 100644
|
||||||
|
--- a/bin/named/statschannel.c
|
||||||
|
+++ b/bin/named/statschannel.c
|
||||||
|
@@ -335,6 +335,7 @@ init_desc(void) {
|
||||||
|
SET_NSSTATDESC(reclimitdropped,
|
||||||
|
"queries dropped due to recursive client limit",
|
||||||
|
"RecLimitDropped");
|
||||||
|
+ SET_NSSTATDESC(updatequota, "Update quota exceeded", "UpdateQuota");
|
||||||
|
|
||||||
|
INSIST(i == ns_statscounter_max);
|
||||||
|
|
||||||
|
@@ -2007,7 +2008,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen,
|
||||||
|
"href=\"/bind9.xsl\""));
|
||||||
|
TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
|
||||||
|
TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
|
||||||
|
- ISC_XMLCHAR "3.11"));
|
||||||
|
+ ISC_XMLCHAR "3.11.1"));
|
||||||
|
|
||||||
|
/* Set common fields for statistics dump */
|
||||||
|
dumparg.type = isc_statsformat_xml;
|
||||||
|
@@ -2876,7 +2877,7 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg,
|
||||||
|
/*
|
||||||
|
* These statistics are included no matter which URL we use.
|
||||||
|
*/
|
||||||
|
- obj = json_object_new_string("1.5");
|
||||||
|
+ obj = json_object_new_string("1.5.1");
|
||||||
|
CHECKMEM(obj);
|
||||||
|
json_object_object_add(bindstats, "json-stats-version", obj);
|
||||||
|
|
||||||
|
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
|
||||||
|
index 2d05aec..25c20d7 100644
|
||||||
|
--- a/doc/arm/reference.rst
|
||||||
|
+++ b/doc/arm/reference.rst
|
||||||
|
@@ -6705,6 +6705,11 @@ Name Server Statistics Counters
|
||||||
|
``UpdateBadPrereq``
|
||||||
|
This indicates the number of dynamic updates rejected due to a prerequisite failure.
|
||||||
|
|
||||||
|
+``UpdateQuota``
|
||||||
|
+ This indicates the number of times a dynamic update or update
|
||||||
|
+ forwarding request was rejected because the number of pending
|
||||||
|
+ requests exceeded the update quota.
|
||||||
|
+
|
||||||
|
``RateDropped``
|
||||||
|
This indicates the number of responses dropped due to rate limits.
|
||||||
|
|
||||||
|
diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
|
||||||
|
index 6a1f345..0abb579 100644
|
||||||
|
--- a/lib/ns/include/ns/server.h
|
||||||
|
+++ b/lib/ns/include/ns/server.h
|
||||||
|
@@ -84,6 +84,7 @@ struct ns_server {
|
||||||
|
isc_quota_t recursionquota;
|
||||||
|
isc_quota_t tcpquota;
|
||||||
|
isc_quota_t xfroutquota;
|
||||||
|
+ isc_quota_t updquota;
|
||||||
|
|
||||||
|
/*% Test options and other configurables */
|
||||||
|
uint32_t options;
|
||||||
|
diff --git a/lib/ns/include/ns/stats.h b/lib/ns/include/ns/stats.h
|
||||||
|
index 3c08799..95b15d0 100644
|
||||||
|
--- a/lib/ns/include/ns/stats.h
|
||||||
|
+++ b/lib/ns/include/ns/stats.h
|
||||||
|
@@ -106,7 +106,9 @@ enum {
|
||||||
|
|
||||||
|
ns_statscounter_reclimitdropped = 66,
|
||||||
|
|
||||||
|
- ns_statscounter_max = 67,
|
||||||
|
+ ns_statscounter_updatequota = 67,
|
||||||
|
+
|
||||||
|
+ ns_statscounter_max = 68,
|
||||||
|
};
|
||||||
|
|
||||||
|
void
|
||||||
|
diff --git a/lib/ns/server.c b/lib/ns/server.c
|
||||||
|
index a970a28..540bc2e 100644
|
||||||
|
--- a/lib/ns/server.c
|
||||||
|
+++ b/lib/ns/server.c
|
||||||
|
@@ -52,6 +52,7 @@ ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
|
||||||
|
isc_quota_init(&sctx->xfroutquota, 10);
|
||||||
|
isc_quota_init(&sctx->tcpquota, 10);
|
||||||
|
isc_quota_init(&sctx->recursionquota, 100);
|
||||||
|
+ isc_quota_init(&sctx->updquota, 100);
|
||||||
|
|
||||||
|
CHECKFATAL(dns_tkeyctx_create(mctx, &sctx->tkeyctx));
|
||||||
|
|
||||||
|
@@ -131,6 +132,7 @@ ns_server_detach(ns_server_t **sctxp) {
|
||||||
|
isc_mem_put(sctx->mctx, altsecret, sizeof(*altsecret));
|
||||||
|
}
|
||||||
|
|
||||||
|
+ isc_quota_destroy(&sctx->updquota);
|
||||||
|
isc_quota_destroy(&sctx->recursionquota);
|
||||||
|
isc_quota_destroy(&sctx->tcpquota);
|
||||||
|
isc_quota_destroy(&sctx->xfroutquota);
|
||||||
|
diff --git a/lib/ns/update.c b/lib/ns/update.c
|
||||||
|
index 546b70a..9a8c309 100644
|
||||||
|
--- a/lib/ns/update.c
|
||||||
|
+++ b/lib/ns/update.c
|
||||||
|
@@ -1544,6 +1544,19 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||||
|
update_event_t *event = NULL;
|
||||||
|
isc_task_t *zonetask = NULL;
|
||||||
|
|
||||||
|
+ result = isc_quota_attach(&client->manager->sctx->updquota,
|
||||||
|
+ &(isc_quota_t *){ NULL });
|
||||||
|
+ if (result != ISC_R_SUCCESS) {
|
||||||
|
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
|
||||||
|
+ "update failed: too many DNS UPDATEs queued (%s)",
|
||||||
|
+ isc_result_totext(result));
|
||||||
|
+ ns_stats_increment(client->manager->sctx->nsstats,
|
||||||
|
+ ns_statscounter_updatequota);
|
||||||
|
+ ns_client_drop(client, result);
|
||||||
|
+ isc_nmhandle_detach(&client->reqhandle);
|
||||||
|
+ return (DNS_R_DROP);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
event = (update_event_t *)isc_event_allocate(
|
||||||
|
client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL,
|
||||||
|
sizeof(*event));
|
||||||
|
@@ -1676,12 +1689,19 @@ failure:
|
||||||
|
dns_zone_gettype(zone) == dns_zone_mirror);
|
||||||
|
inc_stats(client, zone, ns_statscounter_updaterej);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* We failed without having sent an update event to the zone.
|
||||||
|
* We are still in the client task context, so we can
|
||||||
|
* simply give an error response without switching tasks.
|
||||||
|
*/
|
||||||
|
- respond(client, result);
|
||||||
|
+ if (result == DNS_R_DROP) {
|
||||||
|
+ ns_client_drop(client, result);
|
||||||
|
+ isc_nmhandle_detach(&client->reqhandle);
|
||||||
|
+ } else {
|
||||||
|
+ respond(client, result);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (zone != NULL) {
|
||||||
|
dns_zone_detach(&zone);
|
||||||
|
}
|
||||||
|
@@ -3489,6 +3509,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
|
||||||
|
|
||||||
|
respond(client, uev->result);
|
||||||
|
|
||||||
|
+ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
|
||||||
|
isc_event_free(&event);
|
||||||
|
isc_nmhandle_detach(&client->updatehandle);
|
||||||
|
}
|
||||||
|
@@ -3505,6 +3526,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
|
||||||
|
INSIST(client->nupdates > 0);
|
||||||
|
client->nupdates--;
|
||||||
|
respond(client, DNS_R_SERVFAIL);
|
||||||
|
+
|
||||||
|
+ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
|
||||||
|
isc_event_free(&event);
|
||||||
|
isc_nmhandle_detach(&client->updatehandle);
|
||||||
|
}
|
||||||
|
@@ -3542,6 +3565,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
|
||||||
|
client->nupdates--;
|
||||||
|
ns_client_sendraw(client, uev->answer);
|
||||||
|
dns_message_detach(&uev->answer);
|
||||||
|
+
|
||||||
|
+ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
|
||||||
|
isc_event_free(&event);
|
||||||
|
isc_nmhandle_detach(&client->updatehandle);
|
||||||
|
}
|
||||||
|
@@ -3576,6 +3601,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
|
||||||
|
update_event_t *event = NULL;
|
||||||
|
isc_task_t *zonetask = NULL;
|
||||||
|
|
||||||
|
+ result = isc_quota_attach(&client->manager->sctx->updquota,
|
||||||
|
+ &(isc_quota_t *){ NULL });
|
||||||
|
+ if (result != ISC_R_SUCCESS) {
|
||||||
|
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
|
||||||
|
+ "update failed: too many DNS UPDATEs queued (%s)",
|
||||||
|
+ isc_result_totext(result));
|
||||||
|
+ ns_stats_increment(client->manager->sctx->nsstats,
|
||||||
|
+ ns_statscounter_updatequota);
|
||||||
|
+ return (DNS_R_DROP);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
event = (update_event_t *)isc_event_allocate(
|
||||||
|
client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL,
|
||||||
|
sizeof(*event));
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
266
bind-9.16-CVE-2022-3094-2.patch
Normal file
266
bind-9.16-CVE-2022-3094-2.patch
Normal file
@ -0,0 +1,266 @@
|
|||||||
|
From 7fe2204a2e8952bf892e4a70fea2ef5167e1f509 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Evan Hunt <each@isc.org>
|
||||||
|
Date: Thu, 1 Sep 2022 16:22:46 -0700
|
||||||
|
Subject: [PATCH] add a configuration option for the update quota
|
||||||
|
|
||||||
|
add an "update-quota" option to configure the update quota.
|
||||||
|
|
||||||
|
(cherry picked from commit f57758a7303ad0034ff2ff08eaaf2ef899630f19)
|
||||||
|
---
|
||||||
|
bin/named/config.c | 1 +
|
||||||
|
bin/named/named.conf.rst | 9 +++++----
|
||||||
|
bin/named/server.c | 1 +
|
||||||
|
bin/tests/system/checkconf/good.conf | 1 +
|
||||||
|
doc/arm/reference.rst | 7 ++++++-
|
||||||
|
doc/man/named.conf.5in | 9 +++++----
|
||||||
|
doc/misc/master.zoneopt.rst | 2 +-
|
||||||
|
doc/misc/options | 1 +
|
||||||
|
doc/misc/options.active | 1 +
|
||||||
|
doc/misc/options.grammar.rst | 3 ++-
|
||||||
|
doc/misc/slave.zoneopt.rst | 2 +-
|
||||||
|
lib/isccfg/namedconf.c | 1 +
|
||||||
|
12 files changed, 26 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/bin/named/config.c b/bin/named/config.c
|
||||||
|
index 5fedee84d9..494147015f 100644
|
||||||
|
--- a/bin/named/config.c
|
||||||
|
+++ b/bin/named/config.c
|
||||||
|
@@ -130,6 +130,7 @@ options {\n\
|
||||||
|
transfers-out 10;\n\
|
||||||
|
transfers-per-ns 2;\n\
|
||||||
|
trust-anchor-telemetry yes;\n\
|
||||||
|
+ update-quota 100;\n\
|
||||||
|
\n\
|
||||||
|
/* view */\n\
|
||||||
|
allow-new-zones no;\n\
|
||||||
|
diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
|
||||||
|
index 27eed5ca3e..4c9f9a7370 100644
|
||||||
|
--- a/bin/named/named.conf.rst
|
||||||
|
+++ b/bin/named/named.conf.rst
|
||||||
|
@@ -179,7 +179,7 @@ OPTIONS
|
||||||
|
answer-cookie boolean;
|
||||||
|
attach-cache string;
|
||||||
|
auth-nxdomain boolean; // default changed
|
||||||
|
- auto-dnssec ( allow | maintain | off );
|
||||||
|
+ auto-dnssec ( allow | maintain | off );// deprecated
|
||||||
|
automatic-interface-scan boolean;
|
||||||
|
avoid-v4-udp-ports { portrange; ... };
|
||||||
|
avoid-v6-udp-ports { portrange; ... };
|
||||||
|
@@ -446,6 +446,7 @@ OPTIONS
|
||||||
|
trust-anchor-telemetry boolean; // experimental
|
||||||
|
try-tcp-refresh boolean;
|
||||||
|
update-check-ksk boolean;
|
||||||
|
+ update-quota integer;
|
||||||
|
use-alt-transfer-source boolean;
|
||||||
|
use-v4-udp-ports { portrange; ... };
|
||||||
|
use-v6-udp-ports { portrange; ... };
|
||||||
|
@@ -584,7 +585,7 @@ VIEW
|
||||||
|
* ) ] [ dscp integer ];
|
||||||
|
attach-cache string;
|
||||||
|
auth-nxdomain boolean; // default changed
|
||||||
|
- auto-dnssec ( allow | maintain | off );
|
||||||
|
+ auto-dnssec ( allow | maintain | off );// deprecated
|
||||||
|
cache-file quoted_string;// deprecated
|
||||||
|
catalog-zones { zone string [ default-masters [ port integer ]
|
||||||
|
[ dscp integer ] { ( remote-servers | ipv4_address [ port
|
||||||
|
@@ -859,7 +860,7 @@ VIEW
|
||||||
|
integer | * ) ] [ dscp integer ];
|
||||||
|
alt-transfer-source-v6 ( ipv6_address | * ) [ port (
|
||||||
|
integer | * ) ] [ dscp integer ];
|
||||||
|
- auto-dnssec ( allow | maintain | off );
|
||||||
|
+ auto-dnssec ( allow | maintain | off );// deprecated
|
||||||
|
check-dup-records ( fail | warn | ignore );
|
||||||
|
check-integrity boolean;
|
||||||
|
check-mx ( fail | warn | ignore );
|
||||||
|
@@ -977,7 +978,7 @@ ZONE
|
||||||
|
] [ dscp integer ];
|
||||||
|
alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
|
||||||
|
* ) ] [ dscp integer ];
|
||||||
|
- auto-dnssec ( allow | maintain | off );
|
||||||
|
+ auto-dnssec ( allow | maintain | off );// deprecated
|
||||||
|
check-dup-records ( fail | warn | ignore );
|
||||||
|
check-integrity boolean;
|
||||||
|
check-mx ( fail | warn | ignore );
|
||||||
|
diff --git a/bin/named/server.c b/bin/named/server.c
|
||||||
|
index 20443ff8a9..78a21d62a2 100644
|
||||||
|
--- a/bin/named/server.c
|
||||||
|
+++ b/bin/named/server.c
|
||||||
|
@@ -8542,6 +8542,7 @@ load_configuration(const char *filename, named_server_t *server,
|
||||||
|
configure_server_quota(maps, "tcp-clients", &server->sctx->tcpquota);
|
||||||
|
configure_server_quota(maps, "recursive-clients",
|
||||||
|
&server->sctx->recursionquota);
|
||||||
|
+ configure_server_quota(maps, "update-quota", &server->sctx->updquota);
|
||||||
|
|
||||||
|
max = isc_quota_getmax(&server->sctx->recursionquota);
|
||||||
|
if (max > 1000) {
|
||||||
|
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
|
||||||
|
index b1f7059acf..0ecdb68e95 100644
|
||||||
|
--- a/bin/tests/system/checkconf/good.conf
|
||||||
|
+++ b/bin/tests/system/checkconf/good.conf
|
||||||
|
@@ -75,6 +75,7 @@ options {
|
||||||
|
recursive-clients 3000;
|
||||||
|
serial-query-rate 100;
|
||||||
|
server-id none;
|
||||||
|
+ update-quota 200;
|
||||||
|
check-names primary warn;
|
||||||
|
check-names secondary ignore;
|
||||||
|
max-cache-size 20000000000000;
|
||||||
|
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
|
||||||
|
index 2603d60251..703663d0ba 100644
|
||||||
|
--- a/doc/arm/reference.rst
|
||||||
|
+++ b/doc/arm/reference.rst
|
||||||
|
@@ -3151,6 +3151,11 @@ system.
|
||||||
|
value as ``tcp-keepalive-timeout``. This value can be updated at
|
||||||
|
runtime by using ``rndc tcp-timeouts``.
|
||||||
|
|
||||||
|
+``update-quota``
|
||||||
|
+ This is the maximum number of simultaneous DNS UPDATE messages that
|
||||||
|
+ the server will accept for updating local authoritiative zones or
|
||||||
|
+ forwarding to a primary server. The default is ``100``.
|
||||||
|
+
|
||||||
|
.. _intervals:
|
||||||
|
|
||||||
|
Periodic Task Intervals
|
||||||
|
@@ -6840,7 +6845,7 @@ Name Server Statistics Counters
|
||||||
|
``UpdateQuota``
|
||||||
|
This indicates the number of times a dynamic update or update
|
||||||
|
forwarding request was rejected because the number of pending
|
||||||
|
- requests exceeded the update quota.
|
||||||
|
+ requests exceeded ``update-quota``.
|
||||||
|
|
||||||
|
``RateDropped``
|
||||||
|
This indicates the number of responses dropped due to rate limits.
|
||||||
|
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
|
||||||
|
index 4c46f47592..c87afa2881 100644
|
||||||
|
--- a/doc/man/named.conf.5in
|
||||||
|
+++ b/doc/man/named.conf.5in
|
||||||
|
@@ -231,7 +231,7 @@ options {
|
||||||
|
answer\-cookie boolean;
|
||||||
|
attach\-cache string;
|
||||||
|
auth\-nxdomain boolean; // default changed
|
||||||
|
- auto\-dnssec ( allow | maintain | off );
|
||||||
|
+ auto\-dnssec ( allow | maintain | off );// deprecated
|
||||||
|
automatic\-interface\-scan boolean;
|
||||||
|
avoid\-v4\-udp\-ports { portrange; ... };
|
||||||
|
avoid\-v6\-udp\-ports { portrange; ... };
|
||||||
|
@@ -498,6 +498,7 @@ options {
|
||||||
|
trust\-anchor\-telemetry boolean; // experimental
|
||||||
|
try\-tcp\-refresh boolean;
|
||||||
|
update\-check\-ksk boolean;
|
||||||
|
+ update\-quota integer;
|
||||||
|
use\-alt\-transfer\-source boolean;
|
||||||
|
use\-v4\-udp\-ports { portrange; ... };
|
||||||
|
use\-v6\-udp\-ports { portrange; ... };
|
||||||
|
@@ -668,7 +669,7 @@ view string [ class ] {
|
||||||
|
* ) ] [ dscp integer ];
|
||||||
|
attach\-cache string;
|
||||||
|
auth\-nxdomain boolean; // default changed
|
||||||
|
- auto\-dnssec ( allow | maintain | off );
|
||||||
|
+ auto\-dnssec ( allow | maintain | off );// deprecated
|
||||||
|
cache\-file quoted_string;// deprecated
|
||||||
|
catalog\-zones { zone string [ default\-masters [ port integer ]
|
||||||
|
[ dscp integer ] { ( remote\-servers | ipv4_address [ port
|
||||||
|
@@ -943,7 +944,7 @@ view string [ class ] {
|
||||||
|
integer | * ) ] [ dscp integer ];
|
||||||
|
alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port (
|
||||||
|
integer | * ) ] [ dscp integer ];
|
||||||
|
- auto\-dnssec ( allow | maintain | off );
|
||||||
|
+ auto\-dnssec ( allow | maintain | off );// deprecated
|
||||||
|
check\-dup\-records ( fail | warn | ignore );
|
||||||
|
check\-integrity boolean;
|
||||||
|
check\-mx ( fail | warn | ignore );
|
||||||
|
@@ -1065,7 +1066,7 @@ zone string [ class ] {
|
||||||
|
] [ dscp integer ];
|
||||||
|
alt\-transfer\-source\-v6 ( ipv6_address | * ) [ port ( integer |
|
||||||
|
* ) ] [ dscp integer ];
|
||||||
|
- auto\-dnssec ( allow | maintain | off );
|
||||||
|
+ auto\-dnssec ( allow | maintain | off );// deprecated
|
||||||
|
check\-dup\-records ( fail | warn | ignore );
|
||||||
|
check\-integrity boolean;
|
||||||
|
check\-mx ( fail | warn | ignore );
|
||||||
|
diff --git a/doc/misc/master.zoneopt.rst b/doc/misc/master.zoneopt.rst
|
||||||
|
index 8fc7e1b4f0..346d59813e 100644
|
||||||
|
--- a/doc/misc/master.zoneopt.rst
|
||||||
|
+++ b/doc/misc/master.zoneopt.rst
|
||||||
|
@@ -20,7 +20,7 @@
|
||||||
|
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
|
||||||
|
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
|
||||||
|
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
|
||||||
|
- auto-dnssec ( allow | maintain | off );
|
||||||
|
+ auto-dnssec ( allow | maintain | off ); // deprecated
|
||||||
|
check-dup-records ( fail | warn | ignore );
|
||||||
|
check-integrity <boolean>;
|
||||||
|
check-mx ( fail | warn | ignore );
|
||||||
|
diff --git a/doc/misc/options b/doc/misc/options
|
||||||
|
index f57399499a..0dbcf101e1 100644
|
||||||
|
--- a/doc/misc/options
|
||||||
|
+++ b/doc/misc/options
|
||||||
|
@@ -404,6 +404,7 @@ options {
|
||||||
|
trust-anchor-telemetry <boolean>; // experimental
|
||||||
|
try-tcp-refresh <boolean>;
|
||||||
|
update-check-ksk <boolean>;
|
||||||
|
+ update-quota <integer>;
|
||||||
|
use-alt-transfer-source <boolean>;
|
||||||
|
use-id-pool <boolean>; // ancient
|
||||||
|
use-ixfr <boolean>; // obsolete
|
||||||
|
diff --git a/doc/misc/options.active b/doc/misc/options.active
|
||||||
|
index 5fc1ab29f4..eb75a86eae 100644
|
||||||
|
--- a/doc/misc/options.active
|
||||||
|
+++ b/doc/misc/options.active
|
||||||
|
@@ -363,6 +363,7 @@ options {
|
||||||
|
trust-anchor-telemetry <boolean>; // experimental
|
||||||
|
try-tcp-refresh <boolean>;
|
||||||
|
update-check-ksk <boolean>;
|
||||||
|
+ update-quota <integer>;
|
||||||
|
use-alt-transfer-source <boolean>;
|
||||||
|
use-v4-udp-ports { <portrange>; ... };
|
||||||
|
use-v6-udp-ports { <portrange>; ... };
|
||||||
|
diff --git a/doc/misc/options.grammar.rst b/doc/misc/options.grammar.rst
|
||||||
|
index 438072c95c..beef35341a 100644
|
||||||
|
--- a/doc/misc/options.grammar.rst
|
||||||
|
+++ b/doc/misc/options.grammar.rst
|
||||||
|
@@ -33,7 +33,7 @@
|
||||||
|
answer-cookie <boolean>;
|
||||||
|
attach-cache <string>;
|
||||||
|
auth-nxdomain <boolean>; // default changed
|
||||||
|
- auto-dnssec ( allow | maintain | off );
|
||||||
|
+ auto-dnssec ( allow | maintain | off ); // deprecated
|
||||||
|
automatic-interface-scan <boolean>;
|
||||||
|
avoid-v4-udp-ports { <portrange>; ... };
|
||||||
|
avoid-v6-udp-ports { <portrange>; ... };
|
||||||
|
@@ -300,6 +300,7 @@
|
||||||
|
trust-anchor-telemetry <boolean>; // experimental
|
||||||
|
try-tcp-refresh <boolean>;
|
||||||
|
update-check-ksk <boolean>;
|
||||||
|
+ update-quota <integer>;
|
||||||
|
use-alt-transfer-source <boolean>;
|
||||||
|
use-v4-udp-ports { <portrange>; ... };
|
||||||
|
use-v6-udp-ports { <portrange>; ... };
|
||||||
|
diff --git a/doc/misc/slave.zoneopt.rst b/doc/misc/slave.zoneopt.rst
|
||||||
|
index cc72dcbf67..468a7f4d9a 100644
|
||||||
|
--- a/doc/misc/slave.zoneopt.rst
|
||||||
|
+++ b/doc/misc/slave.zoneopt.rst
|
||||||
|
@@ -21,7 +21,7 @@
|
||||||
|
also-notify [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... };
|
||||||
|
alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
|
||||||
|
alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
|
||||||
|
- auto-dnssec ( allow | maintain | off );
|
||||||
|
+ auto-dnssec ( allow | maintain | off ); // deprecated
|
||||||
|
check-names ( fail | warn | ignore );
|
||||||
|
database <string>;
|
||||||
|
dialup ( notify | notify-passive | passive | refresh | <boolean> );
|
||||||
|
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
|
||||||
|
index 45de0196bf..6e63d86816 100644
|
||||||
|
--- a/lib/isccfg/namedconf.c
|
||||||
|
+++ b/lib/isccfg/namedconf.c
|
||||||
|
@@ -1267,6 +1267,7 @@ static cfg_clausedef_t options_clauses[] = {
|
||||||
|
{ "transfers-out", &cfg_type_uint32, 0 },
|
||||||
|
{ "transfers-per-ns", &cfg_type_uint32, 0 },
|
||||||
|
{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
|
||||||
|
+ { "update-quota", &cfg_type_uint32, 0 },
|
||||||
|
{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_ANCIENT },
|
||||||
|
{ "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
|
||||||
|
{ "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
470
bind-9.16-CVE-2022-3094-3.patch
Normal file
470
bind-9.16-CVE-2022-3094-3.patch
Normal file
@ -0,0 +1,470 @@
|
|||||||
|
From 93b8bd39145566053ad8b22cef597146e9175ea4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Evan Hunt <each@isc.org>
|
||||||
|
Date: Tue, 8 Nov 2022 17:32:41 -0800
|
||||||
|
Subject: [PATCH] move update ACL and update-policy checks before quota
|
||||||
|
|
||||||
|
check allow-update, update-policy, and allow-update-forwarding before
|
||||||
|
consuming quota slots, so that unauthorized clients can't fill the
|
||||||
|
quota.
|
||||||
|
|
||||||
|
(this moves the access check before the prerequisite check, which
|
||||||
|
violates the precise wording of RFC 2136. however, RFC co-author Paul
|
||||||
|
Vixie has stated that the RFC is mistaken on this point; it should have
|
||||||
|
said that access checking must happen *no later than* the completion of
|
||||||
|
prerequisite checks, not that it must happen exactly then.)
|
||||||
|
|
||||||
|
(cherry picked from commit 964f559edb5036880b8e463b8f190b9007ee055d)
|
||||||
|
---
|
||||||
|
lib/ns/update.c | 335 ++++++++++++++++++++++++++----------------------
|
||||||
|
1 file changed, 181 insertions(+), 154 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/ns/update.c b/lib/ns/update.c
|
||||||
|
index 9a8c309..036184b 100644
|
||||||
|
--- a/lib/ns/update.c
|
||||||
|
+++ b/lib/ns/update.c
|
||||||
|
@@ -261,6 +261,9 @@ static void
|
||||||
|
forward_done(isc_task_t *task, isc_event_t *event);
|
||||||
|
static isc_result_t
|
||||||
|
add_rr_prepare_action(void *data, rr_t *rr);
|
||||||
|
+static isc_result_t
|
||||||
|
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
|
||||||
|
+ const dns_rdata_t *rdata, bool *flag);
|
||||||
|
|
||||||
|
/**************************************************************************/
|
||||||
|
|
||||||
|
@@ -333,25 +336,26 @@ inc_stats(ns_client_t *client, dns_zone_t *zone, isc_statscounter_t counter) {
|
||||||
|
static isc_result_t
|
||||||
|
checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
|
||||||
|
dns_acl_t *updateacl, dns_ssutable_t *ssutable) {
|
||||||
|
+ isc_result_t result;
|
||||||
|
char namebuf[DNS_NAME_FORMATSIZE];
|
||||||
|
char classbuf[DNS_RDATACLASS_FORMATSIZE];
|
||||||
|
- int level;
|
||||||
|
- isc_result_t result;
|
||||||
|
+ bool update_possible =
|
||||||
|
+ ((updateacl != NULL && !dns_acl_isnone(updateacl)) ||
|
||||||
|
+ ssutable != NULL);
|
||||||
|
|
||||||
|
result = ns_client_checkaclsilent(client, NULL, queryacl, true);
|
||||||
|
if (result != ISC_R_SUCCESS) {
|
||||||
|
+ int level = update_possible ? ISC_LOG_ERROR : ISC_LOG_INFO;
|
||||||
|
+
|
||||||
|
dns_name_format(zonename, namebuf, sizeof(namebuf));
|
||||||
|
dns_rdataclass_format(client->view->rdclass, classbuf,
|
||||||
|
sizeof(classbuf));
|
||||||
|
|
||||||
|
- level = (updateacl == NULL && ssutable == NULL) ? ISC_LOG_INFO
|
||||||
|
- : ISC_LOG_ERROR;
|
||||||
|
-
|
||||||
|
ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
|
||||||
|
NS_LOGMODULE_UPDATE, level,
|
||||||
|
"update '%s/%s' denied due to allow-query",
|
||||||
|
namebuf, classbuf);
|
||||||
|
- } else if (updateacl == NULL && ssutable == NULL) {
|
||||||
|
+ } else if (!update_possible) {
|
||||||
|
dns_name_format(zonename, namebuf, sizeof(namebuf));
|
||||||
|
dns_rdataclass_format(client->view->rdclass, classbuf,
|
||||||
|
sizeof(classbuf));
|
||||||
|
@@ -1543,6 +1547,156 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||||
|
isc_result_t result = ISC_R_SUCCESS;
|
||||||
|
update_event_t *event = NULL;
|
||||||
|
isc_task_t *zonetask = NULL;
|
||||||
|
+ dns_ssutable_t *ssutable = NULL;
|
||||||
|
+ dns_message_t *request = client->message;
|
||||||
|
+ dns_aclenv_t *env =
|
||||||
|
+ ns_interfacemgr_getaclenv(client->manager->interface->mgr);
|
||||||
|
+ dns_rdataclass_t zoneclass;
|
||||||
|
+ dns_rdatatype_t covers;
|
||||||
|
+ dns_name_t *zonename = NULL;
|
||||||
|
+ dns_db_t *db = NULL;
|
||||||
|
+ dns_dbversion_t *ver = NULL;
|
||||||
|
+
|
||||||
|
+ CHECK(dns_zone_getdb(zone, &db));
|
||||||
|
+ zonename = dns_db_origin(db);
|
||||||
|
+ zoneclass = dns_db_class(db);
|
||||||
|
+ dns_zone_getssutable(zone, &ssutable);
|
||||||
|
+ dns_db_currentversion(db, &ver);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Update message processing can leak record existence information
|
||||||
|
+ * so check that we are allowed to query this zone. Additionally,
|
||||||
|
+ * if we would refuse all updates for this zone, we bail out here.
|
||||||
|
+ */
|
||||||
|
+ CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone),
|
||||||
|
+ dns_zone_getorigin(zone),
|
||||||
|
+ dns_zone_getupdateacl(zone), ssutable));
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Check requestor's permissions.
|
||||||
|
+ */
|
||||||
|
+ if (ssutable == NULL) {
|
||||||
|
+ CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
|
||||||
|
+ "update", dns_zone_getorigin(zone), false,
|
||||||
|
+ false));
|
||||||
|
+ } else if (client->signer == NULL && !TCPCLIENT(client)) {
|
||||||
|
+ CHECK(checkupdateacl(client, NULL, "update",
|
||||||
|
+ dns_zone_getorigin(zone), false, true));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (dns_zone_getupdatedisabled(zone)) {
|
||||||
|
+ FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
|
||||||
|
+ "because the zone is frozen. Use "
|
||||||
|
+ "'rndc thaw' to re-enable updates.");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Prescan the update section, checking for updates that
|
||||||
|
+ * are illegal or violate policy.
|
||||||
|
+ */
|
||||||
|
+ for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||||
|
+ result == ISC_R_SUCCESS;
|
||||||
|
+ result = dns_message_nextname(request, DNS_SECTION_UPDATE))
|
||||||
|
+ {
|
||||||
|
+ dns_name_t *name = NULL;
|
||||||
|
+ dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||||
|
+ dns_ttl_t ttl;
|
||||||
|
+ dns_rdataclass_t update_class;
|
||||||
|
+
|
||||||
|
+ get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
|
||||||
|
+ &rdata, &covers, &ttl, &update_class);
|
||||||
|
+
|
||||||
|
+ if (!dns_name_issubdomain(name, zonename)) {
|
||||||
|
+ FAILC(DNS_R_NOTZONE, "update RR is outside zone");
|
||||||
|
+ }
|
||||||
|
+ if (update_class == zoneclass) {
|
||||||
|
+ /*
|
||||||
|
+ * Check for meta-RRs. The RFC2136 pseudocode says
|
||||||
|
+ * check for ANY|AXFR|MAILA|MAILB, but the text adds
|
||||||
|
+ * "or any other QUERY metatype"
|
||||||
|
+ */
|
||||||
|
+ if (dns_rdatatype_ismeta(rdata.type)) {
|
||||||
|
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||||
|
+ }
|
||||||
|
+ result = dns_zone_checknames(zone, name, &rdata);
|
||||||
|
+ if (result != ISC_R_SUCCESS) {
|
||||||
|
+ FAIL(DNS_R_REFUSED);
|
||||||
|
+ }
|
||||||
|
+ } else if (update_class == dns_rdataclass_any) {
|
||||||
|
+ if (ttl != 0 || rdata.length != 0 ||
|
||||||
|
+ (dns_rdatatype_ismeta(rdata.type) &&
|
||||||
|
+ rdata.type != dns_rdatatype_any))
|
||||||
|
+ {
|
||||||
|
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||||
|
+ }
|
||||||
|
+ } else if (update_class == dns_rdataclass_none) {
|
||||||
|
+ if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
|
||||||
|
+ FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ update_log(client, zone, ISC_LOG_WARNING,
|
||||||
|
+ "update RR has incorrect class %d",
|
||||||
|
+ update_class);
|
||||||
|
+ FAIL(DNS_R_FORMERR);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * draft-ietf-dnsind-simple-secure-update-01 says
|
||||||
|
+ * "Unlike traditional dynamic update, the client
|
||||||
|
+ * is forbidden from updating NSEC records."
|
||||||
|
+ */
|
||||||
|
+ if (rdata.type == dns_rdatatype_nsec3) {
|
||||||
|
+ FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
|
||||||
|
+ "allowed "
|
||||||
|
+ "in secure zones");
|
||||||
|
+ } else if (rdata.type == dns_rdatatype_nsec) {
|
||||||
|
+ FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
|
||||||
|
+ "allowed "
|
||||||
|
+ "in secure zones");
|
||||||
|
+ } else if (rdata.type == dns_rdatatype_rrsig &&
|
||||||
|
+ !dns_name_equal(name, zonename))
|
||||||
|
+ {
|
||||||
|
+ FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
|
||||||
|
+ "currently "
|
||||||
|
+ "not supported in secure zones "
|
||||||
|
+ "except "
|
||||||
|
+ "at the apex");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (ssutable != NULL) {
|
||||||
|
+ isc_netaddr_t netaddr;
|
||||||
|
+ dst_key_t *tsigkey = NULL;
|
||||||
|
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
|
||||||
|
+
|
||||||
|
+ if (client->message->tsigkey != NULL) {
|
||||||
|
+ tsigkey = client->message->tsigkey->key;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (rdata.type != dns_rdatatype_any) {
|
||||||
|
+ if (!dns_ssutable_checkrules(
|
||||||
|
+ ssutable, client->signer, name,
|
||||||
|
+ &netaddr, TCPCLIENT(client), env,
|
||||||
|
+ rdata.type, tsigkey))
|
||||||
|
+ {
|
||||||
|
+ FAILC(DNS_R_REFUSED, "rejected by "
|
||||||
|
+ "secure update");
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (!ssu_checkall(db, ver, name, ssutable,
|
||||||
|
+ client->signer, &netaddr, env,
|
||||||
|
+ TCPCLIENT(client), tsigkey))
|
||||||
|
+ {
|
||||||
|
+ FAILC(DNS_R_REFUSED, "rejected by "
|
||||||
|
+ "secure update");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (result != ISC_R_NOMORE) {
|
||||||
|
+ FAIL(result);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
|
||||||
|
|
||||||
|
result = isc_quota_attach(&client->manager->sctx->updquota,
|
||||||
|
&(isc_quota_t *){ NULL });
|
||||||
|
@@ -1552,9 +1706,7 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||||
|
isc_result_totext(result));
|
||||||
|
ns_stats_increment(client->manager->sctx->nsstats,
|
||||||
|
ns_statscounter_updatequota);
|
||||||
|
- ns_client_drop(client, result);
|
||||||
|
- isc_nmhandle_detach(&client->reqhandle);
|
||||||
|
- return (DNS_R_DROP);
|
||||||
|
+ CHECK(DNS_R_DROP);
|
||||||
|
}
|
||||||
|
|
||||||
|
event = (update_event_t *)isc_event_allocate(
|
||||||
|
@@ -1571,6 +1723,16 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
|
||||||
|
dns_zone_gettask(zone, &zonetask);
|
||||||
|
isc_task_send(zonetask, ISC_EVENT_PTR(&event));
|
||||||
|
|
||||||
|
+failure:
|
||||||
|
+ if (db != NULL) {
|
||||||
|
+ dns_db_closeversion(db, &ver, false);
|
||||||
|
+ dns_db_detach(&db);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (ssutable != NULL) {
|
||||||
|
+ dns_ssutable_detach(&ssutable);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return (result);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1671,9 +1833,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
|
||||||
|
break;
|
||||||
|
case dns_zone_secondary:
|
||||||
|
case dns_zone_mirror:
|
||||||
|
- CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
|
||||||
|
- "update forwarding", zonename, true,
|
||||||
|
- false));
|
||||||
|
CHECK(send_forward_event(client, zone));
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
@@ -1685,8 +1844,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
|
||||||
|
|
||||||
|
failure:
|
||||||
|
if (result == DNS_R_REFUSED) {
|
||||||
|
- INSIST(dns_zone_gettype(zone) == dns_zone_secondary ||
|
||||||
|
- dns_zone_gettype(zone) == dns_zone_mirror);
|
||||||
|
inc_stats(client, zone, ns_statscounter_updaterej);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2578,7 +2735,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||||
|
dns_rdatatype_t covers;
|
||||||
|
dns_message_t *request = client->message;
|
||||||
|
dns_rdataclass_t zoneclass;
|
||||||
|
- dns_name_t *zonename;
|
||||||
|
+ dns_name_t *zonename = NULL;
|
||||||
|
dns_ssutable_t *ssutable = NULL;
|
||||||
|
dns_fixedname_t tmpnamefixed;
|
||||||
|
dns_name_t *tmpname = NULL;
|
||||||
|
@@ -2590,8 +2747,6 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||||
|
dns_ttl_t maxttl = 0;
|
||||||
|
uint32_t maxrecords;
|
||||||
|
uint64_t records;
|
||||||
|
- dns_aclenv_t *env =
|
||||||
|
- ns_interfacemgr_getaclenv(client->manager->interface->mgr);
|
||||||
|
|
||||||
|
INSIST(event->ev_type == DNS_EVENT_UPDATE);
|
||||||
|
|
||||||
|
@@ -2602,14 +2757,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||||
|
zonename = dns_db_origin(db);
|
||||||
|
zoneclass = dns_db_class(db);
|
||||||
|
dns_zone_getssutable(zone, &ssutable);
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * Update message processing can leak record existence information
|
||||||
|
- * so check that we are allowed to query this zone. Additionally
|
||||||
|
- * if we would refuse all updates for this zone we bail out here.
|
||||||
|
- */
|
||||||
|
- CHECK(checkqueryacl(client, dns_zone_getqueryacl(zone), zonename,
|
||||||
|
- dns_zone_getupdateacl(zone), ssutable));
|
||||||
|
+ options = dns_zone_getoptions(zone);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Get old and new versions now that queryacl has been checked.
|
||||||
|
@@ -2745,135 +2893,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||||
|
|
||||||
|
update_log(client, zone, LOGLEVEL_DEBUG, "prerequisites are OK");
|
||||||
|
|
||||||
|
- /*
|
||||||
|
- * Check Requestor's Permissions. It seems a bit silly to do this
|
||||||
|
- * only after prerequisite testing, but that is what RFC2136 says.
|
||||||
|
- */
|
||||||
|
- if (ssutable == NULL) {
|
||||||
|
- CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
|
||||||
|
- "update", zonename, false, false));
|
||||||
|
- } else if (client->signer == NULL && !TCPCLIENT(client)) {
|
||||||
|
- CHECK(checkupdateacl(client, NULL, "update", zonename, false,
|
||||||
|
- true));
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (dns_zone_getupdatedisabled(zone)) {
|
||||||
|
- FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
|
||||||
|
- "because the zone is frozen. Use "
|
||||||
|
- "'rndc thaw' to re-enable updates.");
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * Perform the Update Section Prescan.
|
||||||
|
- */
|
||||||
|
-
|
||||||
|
- for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||||
|
- result == ISC_R_SUCCESS;
|
||||||
|
- result = dns_message_nextname(request, DNS_SECTION_UPDATE))
|
||||||
|
- {
|
||||||
|
- dns_name_t *name = NULL;
|
||||||
|
- dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||||
|
- dns_ttl_t ttl;
|
||||||
|
- dns_rdataclass_t update_class;
|
||||||
|
- get_current_rr(request, DNS_SECTION_UPDATE, zoneclass, &name,
|
||||||
|
- &rdata, &covers, &ttl, &update_class);
|
||||||
|
-
|
||||||
|
- if (!dns_name_issubdomain(name, zonename)) {
|
||||||
|
- FAILC(DNS_R_NOTZONE, "update RR is outside zone");
|
||||||
|
- }
|
||||||
|
- if (update_class == zoneclass) {
|
||||||
|
- /*
|
||||||
|
- * Check for meta-RRs. The RFC2136 pseudocode says
|
||||||
|
- * check for ANY|AXFR|MAILA|MAILB, but the text adds
|
||||||
|
- * "or any other QUERY metatype"
|
||||||
|
- */
|
||||||
|
- if (dns_rdatatype_ismeta(rdata.type)) {
|
||||||
|
- FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||||
|
- }
|
||||||
|
- result = dns_zone_checknames(zone, name, &rdata);
|
||||||
|
- if (result != ISC_R_SUCCESS) {
|
||||||
|
- FAIL(DNS_R_REFUSED);
|
||||||
|
- }
|
||||||
|
- } else if (update_class == dns_rdataclass_any) {
|
||||||
|
- if (ttl != 0 || rdata.length != 0 ||
|
||||||
|
- (dns_rdatatype_ismeta(rdata.type) &&
|
||||||
|
- rdata.type != dns_rdatatype_any))
|
||||||
|
- {
|
||||||
|
- FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||||
|
- }
|
||||||
|
- } else if (update_class == dns_rdataclass_none) {
|
||||||
|
- if (ttl != 0 || dns_rdatatype_ismeta(rdata.type)) {
|
||||||
|
- FAILC(DNS_R_FORMERR, "meta-RR in update");
|
||||||
|
- }
|
||||||
|
- } else {
|
||||||
|
- update_log(client, zone, ISC_LOG_WARNING,
|
||||||
|
- "update RR has incorrect class %d",
|
||||||
|
- update_class);
|
||||||
|
- FAIL(DNS_R_FORMERR);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /*
|
||||||
|
- * draft-ietf-dnsind-simple-secure-update-01 says
|
||||||
|
- * "Unlike traditional dynamic update, the client
|
||||||
|
- * is forbidden from updating NSEC records."
|
||||||
|
- */
|
||||||
|
- if (rdata.type == dns_rdatatype_nsec3) {
|
||||||
|
- FAILC(DNS_R_REFUSED, "explicit NSEC3 updates are not "
|
||||||
|
- "allowed "
|
||||||
|
- "in secure zones");
|
||||||
|
- } else if (rdata.type == dns_rdatatype_nsec) {
|
||||||
|
- FAILC(DNS_R_REFUSED, "explicit NSEC updates are not "
|
||||||
|
- "allowed "
|
||||||
|
- "in secure zones");
|
||||||
|
- } else if (rdata.type == dns_rdatatype_rrsig &&
|
||||||
|
- !dns_name_equal(name, zonename)) {
|
||||||
|
- FAILC(DNS_R_REFUSED, "explicit RRSIG updates are "
|
||||||
|
- "currently "
|
||||||
|
- "not supported in secure zones "
|
||||||
|
- "except "
|
||||||
|
- "at the apex");
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (ssutable != NULL) {
|
||||||
|
- isc_netaddr_t netaddr;
|
||||||
|
- dst_key_t *tsigkey = NULL;
|
||||||
|
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
|
||||||
|
-
|
||||||
|
- if (client->message->tsigkey != NULL) {
|
||||||
|
- tsigkey = client->message->tsigkey->key;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (rdata.type != dns_rdatatype_any) {
|
||||||
|
- if (!dns_ssutable_checkrules(
|
||||||
|
- ssutable, client->signer, name,
|
||||||
|
- &netaddr, TCPCLIENT(client), env,
|
||||||
|
- rdata.type, tsigkey))
|
||||||
|
- {
|
||||||
|
- FAILC(DNS_R_REFUSED, "rejected by "
|
||||||
|
- "secure update");
|
||||||
|
- }
|
||||||
|
- } else {
|
||||||
|
- if (!ssu_checkall(db, ver, name, ssutable,
|
||||||
|
- client->signer, &netaddr, env,
|
||||||
|
- TCPCLIENT(client), tsigkey))
|
||||||
|
- {
|
||||||
|
- FAILC(DNS_R_REFUSED, "rejected by "
|
||||||
|
- "secure update");
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- if (result != ISC_R_NOMORE) {
|
||||||
|
- FAIL(result);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- update_log(client, zone, LOGLEVEL_DEBUG, "update section prescan OK");
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* Process the Update Section.
|
||||||
|
*/
|
||||||
|
|
||||||
|
- options = dns_zone_getoptions(zone);
|
||||||
|
for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
|
||||||
|
result == ISC_R_SUCCESS;
|
||||||
|
result = dns_message_nextname(request, DNS_SECTION_UPDATE))
|
||||||
|
@@ -3307,10 +3330,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
|
||||||
|
if (result == ISC_R_SUCCESS && records > maxrecords) {
|
||||||
|
update_log(client, zone, ISC_LOG_ERROR,
|
||||||
|
"records in zone (%" PRIu64 ") "
|
||||||
|
- "exceeds"
|
||||||
|
- " max-"
|
||||||
|
- "records"
|
||||||
|
- " (%u)",
|
||||||
|
+ "exceeds max-records (%u)",
|
||||||
|
records, maxrecords);
|
||||||
|
result = DNS_R_TOOMANYRECORDS;
|
||||||
|
goto failure;
|
||||||
|
@@ -3601,6 +3621,13 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
|
||||||
|
update_event_t *event = NULL;
|
||||||
|
isc_task_t *zonetask = NULL;
|
||||||
|
|
||||||
|
+ result = checkupdateacl(client, dns_zone_getforwardacl(zone),
|
||||||
|
+ "update forwarding", dns_zone_getorigin(zone),
|
||||||
|
+ true, false);
|
||||||
|
+ if (result != ISC_R_SUCCESS) {
|
||||||
|
+ return (result);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
result = isc_quota_attach(&client->manager->sctx->updquota,
|
||||||
|
&(isc_quota_t *){ NULL });
|
||||||
|
if (result != ISC_R_SUCCESS) {
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
272
bind-9.16-CVE-2022-3094-test.patch
Normal file
272
bind-9.16-CVE-2022-3094-test.patch
Normal file
@ -0,0 +1,272 @@
|
|||||||
|
From 630529ea7d4587703008de1465021bdde2a3a971 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Evan Hunt <each@isc.org>
|
||||||
|
Date: Wed, 9 Nov 2022 21:56:16 -0800
|
||||||
|
Subject: [PATCH] test failure conditions
|
||||||
|
|
||||||
|
verify that updates are refused when the client is disallowed by
|
||||||
|
allow-query, and update forwarding is refused when the client is
|
||||||
|
is disallowed by update-forwarding.
|
||||||
|
|
||||||
|
verify that "too many DNS UPDATEs" appears in the log file when too
|
||||||
|
many simultaneous updates are processing.
|
||||||
|
|
||||||
|
(cherry picked from commit b91339b80e5b82a56622c93cc1e3cca2d0c11bc0)
|
||||||
|
---
|
||||||
|
bin/tests/system/nsupdate/ns1/named.conf.in | 2 +
|
||||||
|
bin/tests/system/nsupdate/tests.sh | 28 +++++++++++++
|
||||||
|
bin/tests/system/upforwd/clean.sh | 2 +
|
||||||
|
.../ns3/{named.conf.in => named1.conf.in} | 13 ++++--
|
||||||
|
bin/tests/system/upforwd/ns3/named2.conf.in | 41 +++++++++++++++++++
|
||||||
|
bin/tests/system/upforwd/setup.sh | 2 +-
|
||||||
|
bin/tests/system/upforwd/tests.sh | 39 ++++++++++++++++++
|
||||||
|
7 files changed, 123 insertions(+), 4 deletions(-)
|
||||||
|
rename bin/tests/system/upforwd/ns3/{named.conf.in => named1.conf.in} (78%)
|
||||||
|
create mode 100644 bin/tests/system/upforwd/ns3/named2.conf.in
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||||
|
index 436c97d..83fe884 100644
|
||||||
|
--- a/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||||
|
+++ b/bin/tests/system/nsupdate/ns1/named.conf.in
|
||||||
|
@@ -21,6 +21,7 @@ options {
|
||||||
|
recursion no;
|
||||||
|
notify yes;
|
||||||
|
minimal-responses no;
|
||||||
|
+ update-quota 1;
|
||||||
|
};
|
||||||
|
|
||||||
|
acl named-acl {
|
||||||
|
@@ -81,6 +82,7 @@ zone "other.nil" {
|
||||||
|
check-integrity no;
|
||||||
|
check-mx warn;
|
||||||
|
update-policy local;
|
||||||
|
+ allow-query { !10.53.0.2; any; };
|
||||||
|
allow-query-on { 10.53.0.1; 127.0.0.1; };
|
||||||
|
allow-transfer { any; };
|
||||||
|
};
|
||||||
|
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
|
||||||
|
index b5f562f..13ba577 100755
|
||||||
|
--- a/bin/tests/system/nsupdate/tests.sh
|
||||||
|
+++ b/bin/tests/system/nsupdate/tests.sh
|
||||||
|
@@ -1268,6 +1268,34 @@ END
|
||||||
|
grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1
|
||||||
|
[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||||
|
|
||||||
|
+n=$((n + 1))
|
||||||
|
+ret=0
|
||||||
|
+echo_i "check that update is rejected if query is not allowed ($n)"
|
||||||
|
+{
|
||||||
|
+ $NSUPDATE -d <<END
|
||||||
|
+ local 10.53.0.2
|
||||||
|
+ server 10.53.0.1 ${PORT}
|
||||||
|
+ update add reject.other.nil 3600 IN TXT Whatever
|
||||||
|
+ send
|
||||||
|
+END
|
||||||
|
+} > nsupdate.out.test$n 2>&1
|
||||||
|
+grep 'failed: REFUSED' nsupdate.out.test$n > /dev/null || ret=1
|
||||||
|
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||||
|
+
|
||||||
|
+n=$((n + 1))
|
||||||
|
+ret=0
|
||||||
|
+echo_i "check that update is rejected if quota is exceeded ($n)"
|
||||||
|
+for loop in 1 2 3 4 5 6 7 8 9 10; do
|
||||||
|
+{
|
||||||
|
+ $NSUPDATE -4 -l -p ${PORT} -k ns1/session.key > /dev/null 2>&1 <<END
|
||||||
|
+ update add txt-$loop.other.nil 3600 IN TXT Whatever
|
||||||
|
+ send
|
||||||
|
+END
|
||||||
|
+} &
|
||||||
|
+done
|
||||||
|
+wait_for_log 10 "too many DNS UPDATEs queued" ns1/named.run || ret=1
|
||||||
|
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||||
|
+
|
||||||
|
if ! $FEATURETEST --gssapi ; then
|
||||||
|
echo_i "SKIPPED: GSSAPI tests"
|
||||||
|
else
|
||||||
|
diff --git a/bin/tests/system/upforwd/clean.sh b/bin/tests/system/upforwd/clean.sh
|
||||||
|
index 2025252..12311df 100644
|
||||||
|
--- a/bin/tests/system/upforwd/clean.sh
|
||||||
|
+++ b/bin/tests/system/upforwd/clean.sh
|
||||||
|
@@ -29,3 +29,5 @@ rm -f keyname keyname.err
|
||||||
|
rm -f ns*/named.lock
|
||||||
|
rm -f ns1/example2.db
|
||||||
|
rm -f ns*/managed-keys.bind*
|
||||||
|
+rm -f nsupdate.out.*
|
||||||
|
+rm -f ns*/named.run.prev
|
||||||
|
diff --git a/bin/tests/system/upforwd/ns3/named.conf.in b/bin/tests/system/upforwd/ns3/named1.conf.in
|
||||||
|
similarity index 78%
|
||||||
|
rename from bin/tests/system/upforwd/ns3/named.conf.in
|
||||||
|
rename to bin/tests/system/upforwd/ns3/named1.conf.in
|
||||||
|
index 7bd13d3..2f690ff 100644
|
||||||
|
--- a/bin/tests/system/upforwd/ns3/named.conf.in
|
||||||
|
+++ b/bin/tests/system/upforwd/ns3/named1.conf.in
|
||||||
|
@@ -28,20 +28,27 @@ key rndc_key {
|
||||||
|
};
|
||||||
|
|
||||||
|
controls {
|
||||||
|
- inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||||
|
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "example" {
|
||||||
|
type secondary;
|
||||||
|
file "example.bk";
|
||||||
|
- allow-update-forwarding { any; };
|
||||||
|
+ allow-update-forwarding { 10.53.0.1; };
|
||||||
|
primaries { 10.53.0.1; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "example2" {
|
||||||
|
type secondary;
|
||||||
|
file "example2.bk";
|
||||||
|
- allow-update-forwarding { any; };
|
||||||
|
+ allow-update-forwarding { 10.53.0.1; };
|
||||||
|
+ primaries { 10.53.0.1; };
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+zone "example3" {
|
||||||
|
+ type secondary;
|
||||||
|
+ file "example3.bk";
|
||||||
|
+ allow-update-forwarding { 10.53.0.1; };
|
||||||
|
primaries { 10.53.0.1; };
|
||||||
|
};
|
||||||
|
|
||||||
|
diff --git a/bin/tests/system/upforwd/ns3/named2.conf.in b/bin/tests/system/upforwd/ns3/named2.conf.in
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..86d7469
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/bin/tests/system/upforwd/ns3/named2.conf.in
|
||||||
|
@@ -0,0 +1,41 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||||
|
+ *
|
||||||
|
+ * SPDX-License-Identifier: MPL-2.0
|
||||||
|
+ *
|
||||||
|
+ * This Source Code Form is subject to the terms of the Mozilla Public
|
||||||
|
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||||
|
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||||
|
+ *
|
||||||
|
+ * See the COPYRIGHT file distributed with this work for additional
|
||||||
|
+ * information regarding copyright ownership.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+options {
|
||||||
|
+ query-source address 10.53.0.3;
|
||||||
|
+ notify-source 10.53.0.3;
|
||||||
|
+ transfer-source 10.53.0.3;
|
||||||
|
+ port @PORT@;
|
||||||
|
+ pid-file "named.pid";
|
||||||
|
+ listen-on { 10.53.0.3; };
|
||||||
|
+ listen-on-v6 { none; };
|
||||||
|
+ recursion no;
|
||||||
|
+ notify yes;
|
||||||
|
+ update-quota 1;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+key rndc_key {
|
||||||
|
+ secret "1234abcd8765";
|
||||||
|
+ algorithm @DEFAULT_HMAC@;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+controls {
|
||||||
|
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+zone "example" {
|
||||||
|
+ type secondary;
|
||||||
|
+ file "example.bk";
|
||||||
|
+ allow-update-forwarding { any; };
|
||||||
|
+ primaries { 10.53.0.1; };
|
||||||
|
+};
|
||||||
|
diff --git a/bin/tests/system/upforwd/setup.sh b/bin/tests/system/upforwd/setup.sh
|
||||||
|
index e748078..88ab28d 100644
|
||||||
|
--- a/bin/tests/system/upforwd/setup.sh
|
||||||
|
+++ b/bin/tests/system/upforwd/setup.sh
|
||||||
|
@@ -17,7 +17,7 @@ cp -f ns3/nomaster.db ns3/nomaster1.db
|
||||||
|
|
||||||
|
copy_setports ns1/named.conf.in ns1/named.conf
|
||||||
|
copy_setports ns2/named.conf.in ns2/named.conf
|
||||||
|
-copy_setports ns3/named.conf.in ns3/named.conf
|
||||||
|
+copy_setports ns3/named1.conf.in ns3/named.conf
|
||||||
|
|
||||||
|
if $FEATURETEST --enable-dnstap
|
||||||
|
then
|
||||||
|
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
|
||||||
|
index 8062d68..20fc46f 100644
|
||||||
|
--- a/bin/tests/system/upforwd/tests.sh
|
||||||
|
+++ b/bin/tests/system/upforwd/tests.sh
|
||||||
|
@@ -80,6 +80,7 @@ if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||||
|
echo_i "updating zone (signed) ($n)"
|
||||||
|
ret=0
|
||||||
|
$NSUPDATE -y hmac-sha256:update.example:c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K -- - <<EOF || ret=1
|
||||||
|
+local 10.53.0.1
|
||||||
|
server 10.53.0.3 ${PORT}
|
||||||
|
update add updated.example. 600 A 10.10.10.1
|
||||||
|
update add updated.example. 600 TXT Foo
|
||||||
|
@@ -138,6 +139,7 @@ fi
|
||||||
|
echo_i "updating zone (unsigned) ($n)"
|
||||||
|
ret=0
|
||||||
|
$NSUPDATE -- - <<EOF || ret=1
|
||||||
|
+local 10.53.0.1
|
||||||
|
server 10.53.0.3 ${PORT}
|
||||||
|
update add unsigned.example. 600 A 10.10.10.1
|
||||||
|
update add unsigned.example. 600 TXT Foo
|
||||||
|
@@ -194,6 +196,7 @@ while [ $count -lt 5 -a $ret -eq 0 ]
|
||||||
|
do
|
||||||
|
(
|
||||||
|
$NSUPDATE -- - <<EOF
|
||||||
|
+local 10.53.0.1
|
||||||
|
server 10.53.0.3 ${PORT}
|
||||||
|
zone nomaster
|
||||||
|
update add unsigned.nomaster. 600 A 10.10.10.1
|
||||||
|
@@ -225,6 +228,7 @@ then
|
||||||
|
ret=0
|
||||||
|
keyname=`cat keyname`
|
||||||
|
$NSUPDATE -k $keyname.private -- - <<EOF
|
||||||
|
+ local 10.53.0.1
|
||||||
|
server 10.53.0.3 ${PORT}
|
||||||
|
zone example2
|
||||||
|
update add unsigned.example2. 600 A 10.10.10.1
|
||||||
|
@@ -249,5 +253,40 @@ EOF
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
+echo_i "attempting an update that should be rejected by ACL ($n)"
|
||||||
|
+ret=0
|
||||||
|
+{
|
||||||
|
+ $NSUPDATE -- - << EOF
|
||||||
|
+ local 10.53.0.2
|
||||||
|
+ server 10.53.0.3 ${PORT}
|
||||||
|
+ update add another.unsigned.example. 600 A 10.10.10.2
|
||||||
|
+ update add another.unsigned.example. 600 TXT Bar
|
||||||
|
+ send
|
||||||
|
+EOF
|
||||||
|
+} > nsupdate.out.$n 2>&1
|
||||||
|
+grep REFUSED nsupdate.out.$n > /dev/null || ret=1
|
||||||
|
+if [ $ret != 0 ] ; then echo_i "failed"; status=`expr $status + $ret`; fi
|
||||||
|
+n=`expr $n + 1`
|
||||||
|
+
|
||||||
|
+n=$((n + 1))
|
||||||
|
+ret=0
|
||||||
|
+echo_i "attempting updates that should exceed quota ($n)"
|
||||||
|
+# lower the update quota to 1.
|
||||||
|
+copy_setports ns3/named2.conf.in ns3/named.conf
|
||||||
|
+rndc_reconfig ns3 10.53.0.3
|
||||||
|
+nextpart ns3/named.run > /dev/null
|
||||||
|
+for loop in 1 2 3 4 5 6 7 8 9 10; do
|
||||||
|
+{
|
||||||
|
+ $NSUPDATE -- - > /dev/null 2>&1 <<END
|
||||||
|
+ local 10.53.0.1
|
||||||
|
+ server 10.53.0.3 ${PORT}
|
||||||
|
+ update add txt-$loop.unsigned.example 300 IN TXT Whatever
|
||||||
|
+ send
|
||||||
|
+END
|
||||||
|
+} &
|
||||||
|
+done
|
||||||
|
+wait_for_log 10 "too many DNS UPDATEs queued" ns3/named.run || ret=1
|
||||||
|
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
|
||||||
|
+
|
||||||
|
echo_i "exit status: $status"
|
||||||
|
[ $status -eq 0 ] || exit 1
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
53
bind-9.16-CVE-2022-3736.patch
Normal file
53
bind-9.16-CVE-2022-3736.patch
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
From 1b6590eafce064cbf70f5afc2fe4d6f1bfdc3804 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mark Andrews <marka@isc.org>
|
||||||
|
Date: Thu, 27 Oct 2022 13:22:11 +1100
|
||||||
|
Subject: [PATCH] Move the mapping of SIG and RRSIG to ANY
|
||||||
|
|
||||||
|
dns_db_findext() asserts if RRSIG is passed to it and
|
||||||
|
query_lookup_stale() failed to map RRSIG to ANY to prevent this. To
|
||||||
|
avoid cases like this in the future, move the mapping of SIG and RRSIG
|
||||||
|
to ANY for qctx->type to qctx_init().
|
||||||
|
|
||||||
|
(cherry picked from commit 56eae064183488bcf7ff08c3edf59f2e1742c1b6)
|
||||||
|
---
|
||||||
|
lib/ns/query.c | 17 +++++++++--------
|
||||||
|
1 file changed, 9 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||||||
|
index a450cb7..f66bab4 100644
|
||||||
|
--- a/lib/ns/query.c
|
||||||
|
+++ b/lib/ns/query.c
|
||||||
|
@@ -5103,6 +5103,15 @@ qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype,
|
||||||
|
qctx->result = ISC_R_SUCCESS;
|
||||||
|
qctx->findcoveringnsec = qctx->view->synthfromdnssec;
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * If it's an RRSIG or SIG query, we'll iterate the node.
|
||||||
|
+ */
|
||||||
|
+ if (qctx->qtype == dns_rdatatype_rrsig ||
|
||||||
|
+ qctx->qtype == dns_rdatatype_sig)
|
||||||
|
+ {
|
||||||
|
+ qctx->type = dns_rdatatype_any;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -5243,14 +5252,6 @@ query_setup(ns_client_t *client, dns_rdatatype_t qtype) {
|
||||||
|
|
||||||
|
CALL_HOOK(NS_QUERY_SETUP, &qctx);
|
||||||
|
|
||||||
|
- /*
|
||||||
|
- * If it's a SIG query, we'll iterate the node.
|
||||||
|
- */
|
||||||
|
- if (qctx.qtype == dns_rdatatype_rrsig ||
|
||||||
|
- qctx.qtype == dns_rdatatype_sig) {
|
||||||
|
- qctx.type = dns_rdatatype_any;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* Check SERVFAIL cache
|
||||||
|
*/
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
27
bind-9.16-CVE-2022-38177.patch
Normal file
27
bind-9.16-CVE-2022-38177.patch
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
From df8222fb189708199a185f73543b6e0602c1c72f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Mensik <pemensik@redhat.com>
|
||||||
|
Date: Tue, 20 Sep 2022 11:21:45 +0200
|
||||||
|
Subject: [PATCH 3/4] Fix CVE-2022-38177
|
||||||
|
|
||||||
|
5961. [security] Fix memory leak in ECDSA verify processing.
|
||||||
|
(CVE-2022-38177) [GL #3487]
|
||||||
|
---
|
||||||
|
lib/dns/opensslecdsa_link.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
|
||||||
|
index ce4c8c4..3847896 100644
|
||||||
|
--- a/lib/dns/opensslecdsa_link.c
|
||||||
|
+++ b/lib/dns/opensslecdsa_link.c
|
||||||
|
@@ -228,7 +228,7 @@ opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
|
||||||
|
}
|
||||||
|
|
||||||
|
if (sig->length != siglen) {
|
||||||
|
- return (DST_R_VERIFYFAILURE);
|
||||||
|
+ DST_RET(DST_R_VERIFYFAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) {
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
32
bind-9.16-CVE-2022-38178.patch
Normal file
32
bind-9.16-CVE-2022-38178.patch
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
From 132ef295b8407f91e6922f4dfc4f30f1790b61c5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Mensik <pemensik@redhat.com>
|
||||||
|
Date: Tue, 20 Sep 2022 11:22:47 +0200
|
||||||
|
Subject: [PATCH 4/4] Fix CVE-2022-38178
|
||||||
|
|
||||||
|
5962. [security] Fix memory leak in EdDSA verify processing.
|
||||||
|
(CVE-2022-38178) [GL #3487]
|
||||||
|
---
|
||||||
|
lib/dns/openssleddsa_link.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
|
||||||
|
index 6a6a74d..3157011 100644
|
||||||
|
--- a/lib/dns/openssleddsa_link.c
|
||||||
|
+++ b/lib/dns/openssleddsa_link.c
|
||||||
|
@@ -234,11 +234,11 @@ openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
|
||||||
|
}
|
||||||
|
#endif /* if HAVE_OPENSSL_ED448 */
|
||||||
|
if (siglen == 0) {
|
||||||
|
- return (ISC_R_NOTIMPLEMENTED);
|
||||||
|
+ DST_RET(ISC_R_NOTIMPLEMENTED);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (sig->length != siglen) {
|
||||||
|
- return (DST_R_VERIFYFAILURE);
|
||||||
|
+ DST_RET(DST_R_VERIFYFAILURE);
|
||||||
|
}
|
||||||
|
|
||||||
|
isc_buffer_usedregion(buf, &tbsreg);
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
128
bind-9.16-CVE-2022-3924.patch
Normal file
128
bind-9.16-CVE-2022-3924.patch
Normal file
@ -0,0 +1,128 @@
|
|||||||
|
From 20424b3bfe8d3fae92c11a30e79aeffd26dc2891 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Aram Sargsyan <aram@isc.org>
|
||||||
|
Date: Mon, 14 Nov 2022 12:18:06 +0000
|
||||||
|
Subject: [PATCH] Cancel all fetch events in dns_resolver_cancelfetch()
|
||||||
|
|
||||||
|
Although 'dns_fetch_t' fetch can have two associated events, one for
|
||||||
|
each of 'DNS_EVENT_FETCHDONE' and 'DNS_EVENT_TRYSTALE' types, the
|
||||||
|
dns_resolver_cancelfetch() function is designed in a way that it
|
||||||
|
expects only one existing event, which it must cancel, and when it
|
||||||
|
happens so that 'stale-answer-client-timeout' is enabled and there
|
||||||
|
are two events, only one of them is canceled, and it results in an
|
||||||
|
assertion in dns_resolver_destroyfetch(), when it finds a dangling
|
||||||
|
event.
|
||||||
|
|
||||||
|
Change the logic of dns_resolver_cancelfetch() function so that it
|
||||||
|
cancels both the events (if they exist), and in the right order.
|
||||||
|
|
||||||
|
(cherry picked from commit ec2098ca35039e4f81fd0aa7c525eb960b8f47bf)
|
||||||
|
---
|
||||||
|
lib/dns/resolver.c | 53 +++++++++++++++++++++++++++++++++++-----------
|
||||||
|
lib/ns/query.c | 4 +++-
|
||||||
|
2 files changed, 44 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||||
|
index 18585b5..7cbfbb2 100644
|
||||||
|
--- a/lib/dns/resolver.c
|
||||||
|
+++ b/lib/dns/resolver.c
|
||||||
|
@@ -11254,8 +11254,9 @@ void
|
||||||
|
dns_resolver_cancelfetch(dns_fetch_t *fetch) {
|
||||||
|
fetchctx_t *fctx;
|
||||||
|
dns_resolver_t *res;
|
||||||
|
- dns_fetchevent_t *event, *next_event;
|
||||||
|
- isc_task_t *etask;
|
||||||
|
+ dns_fetchevent_t *event = NULL;
|
||||||
|
+ dns_fetchevent_t *event_trystale = NULL;
|
||||||
|
+ dns_fetchevent_t *event_fetchdone = NULL;
|
||||||
|
|
||||||
|
REQUIRE(DNS_FETCH_VALID(fetch));
|
||||||
|
fctx = fetch->private;
|
||||||
|
@@ -11267,32 +11268,60 @@ dns_resolver_cancelfetch(dns_fetch_t *fetch) {
|
||||||
|
LOCK(&res->buckets[fctx->bucketnum].lock);
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * Find the completion event for this fetch (as opposed
|
||||||
|
+ * Find the events for this fetch (as opposed
|
||||||
|
* to those for other fetches that have joined the same
|
||||||
|
- * fctx) and send it with result = ISC_R_CANCELED.
|
||||||
|
+ * fctx) and send them with result = ISC_R_CANCELED.
|
||||||
|
*/
|
||||||
|
- event = NULL;
|
||||||
|
if (fctx->state != fetchstate_done) {
|
||||||
|
+ dns_fetchevent_t *next_event = NULL;
|
||||||
|
for (event = ISC_LIST_HEAD(fctx->events); event != NULL;
|
||||||
|
event = next_event) {
|
||||||
|
next_event = ISC_LIST_NEXT(event, ev_link);
|
||||||
|
if (event->fetch == fetch) {
|
||||||
|
ISC_LIST_UNLINK(fctx->events, event, ev_link);
|
||||||
|
- break;
|
||||||
|
+ switch (event->ev_type) {
|
||||||
|
+ case DNS_EVENT_TRYSTALE:
|
||||||
|
+ INSIST(event_trystale == NULL);
|
||||||
|
+ event_trystale = event;
|
||||||
|
+ break;
|
||||||
|
+ case DNS_EVENT_FETCHDONE:
|
||||||
|
+ INSIST(event_fetchdone == NULL);
|
||||||
|
+ event_fetchdone = event;
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ ISC_UNREACHABLE();
|
||||||
|
+ }
|
||||||
|
+ if (event_trystale != NULL &&
|
||||||
|
+ event_fetchdone != NULL)
|
||||||
|
+ {
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- if (event != NULL) {
|
||||||
|
- etask = event->ev_sender;
|
||||||
|
- event->ev_sender = fctx;
|
||||||
|
- event->result = ISC_R_CANCELED;
|
||||||
|
- isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * The "trystale" event must be sent before the "fetchdone" event,
|
||||||
|
+ * because the latter clears the "recursing" query attribute, which is
|
||||||
|
+ * required by both events (handled by the same callback function).
|
||||||
|
+ */
|
||||||
|
+ if (event_trystale != NULL) {
|
||||||
|
+ isc_task_t *etask = event_trystale->ev_sender;
|
||||||
|
+ event_trystale->ev_sender = fctx;
|
||||||
|
+ event_trystale->result = ISC_R_CANCELED;
|
||||||
|
+ isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event_trystale));
|
||||||
|
}
|
||||||
|
+ if (event_fetchdone != NULL) {
|
||||||
|
+ isc_task_t *etask = event_fetchdone->ev_sender;
|
||||||
|
+ event_fetchdone->ev_sender = fctx;
|
||||||
|
+ event_fetchdone->result = ISC_R_CANCELED;
|
||||||
|
+ isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event_fetchdone));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* The fctx continues running even if no fetches remain;
|
||||||
|
* the answer is still cached.
|
||||||
|
*/
|
||||||
|
-
|
||||||
|
UNLOCK(&res->buckets[fctx->bucketnum].lock);
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||||||
|
index f66bab4..4f61374 100644
|
||||||
|
--- a/lib/ns/query.c
|
||||||
|
+++ b/lib/ns/query.c
|
||||||
|
@@ -6021,7 +6021,9 @@ fetch_callback(isc_task_t *task, isc_event_t *event) {
|
||||||
|
CTRACE(ISC_LOG_DEBUG(3), "fetch_callback");
|
||||||
|
|
||||||
|
if (event->ev_type == DNS_EVENT_TRYSTALE) {
|
||||||
|
- query_lookup_stale(client);
|
||||||
|
+ if (devent->result != ISC_R_CANCELED) {
|
||||||
|
+ query_lookup_stale(client);
|
||||||
|
+ }
|
||||||
|
isc_event_free(ISC_EVENT_PTR(&event));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
60
bind-9.16-redhat_doc.patch
Normal file
60
bind-9.16-redhat_doc.patch
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
From 3a161af91bffcd457586ab466e32ac8484028763 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Mensik <pemensik@redhat.com>
|
||||||
|
Date: Wed, 17 Jun 2020 23:17:13 +0200
|
||||||
|
Subject: [PATCH] Update man named with Red Hat specifics
|
||||||
|
|
||||||
|
This is almost unmodified text and requires revalidation. Some of those
|
||||||
|
statements are no longer correct.
|
||||||
|
---
|
||||||
|
bin/named/named.rst | 35 +++++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 35 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/bin/named/named.rst b/bin/named/named.rst
|
||||||
|
index 6fd8f87..3cd6350 100644
|
||||||
|
--- a/bin/named/named.rst
|
||||||
|
+++ b/bin/named/named.rst
|
||||||
|
@@ -228,6 +228,41 @@ Files
|
||||||
|
``/var/run/named/named.pid``
|
||||||
|
The default process-id file.
|
||||||
|
|
||||||
|
+Notes
|
||||||
|
+~~~~~
|
||||||
|
+
|
||||||
|
+**Red Hat SELinux BIND Security Profile:**
|
||||||
|
+
|
||||||
|
+By default, Red Hat ships BIND with the most secure SELinux policy
|
||||||
|
+that will not prevent normal BIND operation and will prevent exploitation
|
||||||
|
+of all known BIND security vulnerabilities. See the selinux(8) man page
|
||||||
|
+for information about SElinux.
|
||||||
|
+
|
||||||
|
+It is not necessary to run named in a chroot environment if the Red Hat
|
||||||
|
+SELinux policy for named is enabled. When enabled, this policy is far
|
||||||
|
+more secure than a chroot environment. Users are recommended to enable
|
||||||
|
+SELinux and remove the bind-chroot package.
|
||||||
|
+
|
||||||
|
+*With this extra security comes some restrictions:*
|
||||||
|
+
|
||||||
|
+By default, the SELinux policy does not allow named to write outside directory
|
||||||
|
+/var/named. That directory used to be read-only for named, but write access is
|
||||||
|
+enabled by default now.
|
||||||
|
+
|
||||||
|
+The "named" group must be granted read privelege to
|
||||||
|
+these files in order for named to be enabled to read them.
|
||||||
|
+Any file updated by named must be writeable by named user or named group.
|
||||||
|
+
|
||||||
|
+Any file created in the zone database file directory is automatically assigned
|
||||||
|
+the SELinux file context *named_zone_t* .
|
||||||
|
+
|
||||||
|
+The Red Hat BIND distribution and SELinux policy creates three directories where
|
||||||
|
+named were allowed to create and modify files: */var/named/slaves*, */var/named/dynamic*
|
||||||
|
+*/var/named/data*. The service is able to write and file under */var/named* with appropriate
|
||||||
|
+permissions. They are used for better organisation of zones and backward compatibility.
|
||||||
|
+Files in these directories are automatically assigned the '*named_cache_t*'
|
||||||
|
+file context, which SELinux always allows named to write.
|
||||||
|
+
|
||||||
|
See Also
|
||||||
|
~~~~~~~~
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
17
bind-9.16.23.tar.xz.asc
Normal file
17
bind-9.16.23.tar.xz.asc
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
Comment: GPGTools - https://gpgtools.org
|
||||||
|
|
||||||
|
iQIzBAABAgAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAmGKhMcACgkQxbTukxqf
|
||||||
|
nf1EbQ//YXsBbMtyI3c0MoleSi5zwzcpCTZTWTFHqH5WUiruLMDF453j/Fn2zaSC
|
||||||
|
WuaUnhN61dR+BVtX+D2Y8GiVQFICo5X1nJj0jb/TcflXFq7YLWUAO0NPwPkBL1J4
|
||||||
|
/PA0YCp1zYcvBXIxTKaU7AcBxlKmcGLdZcgCyGU6NSKaOJSxHOWXM460uD/crskB
|
||||||
|
iSPEbMevN9TTJs9webztJNKH/3BuNkOD9SFb6JlUIQqwKx1v8rosgdI7BvgGMZqy
|
||||||
|
s+10+GlIRFFvsX2XkX8BnjDlQ1QdzDOAoyCU+Se9rXDqu+zZf1VN4ReUCSDuPYf9
|
||||||
|
z+GW1EbMxuZzEKrEIJvhnVNNiHqtKVaK6IIUX5bHqgPLEx87HxJMOPmbyBc1kDAe
|
||||||
|
0WCmsITaq62WvKOG8Ho8wLrlG4AAO5+A7xit4bJ4XUtLiqyt+9FUIeEFY9nZb/6O
|
||||||
|
OXK9eBMZHZ++r52RtA+GYZllkNRpzwnULOdR/9svVQuc10/MjnRoFqInzLlqwfwm
|
||||||
|
2q6r372oWn8+MUvjQVBgzprn5BvY+HDo2gNEYEi5QyR3ql2dX/Qz7iUdUfhRvMNL
|
||||||
|
FdPt3B3kktfOV98p/imrIwLwVVWwKBlphntkRxLtSZBs3nbo27F/ND54fixC2eCa
|
||||||
|
epB6FF5IquzQ/MOiz4uql3YexNDQQ+7N2IGPJVMwO2ILAyZDNOQ=
|
||||||
|
=pVtf
|
||||||
|
-----END PGP SIGNATURE-----
|
30
bind-9.5-PIE.patch
Normal file
30
bind-9.5-PIE.patch
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
|
||||||
|
index eb622d1..37053a7 100644
|
||||||
|
--- a/bin/named/Makefile.in
|
||||||
|
+++ b/bin/named/Makefile.in
|
||||||
|
@@ -117,8 +117,12 @@ SRCS = builtin.c config.c control.c \
|
||||||
|
tkeyconf.c tsigconf.c zoneconf.c \
|
||||||
|
${DLZDRIVER_SRCS} ${DBDRIVER_SRCS}
|
||||||
|
|
||||||
|
+EXT_CFLAGS = -fpie
|
||||||
|
+
|
||||||
|
@BIND9_MAKE_RULES@
|
||||||
|
|
||||||
|
+LDFLAGS += -pie -Wl,-z,relro,-z,now,-z,nodlopen,-z,noexecstack
|
||||||
|
+
|
||||||
|
main.@O@: main.c
|
||||||
|
${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
|
||||||
|
-DVERSION=\"${VERSION}\" \
|
||||||
|
diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
|
||||||
|
index fd9ca8d..f1c102c 100644
|
||||||
|
--- a/bin/named/unix/Makefile.in
|
||||||
|
+++ b/bin/named/unix/Makefile.in
|
||||||
|
@@ -11,6 +11,8 @@ srcdir = @srcdir@
|
||||||
|
VPATH = @srcdir@
|
||||||
|
top_srcdir = @top_srcdir@
|
||||||
|
|
||||||
|
+EXT_CFLAGS = -fpie
|
||||||
|
+
|
||||||
|
@BIND9_MAKE_INCLUDES@
|
||||||
|
|
||||||
|
CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
|
53
bind-9.5-dlz-64bit.patch
Normal file
53
bind-9.5-dlz-64bit.patch
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
diff --git a/contrib/dlz/config.dlz.in b/contrib/dlz/config.dlz.in
|
||||||
|
index 47525af..eefe3c3 100644
|
||||||
|
--- a/contrib/dlz/config.dlz.in
|
||||||
|
+++ b/contrib/dlz/config.dlz.in
|
||||||
|
@@ -17,6 +17,13 @@
|
||||||
|
#
|
||||||
|
dlzdir='${DLZ_DRIVER_DIR}'
|
||||||
|
|
||||||
|
+AC_MSG_CHECKING([for target libdir])
|
||||||
|
+AC_RUN_IFELSE([int main(void) {exit((sizeof(void *) == 8) ? 0 : 1);}],
|
||||||
|
+ [target_lib=lib64],
|
||||||
|
+ [target_lib=lib],
|
||||||
|
+)
|
||||||
|
+AC_MSG_RESULT(["$target_lib"])
|
||||||
|
+
|
||||||
|
#
|
||||||
|
# Private autoconf macro to simplify configuring drivers:
|
||||||
|
#
|
||||||
|
@@ -292,9 +299,9 @@ case "$use_dlz_bdb" in
|
||||||
|
then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
- elif test -f "$dd/lib/lib${d}.so"
|
||||||
|
+ elif test -f "$dd/${target_lib}/lib${d}.so"
|
||||||
|
then
|
||||||
|
- dlz_bdb_libs="-L${dd}/lib -l${d}"
|
||||||
|
+ dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
@@ -396,7 +403,7 @@ case "$use_dlz_ldap" in
|
||||||
|
*)
|
||||||
|
DLZ_ADD_DRIVER(LDAP, dlz_ldap_driver,
|
||||||
|
[-I$use_dlz_ldap/include],
|
||||||
|
- [-L$use_dlz_ldap/lib -lldap -llber])
|
||||||
|
+ [-L$use_dlz_ldap/${target_lib} -lldap -llber])
|
||||||
|
|
||||||
|
AC_MSG_RESULT(
|
||||||
|
[using LDAP from $use_dlz_ldap/lib and $use_dlz_ldap/include])
|
||||||
|
@@ -432,11 +439,11 @@ then
|
||||||
|
odbcdirs="/usr /usr/local /usr/pkg"
|
||||||
|
for d in $odbcdirs
|
||||||
|
do
|
||||||
|
- if test -f $d/include/sql.h -a -f $d/lib/libodbc.a
|
||||||
|
+ if test -f $d/include/sql.h -a -f $d/${target_lib}/libodbc.a
|
||||||
|
then
|
||||||
|
use_dlz_odbc=$d
|
||||||
|
dlz_odbc_include="-I$use_dlz_odbc/include"
|
||||||
|
- dlz_odbc_libs="-L$use_dlz_odbc/lib -lodbc"
|
||||||
|
+ dlz_odbc_libs="-L$use_dlz_odbc/${target_lib} -lodbc"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
31
bind-9.9.1-P2-dlz-libdb.patch
Normal file
31
bind-9.9.1-P2-dlz-libdb.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
diff -up bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb bind-9.10.1b1/contrib/dlz/config.dlz.in
|
||||||
|
--- bind-9.10.1b1/contrib/dlz/config.dlz.in.libdb 2014-08-04 12:33:09.320735111 +0200
|
||||||
|
+++ bind-9.10.1b1/contrib/dlz/config.dlz.in 2014-08-04 12:41:46.888241910 +0200
|
||||||
|
@@ -263,7 +263,7 @@ case "$use_dlz_bdb" in
|
||||||
|
# Check other locations for includes.
|
||||||
|
# Order is important (sigh).
|
||||||
|
|
||||||
|
- bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /db"
|
||||||
|
+ bdb_incdirs="/db53 /db51 /db48 /db47 /db46 /db45 /db44 /db43 /db42 /db41 /db4 /libdb /db"
|
||||||
|
# include a blank element first
|
||||||
|
for d in "" $bdb_incdirs
|
||||||
|
do
|
||||||
|
@@ -288,16 +288,9 @@ case "$use_dlz_bdb" in
|
||||||
|
bdb_libnames="db53 db-5.3 db51 db-5.1 db48 db-4.8 db47 db-4.7 db46 db-4.6 db45 db-4.5 db44 db-4.4 db43 db-4.3 db42 db-4.2 db41 db-4.1 db"
|
||||||
|
for d in $bdb_libnames
|
||||||
|
do
|
||||||
|
- if test "$dd" = "/usr"
|
||||||
|
+ if test -f "$dd/${target_lib}/lib${d}.so"
|
||||||
|
then
|
||||||
|
- AC_CHECK_LIB($d, db_create, dlz_bdb_libs="-l${d}")
|
||||||
|
- if test $dlz_bdb_libs != "yes"
|
||||||
|
- then
|
||||||
|
- break
|
||||||
|
- fi
|
||||||
|
- elif test -f "$dd/${target_lib}/lib${d}.so"
|
||||||
|
- then
|
||||||
|
- dlz_bdb_libs="-L${dd}/${target_lib} -l${d}"
|
||||||
|
+ dlz_bdb_libs="-L${dd}/${target_lib}/libdb -l${d}"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
1
bind.tmpfiles.d
Normal file
1
bind.tmpfiles.d
Normal file
@ -0,0 +1 @@
|
|||||||
|
d /run/named 0755 named named -
|
4035
bind9.16.spec
Normal file
4035
bind9.16.spec
Normal file
File diff suppressed because it is too large
Load Diff
34
bind93-rh490837.patch
Normal file
34
bind93-rh490837.patch
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
|
||||||
|
index cd44fe3..5b7c539 100644
|
||||||
|
--- a/lib/isc/lex.c
|
||||||
|
+++ b/lib/isc/lex.c
|
||||||
|
@@ -27,6 +27,8 @@
|
||||||
|
#include <isc/string.h>
|
||||||
|
#include <isc/util.h>
|
||||||
|
|
||||||
|
+#include "../errno2result.h"
|
||||||
|
+
|
||||||
|
typedef struct inputsource {
|
||||||
|
isc_result_t result;
|
||||||
|
bool is_file;
|
||||||
|
@@ -422,7 +424,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
|
||||||
|
#endif /* if defined(HAVE_FLOCKFILE) && defined(HAVE_GETC_UNLOCKED) */
|
||||||
|
if (c == EOF) {
|
||||||
|
if (ferror(stream)) {
|
||||||
|
- source->result = ISC_R_IOERROR;
|
||||||
|
+ source->result = isc__errno2result(errno);
|
||||||
|
result = source->result;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
|
||||||
|
index e3e2644..5e58600 100644
|
||||||
|
--- a/lib/isc/unix/errno2result.c
|
||||||
|
+++ b/lib/isc/unix/errno2result.c
|
||||||
|
@@ -37,6 +37,7 @@ isc___errno2result(int posixerrno, bool dolog, const char *file,
|
||||||
|
case EINVAL: /* XXX sometimes this is not for files */
|
||||||
|
case ENAMETOOLONG:
|
||||||
|
case EBADF:
|
||||||
|
+ case EISDIR:
|
||||||
|
return (ISC_R_INVALIDFILE);
|
||||||
|
case ENOENT:
|
||||||
|
return (ISC_R_FILENOTFOUND);
|
31
bind97-rh645544.patch
Normal file
31
bind97-rh645544.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
||||||
|
index 31549c6..65a14b6 100644
|
||||||
|
--- a/lib/dns/resolver.c
|
||||||
|
+++ b/lib/dns/resolver.c
|
||||||
|
@@ -1762,7 +1762,7 @@ log_edns(fetchctx_t *fctx) {
|
||||||
|
*/
|
||||||
|
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
|
||||||
|
isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
|
||||||
|
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
|
||||||
|
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
|
||||||
|
"success resolving '%s' (in '%s'?) after %s", fctx->info,
|
||||||
|
domainbuf, fctx->reason);
|
||||||
|
}
|
||||||
|
@@ -5298,7 +5298,7 @@ log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
|
||||||
|
dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
|
||||||
|
isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
|
||||||
|
isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
|
||||||
|
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
|
||||||
|
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
|
||||||
|
"lame server resolving '%s' (in '%s'?): %s", namebuf,
|
||||||
|
domainbuf, addrbuf);
|
||||||
|
}
|
||||||
|
@@ -5316,7 +5316,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
|
||||||
|
isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
|
||||||
|
|
||||||
|
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
||||||
|
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
|
||||||
|
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(1),
|
||||||
|
"DNS format error from %s resolving %s for %s: %s", nsbuf,
|
||||||
|
fctx->info, fctx->clientstr, msgbuf);
|
||||||
|
}
|
534
codesign2021.txt
Normal file
534
codesign2021.txt
Normal file
@ -0,0 +1,534 @@
|
|||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQINBFwq9BQBEADHjPDCwsHVtxnMNilgu187W8a9rYTMLgLfQwioSbjsF7dUJu8m
|
||||||
|
r1w2stcsatRs7HBk/j26RNJagY2Jt0QufOQLlTePpTl6UPU8EeiJ8c15DNf45TMk
|
||||||
|
pa/3MdIVpDnBioyD1JNqsI4z+yCYZ7p/TRVCyh5vCcwmt5pdKjKMTcu7aD2PtTtI
|
||||||
|
yhTIetJavy1HQmgOl4/t/nKL7Lll2xtZ56JFUt7epo0h69fiUvPewkhykzoEf4UG
|
||||||
|
ZFHSLZKqdMNPs/Jr9n7zS+iOgEXJnKDkp8SoXpAcgJ5fncROMXpxgY2U+G5rB9n0
|
||||||
|
/hvV1zG+EP6OLIGqekiDUga84LdmR/8Cyc7DimUmaoIZXrAo0Alpt0aZ8GimdKmh
|
||||||
|
qirIguJOSrrsZTeZLilCWu37fRIjCQ3dSMNyhHJaOhRJQpQOEDG7jHxFak7627aF
|
||||||
|
UnVwBAOK3NlFfbomapXQm64lYNoONGrpV0ctueD3VoPipxIyzNHHgcsXDZ6C00sv
|
||||||
|
SbuuS9jlFEDonA6S8tApKgkEJuToBuopM4xqqwHNJ4e6QoXYjERIgIBTco3r/76D
|
||||||
|
o22ZxSK1m2m2i+p0gnWTlFn6RH+r6gfLwZRj8iR4fa0yMn3DztyTO6H8AiaslONt
|
||||||
|
LV2kvkhBar1/6dzlBvMdiRBejrVnw+Jg2bOmYTncFN00szPOXbEalps8wwARAQAB
|
||||||
|
tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
|
||||||
|
LCAyMDE5LTIwMjApIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBK4/rHln
|
||||||
|
EexZ/AB6pHS7a5pMuz04BQJcKvQUAhsDBQkD7JcABQsJCAcCBhUKCQgLAgQWAgMB
|
||||||
|
Ah4BAheAAAoJEHS7a5pMuz0476oP/1+UaSHfe4WVHV43QaQ/z1rw7vg2aHEwyWJA
|
||||||
|
1D1tBr9+LvfohswwWBLIjcKRaoXZ4pLBFjuiYHBTsdaAQFeQQvQTXMmBx21ZyUZj
|
||||||
|
tjim8f9T1JhmIrMx6tF14NbqFpjw82Mv0rc8y74pdRvkdnFigqLKUoN2tFQlKeG+
|
||||||
|
5T24zNwrGrlR3S7gnM47nD1JqKwt4GnczLnMBW/0gbLscMUpAeNo/gY4g0GV/zkn
|
||||||
|
Rt91bLpcEyDAv+ZhQZbkJ49dnNzl5cTK5+uQWnlAZAdPecdLkvBNRNgj/FKL41RF
|
||||||
|
JGN6eqq3+jlPbyj9okeJoGQ64Ibv1ZHVTQIx5vT1+PuVX/Nm0GqSUZdLqR33daKI
|
||||||
|
hjpgUdUK/D0AnN5ulVuE1NnZWjVDTXVEeU8DFvi4lxZVHnZixejxFIZ7vRMvyaHa
|
||||||
|
xLwbevwEUuPLzWn3XhC5yQeqCe6zmzzaPhPlg6NTnM5wgzcKORqCXgxzmtnX+Pbd
|
||||||
|
gXTwNKAJId/141vj1OtZQKJexG9QLufMjBg5rg/qdKooozremeM+FovIocbdFnmX
|
||||||
|
pzP8it8r8FKi7FpXRE3fwxwba4Y9AS2/owtuixlJ2+7M2OXwZEtxyXTXw2v5GFOP
|
||||||
|
vN64G/b71l9c3yKVlQ3BXD0jErv9XcieeFDR9PK0XGlsxykPcIXZYVy2KSWptkSf
|
||||||
|
6f2op3tMuQINBFwq9BQBEAC59lflbMmvSVkCHFoakdjokwGviNU4I/hOsNmHALYr
|
||||||
|
gJc0z88ss2KxbOq6JZoW9QOEHz2QLGsSGKnBUViEGvXoINDGuvzKFqHdEjGsExiF
|
||||||
|
FPGAgCQA2CSEZZ8MlITNdq4DuSti1LetjCF9d7hw2xOQs9ucxSXIslyqPbCdlxki
|
||||||
|
33tov40VE/J8jDUp9Rv27e0H2x4Nhu9MRQt4vTtpOcelYzl/dtPAmsnY4U/Nex4I
|
||||||
|
LM+JU2HcG/5i0nWkxOtz9Qc7kOgm4cuwXTCJw9KukPS3CykV1H/StPp43JyxoK1X
|
||||||
|
gZDMFww+9jupqLletmYKqCW6jVbqXr4Xlisq9Ey3LIWRQ0Zw/LB2NKU/jgnJGtLa
|
||||||
|
7O8VRWJKwkCtyYUbZMksKiGex7zCqPDR0hRVuYNsTjONobnrOS+7ST7ThbCndc+A
|
||||||
|
5mtuXpxuFffIuG78a3R3N30RF6g18peTfaEHMpqz+914HkNl6Ns445Zh+2rJkLUu
|
||||||
|
8O++tgWEUrpUajN9nosWaXWHOf7E9qGnm1G/3f9P3Nd5U+b3OKUYyqb+CNGCHyiN
|
||||||
|
bE1Cg3MnKpM9Yi9aZu4Qg/dPdxMWrqUmkmyDf6x/Oh8ZZkIacFlAaqbysQ6hRaJo
|
||||||
|
p7UG9AJfXHynj/Hz+1dNpUOlAIairFe3T2mWQO4Yy6IMgLEGVodZRHaMugdzZwus
|
||||||
|
HwARAQABiQI8BBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlwq9BQCGwwF
|
||||||
|
CQPslwAACgkQdLtrmky7PTikHw/8CZ+DnggV4AuI86spuMLdtUBDOux/T0gvyxSW
|
||||||
|
f8sJkjH0eAYAmP9/flJDfmwra5yNaINfqoLFWtaYLpxpBcWBc4VIoiWqVp2aaCPi
|
||||||
|
wh0sznCPiduiYcKGkHmupX8aCQXBYFDeQ8Jq1e9zwGD7Mon7BeBO48Vd5/IT1H5I
|
||||||
|
u5qzaCtD2ECO9MYdhuqJjFKU0MVzVocsBDdtLvrfnUwe4wc6kvOgHQ6RkMJU1bgY
|
||||||
|
0Sqstsg12vnREAr4uihnZQEihsRmNdiiv0DYVaRK92PLPpfVAox1Axq2HpH3WT87
|
||||||
|
RpsFruXLj/zTl4AZczfDVd/Z4yWmJSzr0F5igkGSUrxo0ye2kNES6cmOGI9TgmgP
|
||||||
|
NLGXlC/su5fKXKjRgkD1ibJ0qFNNxF3Cwpz/+cav9ySDgFGX5Vu0kFi93fEYHshD
|
||||||
|
6lP9M5qS/2oKiykCGvcRCNU/9emdYlF37H52rxRerBaZN6dYMTjZw2vsEMUl06pL
|
||||||
|
llbLiwjPix2OlLFcwH3yKJG0pKkpEImBdJwHtJh5uHzfkSAbZjJAZ2Ekw7sLqiT0
|
||||||
|
85hAGovywGpHMiYkqhNUO84fjZYCsrAlZMdriY92IMcQhmWQ416t5zcle2Xgx+/x
|
||||||
|
zBnktvx9KIH/HwBa+qym5z/uFC2S6zhNyC61LV/CEDCmcUi2lUXr7vcIxCsmxuUF
|
||||||
|
1ONbRP65Ag0EXFtUfAEQAN5tk4luE92Ed4E92VlgTetGMHyxwOlZ2OsK6l+Z5ML0
|
||||||
|
wzomAITgMQwG0FeT6HX7vB+luVhg0XAZUW/K0bme8ZEO0dbHB3Vn07wXHhmq7QXH
|
||||||
|
/ACftkvevIT610dHskrtIvE5rZfj1P/wtjRTxDrkjhlGj9vhUxxcCkKadzDdBJGo
|
||||||
|
dP+Zh02d/4cc++LePNqZ3eJWm0JLghqKxzTv0MV1r6G1ZeykFzXeWY+La8ZCRaON
|
||||||
|
LcHjI7wlpyTJA9WGmyAphtEHM4fQqKLxtebIDo7m4glgR12nlV6B53gUT96PcKuA
|
||||||
|
Y/UPRiTV6nHyUtuL1EGTAVLsMDmtDbdSdtLLVbJXVmA+tapABa4amMxNVNY3QSUj
|
||||||
|
cAbECcTyVmVJfIT5fJW4eOMhWtrIGMspWoO5It0pl4K8jhCzIcfoXQ0olCSeC9fE
|
||||||
|
tljE7qzRzYQUUvN1VZPVX0Yw/xSwOutv4mxmNRWY9HW1M/jGoRAboqN8WhCbldak
|
||||||
|
a0XCH3U4rWXB/8HHb8KP4+q4ssVyPuEQ/v1UNNRk9AB25NPEh5PMdcf7HU8IcUHX
|
||||||
|
THEfd7zZVJ0l4FSsnGeuJfMrnRIpNOYX65ikeoTwmDU3ZjWfmSy7F5hTLw8WOEB4
|
||||||
|
EKpnplyV1QN/j3317/M9PxvB8IOvyNF2okeurtHFMmI/lGwy51akp6iHMkbBDm5n
|
||||||
|
ABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2uaTLs9OAUCXFtUfAIbAgUJ
|
||||||
|
A70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBJXO2iVrHKChXzAvtZUhp+1drOkY
|
||||||
|
BQJcW1R8AAoJEJUhp+1drOkY94wQAKb2fED9Up/xHEOjZm5ODK5LCVHy0KMATiTf
|
||||||
|
5SiJhRtqaRbimPH1WB3XMLls3FJZnm+UngIfwCsoWo0rksFUNmqFi6t4Cj/UB/Zv
|
||||||
|
29EnDT9BAeG5fP+Op5PDCsu4qnLv3oam35oV9yZLRkLhBd/EkRGEA/q27WnpiYCx
|
||||||
|
Jv5uPOJBWQqu32aE6st23PpY/QWDWOhGPfcWCecu1rIe+2BCs0UjfO0KOT8HYWNh
|
||||||
|
nGpsEZ+TmDKjRxMTYWKguEb9evEihl6kUwmQZgROdhBes63Yq4ku9rBXvRhCYbwS
|
||||||
|
odhjx2soDRcNmzxNV1Ply8a+2bwRHPnOeyyxEHFAwjkyXo7ZqGtenwSriG0LOW87
|
||||||
|
y3Yw63O+oAlGLIB3psBSj4wZVGme9485HVICAFcJ3jXqsXSIJdzW61nGerB2r2Qk
|
||||||
|
Bn7yYIvHg3iOToB0alfNw2QuDtCZTNefvlHFnoashRhkk0yWzBerleFJbijx4+Vr
|
||||||
|
FaOH35BO1T3rgBmGkDW6gewoZMHEcmzTDoxxmbXiRvY+5o7b+ul/yzwhnJz3f5jk
|
||||||
|
7+Adnr9qAGMD2o3rCRBHV3lSEkLhBL+bfmsEYEor1fd+pDFoEKKjpDP6bgDcZyGv
|
||||||
|
O0mmr7Y/6ZrnKWxOrmNXieOTLbpY22tXv43QLgyiPcjhCfphT95IxqdNfMfOiI9k
|
||||||
|
IQf8g7GBciIP/1mbdnMj6Hg0J9IbI/XX/DWATOVMdDhq38VcggOHRjZk2lY99+4V
|
||||||
|
Au1wRHa/Io/CENikYzI00deSzhrN+tdUK/TCZI0Ft5Lykmti2ilmkIQGsBuD9gu/
|
||||||
|
2bmWkNJEdpHeC/+oxntDFj43CpyKpPAarrw+4XiYNK+1+4WZsQRL0jJuKJ754v/o
|
||||||
|
NTaSd8GOCyFR7q8SVH4tig9DjkZjYjFFMnWkxdpnDX56/AfdS+x5EaRHKCJoGChT
|
||||||
|
+pHimvKe+MxBxpwJr4JpGddklin+6xUF5jTG6322hz385wsagGvmH2XliOu47a+7
|
||||||
|
xUei7w3S1qtVCfdhtBEWL5i021yVYlrw+rUCwpFMIXAPA/p44O/qY06sQXJ01Fym
|
||||||
|
JCbOnjtVYX9gdF8fMKoDXAcvEtSulBNpXDongWp50BDfVoA7h9oDsxL5kw0GpkJn
|
||||||
|
uVMYLpO+iOqoEA3bJfsCedilkcz6UamLb+6RXMupKQaZ006Bu75Rm+h6PdicdiKD
|
||||||
|
jJY/7PbGuUmXxuSFT92v0hATlpEIQ8H8laEcnb8apiX2qOyGUHnb7pfYoNqvCm06
|
||||||
|
3NP2igCtiGkzAohiHfhztfy2UApiTtXmPu3EhEUMooB+0Lt0zzY+e1cnFKRbJHvQ
|
||||||
|
ZidiOJfKuqp6upPvEgKYMRCAU4+nLT3MVbralo726JnDqrDJvCqAamhfuQINBFxb
|
||||||
|
VNsBEADcRGjaY+/ZVWBlQWvgy08ObhQbTRglb8thrcPeTR7211JJwAJemuTWwCjF
|
||||||
|
SVDH8JJ0Ss8rBcbitrGI3i3mcgJRQ1hILR2HT0bbmMLufCxZzQBjJm76H8XN++k6
|
||||||
|
bd8HCYGXMguUaHRRHAcV+P18e3qGizgL7c8Vln9fbhowkX9yi/WhiL2uoXC3+XSa
|
||||||
|
C08TzwjKPb9Wnct6uCBAzMp8S7KW6P18vZyBTRBrugA9eZrGEe25rhy9szlJcajc
|
||||||
|
VeMiDMf058z7ait5t43AfUzd5zrD6c+ZGYIku88oY55LsZVcvn9o7I+UNbNJdiek
|
||||||
|
IpLae3Dgrie3QgDyfzPV1vXT2X8LaegOsNIkSo6jzjdKE0ZNg4xVSuPdr5jujYBN
|
||||||
|
z2k1lqV/Q/Ccpqzs0NsgnXnY8RDDrrmJhdy/ZrCMsXpbTK5KryR+JoDEiuyJ7YO2
|
||||||
|
jTOCo6zQ631jvi7XUeHAFIdQ7eYRklJwABwj/IMXY++O8JBLO7iZ1dvvu3pfY7pg
|
||||||
|
dQvPgDttVAIxrNxMMj39LRbb6LE+eclWcTfGCMr3O6LOOLwkMnDWEkJAz7JMtWqr
|
||||||
|
2l+9xF9Dq7CkxHPP87dLTMNGIDr38bJ83CSmDPlBoaljTYgrlatBTV2hGMjPgEcB
|
||||||
|
jOgg6QyRGpO2N0SVBnD8PfBI7a7CwQw3BHOJtH8vPUkXZoafoQARAQABiQRyBBgB
|
||||||
|
CAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVNsCGwIFCQO9IQACQAkQdLtr
|
||||||
|
mky7PTjBdCAEGQEIAB0WIQTXDITmS1WOW8zsByEy4hdfHXV6KgUCXFtU2wAKCRAy
|
||||||
|
4hdfHXV6KoJ9D/9IUN+s4gSiyWnqfq+UK5q86DTbC+OyQpAY/U/VDi/jQXDUaXzu
|
||||||
|
f25cCgyl4Xgf6nNTE6IEdgJCL4R6bChxJOHNpZ8/N3ckb/Q5xHKZ/5k5wFv7nxUk
|
||||||
|
vunzxB0wUgCLkn4oy4B8QbTMuRz1qcSdehUyZAlfkr7o/J5UO8FtgaMuNACxZNlO
|
||||||
|
JW5AjTDdbEW0MZapAgjx7+oTQMDtz9q4afuPaGJ3fTz4Vx1+mYt59b1h6xaMTXJi
|
||||||
|
8egJF0U4n/tJ+3gxAIhF7tQRPdNEwG+2Kw/YNyrLMY+nbazhlgUIIkk2IH3Ztd0S
|
||||||
|
XnNd7gV/slN80T9CtHtaDlH2FkeAd1unynxsDd/TLb1gLHem5iDsFuZBaIyHetdY
|
||||||
|
TlvT3SlKnDQr0FBTe86Kuv7n/ZNoU4lceXhUXTcataxKdxKEJt2x1Ei/hMHSVjaY
|
||||||
|
3ir57tuOUDMkl6hpL3sYiq7cMGUAnLH9nBZbbcNdfChDiM24mGmXaNoITutVAHS4
|
||||||
|
uNunSL1l13hJ1hnGY79j4l+CgnPx7LHzBmLh4PPWKM3RYqwgaPEkflVQr1JOOKMM
|
||||||
|
x4bpllEtzpvVAIaF73tlsOQRRN1Aah67gvkWKqiZrXc0Sx/yh8EO/6bImb87rtVr
|
||||||
|
0kjeDGEiuGYXsszNBCmVjHal5kLUKaESefzd223zeaFe9foO2HrnsFb9B34ZD/9J
|
||||||
|
W5M+42QFd+tOLh1ue/5xToiyggGh1MX9axDqHiRu2w+E7kNuuws2426aupUQ3yPD
|
||||||
|
4dSwR428U14ytM90bZXztKFDgFAaQJ/4YVEGPSbLHFc4VlhDHpGljl8J7vI5xPOm
|
||||||
|
Ruc9aabtXwd065nQ2csk1DliiA4jpS9dUq/flH2oGj4b2OSGFvR5oC7oERHMpUA0
|
||||||
|
p+wY3vnjkSVnWqV98yEBCFcZvpOy8J5KDZxYZvZydUvZ3ny5W6QPg8OKriqrCAKW
|
||||||
|
QXds47vRIiAasK14duLgex6il7HmboaqqOhRhevtBAHBJpB1z6Aq0SMwcKwdtTId
|
||||||
|
GTSoQd0R77ZGYvR3StpAwl8rJhCNwJHu2euA3hYPWHg0pF0L8pFbfUwOYf1dU+uQ
|
||||||
|
4xAJQKcCteQ7B0pawp+Hxp/0erB5c5PUUck38ze1ZoGm/oqh24XZ/amPVWE9nYSo
|
||||||
|
VTJwnbqWsfI6mzKdBHr5MP5zW5ei0PAo3lFb5gvVzJ2TqaGJvrh907I9R5Nwd6GM
|
||||||
|
wAWAzZ/nCLflSNyPyJ3ftxY6pGyCBJsycY7gBQD9i1xU0bxONltqSyifwQ0rt7yr
|
||||||
|
iwSI0VRnv8K3M2iTAdDm44bX6oHzljgiYachlV6IGmO3vdVVrCDhm+b+ia1bnQ/1
|
||||||
|
H7itWEwllkUCCtaDwEcf8o3OdbS9S5KEbwH7YUD967kCDQRcW1UMARAAvl+0jUaB
|
||||||
|
UkQWBflWy4Wd8Gcf3lzOqbARdpM/iztebc7RbLnv0TNFQPV4TD9RoP+rY4dJzC8w
|
||||||
|
/rlxlhD3DiGcI3of3o/3pN6jss4wKyy9Jcg7uCo/fcspOoPOwigAUfBYTd2rWNvI
|
||||||
|
/pPUl7zmavQR2+TyQ4IHWG52zAABGej/tf3Ma6WGHC4QeTkh7LtHn3JFRCoFy101
|
||||||
|
x60bJqIWONfR6+5UAOL/P+zTteEMsO3v7dWCWHX/tcYLrhCEH1CNnyPS7v7TF+Ys
|
||||||
|
uOGL7sSmQOUAcgldfUfTACw84YqViu5BSYiww18Eg1l66UcQFnhwB3fTGwzb3oPM
|
||||||
|
npAv2wAZ9gyFGzRgcH8QnXRm/SLDWlTaMIJS//0p/gXifCAdBZA/skBt+E4hQ5Sr
|
||||||
|
9iXGNMueR3bn7u8Pcoc1DpSJENE5H0nB62l3/OiSl/k7mJMGlUv6wKr42xNnIM6M
|
||||||
|
hO97axjRXy/XQz5n6ktyn9xRngkQNL9Ynj+i8E0k/xv5jA39EGAKOXxQFf8357sA
|
||||||
|
DnZ5g/Yf0Yr1c+TNIIRXER/k/KMavB52mguTNqCsewO5aje4Gq4vKd5P+jOKGopA
|
||||||
|
C4idTLkHutZTiakod7lW2jmjpm6P7oyAeAhDNEroNrbOIw0SaujHBmJtxgK1Q929
|
||||||
|
y/EaH5vJyWfMFyUqM7CQBqUU/HRLERsebM8AEQEAAYkEcgQYAQgAJhYhBK4/rHln
|
||||||
|
EexZ/AB6pHS7a5pMuz04BQJcW1UMAhsCBQkDvSEAAkAJEHS7a5pMuz04wXQgBBkB
|
||||||
|
CAAdFiEErtYi/gIHfrS1wUbBQqJ50kjNwxAFAlxbVQwACgkQQqJ50kjNwxAf5xAA
|
||||||
|
hBhcOeqLgeXbUu0CCTKlnG6D7H8sQJWXCSsh9pAXffv58b4f0ntJ1TztKfVd79hS
|
||||||
|
BCcXRc/9+MhUUzR79NvFWWZMWqJ6MucjAkkOBRoc7c85PawYTI7e1zSapLPJEHG0
|
||||||
|
xDzK8ClxwGEvlA4O/eGGVFaCTkxdTQg95fDXfghab6j89GI8Ghc9rC9V8RUgGVQV
|
||||||
|
qJJkBJ/gECJJp3holB4/w/I/sU+9AHXGKJvSJJ62fpmY143Y5JQk+I8DxoT0kIq4
|
||||||
|
W2iZVAQMzQGpAOXkDuHk7a7J/QuL78CuoG98GOsfTd7nNsgPTZ07cPYGOxXeNR5U
|
||||||
|
9DlYOBWDwsf6d+D+tHLB8KzH3MWnWa3crjE3a/sgrDEad0CmAJzHXuCyPMy8vPQn
|
||||||
|
uxIai/gw2POq8YQMoKW5S80perLuN73FxAumjK9a2hYVdZNtABwrlW/6ELruv1se
|
||||||
|
mMjUq6oDyFio0rGy/uzCItl13hIr1Ii7B/SPz9dNnCagV8aiUmKXRk3HKoEXf34I
|
||||||
|
xWlod0szWopnP31NXNKHihs46ORSMrjnzFKjRcJsnipdins+DHJYroYhtOjNtsb/
|
||||||
|
WV3D4tSerG3xKF/v3ssn2VsjcgK5HY/k9iUol/dvoP0bJ+rKs/fzt8oAqEexiRnV
|
||||||
|
cPnj/zAiBOt1940+0vTWaNYOPDkq872S48GNybOC342u2xAAnAp5myKostxjyQn3
|
||||||
|
E/7/G1OWHaJW5kx/HCqHCWjgwwLOmhssNn8kpTf3ybvt5uhMolIF95RjFB3gBOfU
|
||||||
|
vw0sqMvEoBoGSMSTSc3zD05RBsWWFD9qwvPMXtn0gYaH39ISAFnxXrtrQ7dDD1d2
|
||||||
|
LcBErdttnxEhUnT4/0YIat+r2PhmYYDYviKsuOy8MC/sJIxvhYEpbyPQnPksUzA4
|
||||||
|
wmAbVNPlzqU2oWPrLT2tlxUue3z6VS/YHDcsLSgjVOMWSusLMh1+D76Y+Lcr9kVz
|
||||||
|
nRu+dYXh4I6OBnlT1VuzEVmrf69NFwh8j3PaVn0I0NEDU7mMa+5W0QYuJIsXZonq
|
||||||
|
SI2uIu64ZOVd+D8WmCEZO/Kmk5PMXs+0fMcFD9mOeFaiOdz+PIlHAsrxwKXr4Q5z
|
||||||
|
zzu/wEOaqAVa2bJywTbl8MntQUY/XeD94MvdlSAwO3Ll1BpQ5NfXjm3YpP6Uyqlj
|
||||||
|
pkrYQL56iqucgYn61jLSXhFHGLXSZs2G48ggN2mHtf6ZQeAJ4D2DIXRj4uqIHoJf
|
||||||
|
7MWDui8u+cJsw/F0ZerPsCN/CpkEoj4FW4F4O3JbiieYSUK7lxc0qyDdbQiVCVl/
|
||||||
|
08wNToe3RctSzsQ99tCwfVWqLVcTVb+0aeSaNykb+qW30bHW7AUYs/qKiapQFzZz
|
||||||
|
QZnpHXGmVe93fDfILx3yUCA8Yia5Ag0EXFtVOgEQAOS7GFDH2DGXPMJzSdS7a/zZ
|
||||||
|
ewP4bM42n2Ku3XiCyXG173p4ppNdOLS3l7JrRflMhjfBtETCOV8B4z0B9wCZZywz
|
||||||
|
iLOt8+0A0zpY7EHZNvMRjZyq/s0FCKLtnlqo/KNwiJPRvQazZ6+UOSffEQEGpNKs
|
||||||
|
1ycZIDb1tk8iRpRvtCin8CeLRLf+2BxHbWBewnCSCl80rC89PTcvPf+jmtcDJqDQ
|
||||||
|
z/blp2CT1JUo1xdzyHYdIa/kQ2PBQo02ejBVs0vDjbzuYVQzZV3q6cYnYwGPtpTB
|
||||||
|
Ot8GXuA1X3qYx0MlZwGEYpiTFS+Ju4cJrYofuBOudXpfux2uAPkJskw+ro5k1I/q
|
||||||
|
fptRWDbZ4fGgROmUXBPg29XdyVExYgAbVeBdHWX30sCHs8+c8wzWkdAY/BgdCySg
|
||||||
|
EVLiDmSfMekH2H1N9ncwzhwNlHk2BaYTR9hWdZ7lrH7BbT8g6SVSge/eqgvjKI33
|
||||||
|
AUmragvNQ1B3362yqLK/FJOHyJiYd6DKfkq4E+ysw+C+qIo51qVNkqRqT0M7HhwZ
|
||||||
|
AvaoeykrGIE5vq6jHa9+MxDlsN5Sf7gNgx2dk0d7LAJR6AmYNqRS2V+837XfogMc
|
||||||
|
bB90ZyK2rOzDN3f48jaqXA8TX2CSun01RoPdCPZm0M/uxTZxOFzoatrkpEVbx/3x
|
||||||
|
sjvuPVa7qkKdgUuo/PhBABEBAAGJBHIEGAEIACYWIQSuP6x5ZxHsWfwAeqR0u2ua
|
||||||
|
TLs9OAUCXFtVOgIbAgUJA70hAAJACRB0u2uaTLs9OMF0IAQZAQgAHRYhBHkdfriO
|
||||||
|
vI0BOENKrDPfNZrnpgp5BQJcW1U6AAoJEDPfNZrnpgp5JY4QAMry7TcsRIZJCVlC
|
||||||
|
qecIAjyJizWz5dEwScba0BDU4rv/h42CvXJlySZpbgUEyB4SBggEnu/dKVbsd/t0
|
||||||
|
TXRNg80Zs/pTFVbwcg+sDgIg1wZldZbClLfvgk0xLoDl5vq+K4SAQwSLTSPHQyYu
|
||||||
|
8IxkrKmbBdBSXlgnmcHK2lDXrzWYJDEYEyFPV4pC3cHicCygSc/4eepUz+crEF6Z
|
||||||
|
IE1df4LRv9h5CgsLewMv5nQ1EjxTo9mX1GiSh3e7KcfS98FgIQl3oy+yO2cmVVVq
|
||||||
|
x5ggDcRI2sUbXa3D3kjAo2tUIA1nUMFLIrii+aZawOsf64VMdIs2OXEi5XFR+Zdw
|
||||||
|
t+Bx6lUKZ3/tntStZitJdK8/RUbhmYQ8Tu01vxt/IAN+07VxWyZwcFB5KuC+lKtO
|
||||||
|
/0vwyhyiOlHm8lzV/5qwFPusB4bNk/2uLPUaavJdrBpmB0t9pol/NFCRzW5MKFvu
|
||||||
|
Qw35QyFVR0IBeaGjRc5J9yxbzi78umN1iHZbDjXFA7oRa9tkM2AP8V2anxSHUyon
|
||||||
|
UN6OuLqSM2frA8iZcl0S7qcepYNF1ix9PhdQHXy0H7hoikXMLIiCl/unW5pVTs6q
|
||||||
|
KnmxmRz9ZcqvvuVXbeY9C+kZE0LOBTZMljuS1Hcs69RU3rA18swfN5CTXw12ZwQZ
|
||||||
|
SsnRhi2X28Tn8SD0vrEsEf08q3XshDwP/0MvBBfymXd+5MzxlvMg8vGJeFuDMEFN
|
||||||
|
cpETa7Xzzz5Eir3ETtxpUWPCriqmCpnlIWidNwbg+LlyTeYUDPIDnMtEX5ySmYGn
|
||||||
|
BI8ykvAKm/XTfr0PWOEAXcmxTC3oMhvYEhIyGHZOFJQxIo7vmrwZKi2wqMnKMPq+
|
||||||
|
XXHgvtZe5tNbESI27APeQCMVZLVnVVa0D1JRFYBuwNoJXhWbAIKlIjBGv05NvK71
|
||||||
|
e4x0zEY2mXxLBbsxVBvHhpg29HseX/AhHvUAcBehJ+sqnenXZqdeNhgBIeZubXq6
|
||||||
|
A/gfscswF/Ocp63Z/vqAjEmvUKwAxNKrKlwLVShVvobPx2N4hH4ZT7p58cjhMhQz
|
||||||
|
Lm4whTHy1hvBIR6j/Lo2eOkkVhiMlrrvWJIAEic3Gzj5f7XOsVr7CXjkSdoXHOIR
|
||||||
|
63ZDO/9Wy6ygu8vCdiIFlyRyUBLnGhUYVbRYnTU58tQMfEYy30ZKF4vxz4Ysxoy1
|
||||||
|
oJa6emaa33Nn1Z2kE64AaW4wbUJ57nROuFdoYTwJ02vyc51J4s0C94EA+a5VrQkN
|
||||||
|
J7bT8P9G5gksp4b1WyoFm+O4aU5Sx+XpSO2IZFuBL05anF57Pm6Bz3LJX6sEYima
|
||||||
|
chv72q7PYeYbETrl4DZxE2xlEiMUvN4DH/RExpPWeUsVMFtS5n60n5+AW1EYyGJ9
|
||||||
|
mfWlvZ0xCjQ3uQINBFxbVW4BEAC/gtho2rZl6/+/szkOfEumAdFwyQbtM5CnJyuU
|
||||||
|
rnrneWWlnNPLeaHml5a9yrcgOZ15QgnFD5YOHZ/S9L40goML8cB118etk9uE7vMv
|
||||||
|
EtwxbkqZXTlqdxpFI/SzT4jJCa9XFQ2uA+KdmKmGW9EagtdLql2B9ziMhH0Ha6Y9
|
||||||
|
5x+9+7/oRYU+ddmAbwrJjdn6bCuYQ7QVpccFC67qdpy2I97v03hst7yGT1FbrIjE
|
||||||
|
sF4nMig6Uhwma5Edqm2dLaVXeZ+Fl0WeQCnWjprZMvkHCAxjTBlQpmvvwcQwqHot
|
||||||
|
s832s96l/Sd5R6r+TWU0lTtXpcxL6t7MXfW+BInkqg0ZiHG1Znni6SwfatzDv6W2
|
||||||
|
lJW2pj3Ub++JulEIkbct1f+TEeeLU0RbJmWlL/qe24fodKg1ixH0gyxsRKzdBUIf
|
||||||
|
vgCkrzwLFgJEHRISjQzIASVtDdt8QoIqX8XALgjMBgAnZqtYrAEdFImWys0K1zOu
|
||||||
|
MbuPcTImufz5ObnKM7rRMdCO9z+cHGs0TT2vUvPPuOsNYL1GX4EfrCp2eLKahjJQ
|
||||||
|
BCxfatn4mFqHVmR/4a7vqq1j4Qfj3h08z7QVrNwGWAF3r8nmaHdaT0m55xctMRQa
|
||||||
|
3N3UaYj0IQ08CSUJq5e005Z5Oinbt2O4paxnG4/UbJXpRiLEVU5Ja17IBsDfZydx
|
||||||
|
W//ZlQARAQABiQRyBBgBCAAmFiEErj+seWcR7Fn8AHqkdLtrmky7PTgFAlxbVW4C
|
||||||
|
GwIFCQO9IQACQAkQdLtrmky7PTjBdCAEGQEIAB0WIQQVaJBoXqDfahNx7yAXzF2x
|
||||||
|
8AiEBwUCXFtVbgAKCRAXzF2x8AiEB3iPEACI735VFBDd4E6wlGAA12Av+XnWSruo
|
||||||
|
Te7zGdKo2SuZ1gN1PYdNgflbifYCYajnQENp92N3q263Sq3MDf+EZYKijJ3EoU6y
|
||||||
|
chjOJR6ge+UgKPdGQc7Lu61wWECBFaL6TMXCedcZ/Xd0xT2IbvK8qsKsITDjiDOh
|
||||||
|
DUqdjVeyPXyfkmSrF5P3hvNxJvPbQ6k5Igx9JA+unLXxatljAeh1whnchRQAIKkx
|
||||||
|
l19Nr1z+odFD+tzCX4HQmUfHRXgBiJICyIxWB+U7USqLtqk+7DE893meceSt0Mz0
|
||||||
|
JgLct0E5EFfCdwbehnl5NJeay8XEdcfjUkeyb/VAVxWYUBiG72okUIaIP7xR5MW1
|
||||||
|
P6ecdTr0GzOC1SySpfyT0+ot0rtXGSnXrBzpY6nU14hDoV3g/FMas+qz1smTtOVi
|
||||||
|
1MVakDRf4QyP9Jqf4q4/GosRrgBvXZHi+zWkKuf+DXPcL/q6MfgHvQc6tFMh5ONQ
|
||||||
|
snrF3Bca3BQDT2GKjSukeG3JmECHmKtQk22jhk6T9DJ3518yw29El9tUgraaZ5Fo
|
||||||
|
Gen3TYCxA2BhV2LYCSLSHiTPdtUsbDuIP/FXaFXr34nAtKKOSSY6nP8SMzCPSEMN
|
||||||
|
iscfdjejR1Xd012T/mLqVCBzFJWyX2RaUdygSWUpt/QdvWa4pXCgYZjEVidraOws
|
||||||
|
VWMbb0zuI9KCseOaD/4jd+awtnRUj2SbGeJSVnqDPk0Hk8ndFebAo70uQGATkLXC
|
||||||
|
m5ls0RDU2xHZumuUk+b74Y1KjwdqF65NEmfjaSQ6B8gnCO69eKHcUT821ED9bwfa
|
||||||
|
4XpgsOMEoZklvFByax0JMS4JEJU/xfsLmfeuXVirN9Z82vxAXG8fuK8bso6VLG/J
|
||||||
|
Mpxhq1Zv24NQ+uevvh9loyWMcaw3IqPvQzNlyuuya3rXJYZHSH7TauYgqWySXiGS
|
||||||
|
H6oXl6Ej4GR3t5uWwHKvEREQer+KPZV3uXRnrTpgITy+PxZ9ywmPwmPBHcD6c0P+
|
||||||
|
g0lNNtDdvw69qy+oh7JaqqYaDvedseN39UgBSx++ewRhq0OTikAD/BCv1zhPizlD
|
||||||
|
9BHAOsCxrgnz0WsONYKFAE8vtNo/wB//djf/zqMsI3iWdbWqM9e/muEEV4jQRWLW
|
||||||
|
TWp1XTqqvkc6TsLBBNO5zisJ0VwSfDyRUplr/IWeUl9FrRngjBJqF2nl90US5p3o
|
||||||
|
uk5wUWdjFa0haFyDgZNFwyFr85mex+o6qIC3oif7UjC4kHPe4wzvHDYAxrHMB6MY
|
||||||
|
QvrcXzULmInot3qRAr5duUNbQbrjdtVvOQFvjowBP5Scu5ZBSzc0O2TUUSKgnJZS
|
||||||
|
Bs7+yswfgyhYzusbxlOdA+iE2Y8GuovamGYTbsdCxDStOMfZnaiXuLL04Uy1PQ==
|
||||||
|
=fX+D
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
|
mQINBF/u5KMBEAC0hPiTonjYEe5FqNzFn73KmcN8KGD2wzujmWWLnFXGEVDEpFcS
|
||||||
|
ULQDshhCclwNeXUArUey4nficwpqUe+Xl2h4dP4z7yh3WiL5nA5JRjJjw8KJQGVW
|
||||||
|
AkgiZTnJHH8DrzNt9LnDL516qMDJarTHemDUUUZLNxnuv0RDEhDxsXWiVCQZZcw/
|
||||||
|
41yIY97uCf30dsDwnckVl3iEmYaGTYavWbKP60S8WaxO0YG57RI1etmlIQ0nMmka
|
||||||
|
4bvFnwwb9Jdnwle4LIiRMCGymsheaKCKrEZgIJY+idyBuExLLykiL8iNBj2Pzi7z
|
||||||
|
XSCniH9qcEwfqgZlP/KZwujLhGOc4c4peNwpuDGcmYZoAsUD8CZ8H/LU1FIR2A1u
|
||||||
|
/UrRREtC8nNTDGxCckSMEquHNURfMk1QmDbJ9gaa9aOk0AArxuTxyj6Cn+KQd5l5
|
||||||
|
0mN0R1sDVQq9xWdvnB7N0d3MDhnV7f19iUhi3KYvjVTkCMXjhNXjDH/KXFKoFhKa
|
||||||
|
9SkxYGfW25inwSQoqbP1TE5+rESf57bo+XFxfVQuYfVJ5BlZobz+sRl2iDQyBJDM
|
||||||
|
uDFyXE/t+E76BmwyHeOI1weqUMYebqHgu0x76dTYj9yWgWdQAC1pXi15/MTIaOtQ
|
||||||
|
hWezb5rkI2yZqaZLaRBOIRBIPM5C5AOjL2XbfwUuSr2W4+TvxLocxi48DwARAQAB
|
||||||
|
tE1JbnRlcm5ldCBTeXN0ZW1zIENvbnNvcnRpdW0sIEluYy4gKFNpZ25pbmcga2V5
|
||||||
|
LCAyMDIxLTIwMjIpIDxjb2Rlc2lnbkBpc2Mub3JnPokCVAQTAQgAPhYhBH4ckayA
|
||||||
|
MKWlnR76uXUPPIdyPkASBQJf7uSjAhsPBQkD60WABQsJCAcCBhUKCQgLAgQWAgMB
|
||||||
|
Ah4BAheAAAoJEHUPPIdyPkAS0lMP/2IgMErScBUaXrZXqYXoluR8xU0p9DyZEBx+
|
||||||
|
ZGNAcJ2CTPAbn3FrkNGNpK4SOCLXEZPKOQ09umaIxl8H6uEGaTut1JLj1qGaZ8ID
|
||||||
|
4gAeQcTIN9OQA5ElQo+ci20XE9JSvzqY1zb04EkMuVL678xPCYJhUSLS0MAQkcDJ
|
||||||
|
JQLN17SwNi4vGqzVhnwKUviQU9/s+LRUkThsTg4qT0fNnmGoVJXqrshxJa2ZWM6J
|
||||||
|
QtOWBgJiC6xZ+zRiZS898L0tekU4o9yxtnnDWry2bI+mJbxAp94ZAXgKahOU7LKV
|
||||||
|
3SPxkx7TAng24nOWi1EaP51pe7usTFH1BR3CUHZdoIQ4xruZGkt/qPumskofzl+1
|
||||||
|
8bw1bEFbq8S6jC+twT3JUcE02HbEIbrd6l2T8pYBXaojFggGjUTSv9d5YUN5N9U/
|
||||||
|
/Qy0o3xZwHNdXLx6xSrUO+NT5JU1Nh/0sutEH7ru/YqFZof9vfCbV86y8fIOPgk8
|
||||||
|
LkJNUSu4QCJ1PHKB+fJp7yAhlPkOXNG1b9+W/hVp96rdkovpCUkLD83s+suQyJGk
|
||||||
|
QB7Qpem7nS4zp7/Naui+g3M3p/uRSzZgELTnXNyY//bw9fOqx5SDLjSUslUMz+TH
|
||||||
|
sFTwfo/Mot70MPHMe6aE6tdTDoJTcv4Iim/8MDhJ6yqKt8sxprataZoWwFi6zAF9
|
||||||
|
BzWkJcrbuQINBF/u5P4BEACso8iLzFJ+M1wqcsCDup+GtRMzte04CAlLmaLgyzfL
|
||||||
|
3xxBo4AUgX6UbUCGycG878JVn52S6Nsl6FlasmyH00MGjZt1CuNz4htfSmLGcBMj
|
||||||
|
IwQv1CYR8bm9EPwR15NaWdgzJHShCduMHv4HdfqSa6UQfzO/P8mwioER19fkDQSE
|
||||||
|
U1KsY0yl//ipWiW3ZJGShGHLnn4YbxogQtsRPESKUsQ9MtzuMt3ehGtkN4RguOXC
|
||||||
|
6pCWP8J4F9lgjSZ+uLOQKV4rmpbSMXntOJi2nu+14Zj36enW8xyAXO/w5z/wci2G
|
||||||
|
LN/aa/v2a3GM3WJQsPNzpDwB+pr1n0Kp+wK6K7siVmDoV+WecD2KNNgOuSyUve7h
|
||||||
|
BjWRM9W13LsgLGhKJA8yUpPvhXk91vLRUhwFJ2GUirxLPLs2TSTjHlHvhcPy6aX2
|
||||||
|
HxbHkcOt53n2h0zx7ntl1N7XHozMWmHphPsSvOZ5StuQRAFvfE63EyfR84KUPIbZ
|
||||||
|
kvftbAJPKCJC8W6GqhfORzYZqldDNNva5iYHF1OItF79ZLGI56diNsBV9SOVKk4d
|
||||||
|
f9Qp6urYOd+9RGQGmCQte/WSFaU9z9QYPEGl1NlmGAWt7KKyB6QXZH1oEMwXtPd8
|
||||||
|
4GQX3XGtyggEp6BGwkFFWRQzF1EZ0maRPrpN4bpQqLXSJiqQxsX+FAcOkhpo6X7b
|
||||||
|
8QARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5P4CGwIF
|
||||||
|
CQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQTpq255IzwEFuiZP0UMA6+pClln
|
||||||
|
xAUCX+7k/gAKCRAMA6+pCllnxDtmD/0YCUccmKudW9PiQw7mI1HSuwL6aS+MlG6/
|
||||||
|
LJ79nmi6TTpe87NDcEv2bBpVWYcQK87smCxIYyuj4SCZuBQivjyuecipRoG14PUh
|
||||||
|
KU8UiqdF+vKDvUAA7huOBlR4dgr7/KvjirnbwO3mGouwZszDOLvaHuO403+TPm1b
|
||||||
|
mJtEA9y6Wbk/+PTtfPymQwnaiJkPhQ6Q7ZbyasRIisO3MRPacUjt2DXFi5VV/Mya
|
||||||
|
8o5Pae3zY+5SjMyE2siPnVE4/nzp424jDzSq4DGEUip/x+QYHFwxhCJmdZlRIFmn
|
||||||
|
vSCAGXBpyPVbckC0Gw8kZ8HsGzNbMbx/VjDG3LFT8TR2Djsh99/6icO1J+jDkPNn
|
||||||
|
IFEsYjAw7Tos5IPhIT1XkSCW84KqBG5pGI5h7fJzf19sR7Ki6XyFe6VYvggeQIS7
|
||||||
|
VN1ISl3tRN/dk0GbrKkUKr0OVfaRD0wXQHTzbec8Fs43G0z/DKoFutGB/J3yjAmw
|
||||||
|
IOcP5R6rqjhVp4APQpsB51XCaaqEXaXZyMWrKILbPIjlE6FHeh1qd+zdIjullnF2
|
||||||
|
YZv89HU9dIXxKr35CM8f3BWm4D4cRjsUOWoGhMNwdHzHYOdys6T72KBK9D2irz8C
|
||||||
|
L0bycjN+SIpde/auo+dQKqKD3/ipr4dyKJyOUsls9cyhxkFp031cZ5rWbXcLJ8/s
|
||||||
|
1BeVPjFCngqPD/9rMKA6kCSnTo+rSqZRxo9RlQwy4K6xfPPdHZvBi3A4UYCsurgl
|
||||||
|
qLtFtGG8SMWigmUZWLT6uhsi0orR5wfG7vzajF0Hcd8yuWa4zGeu0rFJXgG64Pyj
|
||||||
|
nJHtv2Tzi8DNY5Y+8mfXqUewyEUXQLxnLqpGlPjNUAJKvjm4SstNadewgWeb6F8x
|
||||||
|
UQJc8owGmK5+yZQ5LZj6bjt9Dr3SCM3Og/iS5XK5POGUJgtgXLXp3uy7p9SzsJ73
|
||||||
|
qhrDII/YqSwToMu8tUv4xEGxyceVPDm+ywde5SXYmtvMYrq5DBdlalZ9kBlC5fyc
|
||||||
|
IIzKoIOOkKKpa/YAyKdLTk8ZByjDk1RrdcOyP4VNpCvyisf6JPwWfKdM5mxf47hb
|
||||||
|
s7zioUH7miUGA6i5TNi1e+DU2mL92sJwQ0WkHw6KaUez2Y9CaD8hZnQw/h/JcNq6
|
||||||
|
nb8y0GR8h7qWms3K0rtSs8SuDXUsdZrFAeURivccmohXddtt0FDzkheKGXs27SSl
|
||||||
|
8oOCh+jl/hEUzz2mJGFwRBo0FI5ipN51IfjhMJ8zzSmvfrtdwT2Tu6wSY9DLsYR7
|
||||||
|
0tWGOc2HA6o7kdcC1V0p2jvQct281FrC9dTXFgcDuGUBYhzEZeWwjuYQXBzMquF6
|
||||||
|
ersVnPo/Z5l1SnkK+wVBQbf4igHOaobl0AQxnb86W4CXBTZ3CvRq6o8vWbkCDQRf
|
||||||
|
7uUlARAA7oTlVZXhdVlPnSQlnI5JwovG2jEIrRifpbyavlhlosX+rgtQ5EILn0DS
|
||||||
|
PJ35CNfOAeOcLQeRrJAZj6w/x9FHWfKRAHUeiTTsVDzTrDyJBCVuC40ck587KVUc
|
||||||
|
GuB3vee03/y8qAczj5TZNaDdl+4qAzOFQuV4MjwJOx5fsXZw3dUAS7pw1mTkAYTh
|
||||||
|
nz557buc8JJCxrebT6FvN8bugk7LJ8SYmI154Q5wCdXB6Q42sdSMFlKKPYRRmIvX
|
||||||
|
vI4Ytl/J35v43gCLbXccTWQpBX+ra75sndS2hYGQhcC+WdNtt4THgU6Sb7ErpJK7
|
||||||
|
7A1r1Wf0WSioQ2VWjT0QbUE+6IXD1J8duh6ZgzuqppMm13aDdMDZGwdcxlFw+vlo
|
||||||
|
bM+IAX+QgzPjslM3FHVvvfCLka+ctMO+lL0bz1G4njNEXcIAILhmoqRI4ItVH7Nl
|
||||||
|
ZI3pAfLLB4qbhTKTIiS+uIoA82RU86ozr5oJZCsJa5N5EpJnYxnjv2tYhU42eh+j
|
||||||
|
hyM+5ra1dXtveKvL5SkVuRUlPZvgOuwQ14Qnj6sv8CmtBpyVpupHmY2RbNtLVLdH
|
||||||
|
Ix3lyQbgVo9iMJIoXiPXmcRWCgLgOeuETjFXsEcFLxuN+D0My0dtwWcg+271vtPn
|
||||||
|
0orTObxkctFK+V32ByJYxVvytNCW245bICpxCicxmh5kYEmQCnMAEQEAAYkEcgQY
|
||||||
|
AQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uUlAhsCBQkD60WAAkAJEHUP
|
||||||
|
PIdyPkASwXQgBBkBCAAdFiEEqtu6UHTxQC97adVrxbTukxqfnf0FAl/u5SUACgkQ
|
||||||
|
xbTukxqfnf2aeg//ZspIr4ETVf3ai0dXCm2Pf6gpM7QUfI9fPUHymvBhNrNhfZqN
|
||||||
|
ADpzbJefzLif8as7kUr904zTc5Jse5a0MzCrMyEwTDIoCKDv2ktLq1L20bwflZs+
|
||||||
|
oP27CYC5FkJYgLYPrQZ/7hRC8EWjgn6v3seJtEo8G73kiVEBOnxVEfGZ8zxmX1Cp
|
||||||
|
aOWfhiFYCmkEe6Ck9hG+OaWt7+WW0wWT1UFiluzRRAEMROcCUtyB5IPCqCH/Rz/m
|
||||||
|
/bE6G+lHZo6OY/wY2q/oW2f9JB/4QyJeSI+fkjY/wDjfNQjiPMLfZctv25IeZYVY
|
||||||
|
ZvIKrdnjbzRe+GwYLg5G/SbpSOEb5O55Ps8mNUpYFaMCfefW+DG48a4WyUGzFr52
|
||||||
|
BMKvHKtc6c7P3+muBAqcNZYxRqyLIQiYiV9CCjpIV1WgUeedroHUXvJF/SAvNVvB
|
||||||
|
ZR00I/D2hsD9BFh3B1FEYbw7GuYuG27Z6fgRolOQUeTabjQLI386SV3IxZ1KFwm4
|
||||||
|
GU8BTbUA2zwT3hu/BaaCI5jTSLyBpdo10b1wgMEnqmXG6AbNdxFVEWwE+CE++BHW
|
||||||
|
0YBhKp8fghHwwN1fwTCV+QyA4Qn6EBVDkTrUPKqTeCmHzt3AQh8WVrsmrodyr5Yp
|
||||||
|
69LoRnlkLcGJiOCKMOmkop9Z32ckGieYHrl24Dw6hmUSWDG+pBn0ezbSPit3FhAA
|
||||||
|
qD2y1VzqxsaCOD634Ltq8AbvphP8XZPrrsC3DIA36ITaCQDa5Cn7madLCXy/uP6N
|
||||||
|
+tojtzXf4tUzumwGJGFLtdMXNmuEuXrj++NrU1xcscbvDn5O4NDMadwI1EDlQo7w
|
||||||
|
uWK9jaQAVhF7iDEBEazZe26knQFxC0my4SyO1uQaEg3BKHj6z7dkAjzWJaQZhzql
|
||||||
|
yrRzbCiVUUI8ZkrgM/+/6NJohUG/had6DoefgK6H8/yjgVx1Wtx+XAuBQ2cvclhc
|
||||||
|
TAmHs128dWduNHxI2Yx+uM4kuHYpPKBwdEh91ZNeNqtBJURfSVjBCjKkTYiS7kiv
|
||||||
|
XyvQOBdZVeSVpj/QoAfaUlQoBVm7aF6xf7GtYlVzjMsLYdpjXhy4ZbQQVUuPI+1f
|
||||||
|
yFkw8PpASZ3gvO6KQ4V2w3hOYAxYQ1kSwTtaA7+18nyv65VolTmAotmLun94UKn7
|
||||||
|
zjopByBnC/XEqsU3tibg9A7xQ2KUpWkpmG35f4ZR9aEIxSe2Jmm+Se0JfiAq6Szf
|
||||||
|
dyWvr/TzaS/BZL4WEPk2Vw/mzWEPZOscpIkBFGK+Ul7yuXvbrbwr+zmAikHmTb1V
|
||||||
|
XfPb9eBnwDDuRHhLBym4FMrPjzeziAxxkScTfDjWq6rvMmaEe1CX+dj6ldx9Jp9d
|
||||||
|
iUngol89eSgAQOtptjcit5o0Y0Mu/RF6KIBG89ghFly5Ag0EX+7lVAEQAKFx5asK
|
||||||
|
W7A9BNKPkaXgym0AlW2szQR1nwxi3APLVLS0Al9Y/3mnBbYyO84HDr82AtMSWSMY
|
||||||
|
UZIKtkUj2sVqUb+xHOPkY/MenyoBrCl2qaTVJ89nnWMUjtrX2qk0O09+ByoYXTit
|
||||||
|
BVPAIZ/qZfGNB+Dsp1haNKRdowkf6WXkw7A9dHB5isVmaM/Z0THNJRHwc6mcqbEV
|
||||||
|
M4fDL+OCx6m2KQHTHirk+OE9Nwral82IIqj3d5UBHmjHAbQNXTDzZbWg6tYbLN3I
|
||||||
|
EYxSRQpkJZIVheyBmWFZuivm4hCDZxJlZ1sgxQeIZk6wR2LBR6ccTW6PH11PhIpr
|
||||||
|
6O8aQh8JUMg+/aJK2eQXINozYdjOTUjnWAUeUqML7Pg/vERRAgHXO9Z+NTIEWEOo
|
||||||
|
Ee+8WOFmrmfjb9Uz27DtymhUjOl0ryiG6F1b90t1rZvVKWR2OaCUhICm88o3MCgb
|
||||||
|
HFeOh7v3tnQb2Uot7kY1hgch6j1MNYWGb8LjwoTAmx9okEv9mh119k+SdVJP6wsX
|
||||||
|
ZtL4860vTfTw6RQM7rkZBzTyf4qCvU5uRSd2u6JqtUhw4m/gkKQyW8jLEkqX7JaT
|
||||||
|
+iEBgPzjALvfSWDbDgst0szqU5jltYpgjG3On7/ZGFFJrkB06orUvovxLThWWvm1
|
||||||
|
iugw4/av3n64hl/yfxvKQHLQA3Kfkjjzc3oPABEBAAGJBHIEGAEIACYWIQR+HJGs
|
||||||
|
gDClpZ0e+rl1DzyHcj5AEgUCX+7lVAIbAgUJA+tFgAJACRB1DzyHcj5AEsF0IAQZ
|
||||||
|
AQgAHRYhBGFPhWcuJXtdQn6ZBiGZBzrXgrS4BQJf7uVUAAoJECGZBzrXgrS4jfkP
|
||||||
|
/ApYZIRnBL+LdTPYdbZDYXotkE6RO6ZsPdcV1G6na5jJ7igdVuvoz5nP3rX+oQoH
|
||||||
|
6k9DysQzyh/SkXRPnbOOyvQsI7atmH7SkhNn7ke8zmEJLzApHA0ZMGXtBJHQkZwA
|
||||||
|
5LDWIQb8HbtJTBr2DyJcQdpRmP3hHDgyYgwg0AUG/2JEwYqps+/pqJCrLSP+GLOA
|
||||||
|
ia+wRH9xwv1Vl2gIxWXqEO6U3puqUg+0z1Av4Gj/xzuw1F3eLrOfgklhpASc8QtC
|
||||||
|
89kx1nhFS+OybQfRAH7YN9DKE5L1kJxQ4t+uW8TiXf9r+MdcVMEI3LATZRtgowFc
|
||||||
|
493g7EkTppmqabFns9OamyxXdIzLAKoKvykr7HPCBWUnZn2I2RrcGQltRBQlR0Mb
|
||||||
|
jO+sFi89XnFPwXIw/t/9zoq1bXCGTt7H5RtrfxC1wTYXqLEdV9pptNj7j5mlff9g
|
||||||
|
DMw1v3MfUxbz9gIDzs7ANnw3SkWi+d0v0bLadWdItkq2WKvvgB58NJtKPc8Jwilh
|
||||||
|
nO7W31U/kv8FR9JcFXzS9+Y6ejIClF4FAwr5tK07N/xSFAKEs5kyAYEKxP6vI59m
|
||||||
|
5h+tO8cws+pi4gqfWa3t3b+dVzKl9AIkWAYjq9FvbfiqZgKTlTviSUMpmK5qJVld
|
||||||
|
72+NiolUVniJbw9Z10ps4G4zmXSl1ZxyKnehUzcKyPieEEsP/1/tctQx1LhVu0TJ
|
||||||
|
RLtWrE523hqxpqDdF8/QrNp9dX3YVoEkMQW3YYir2oERtaosWXmRjldq5dNfgtwc
|
||||||
|
lhG+/CP5rxNeCJlI+b64pC/yQMCrbz/V74aAipuv7ZZMflgr7ZD5i3jyM/7/AunS
|
||||||
|
qOUPwkKrjetNF85eibeO7c0Y9/HhILkLQ8EoNfJshdc0/scwMZEpLHTMAHSrxCAV
|
||||||
|
FuhLsF9epenA6IbtuMsp43aSxshX05RH7F94uj4VCMUSs/90viB5njItpPdZCqUH
|
||||||
|
eXSvLSjxqsmS4Tz9Dn+uWvxleBLRRcpZykuNLGgwVXafWftWbA+U9KaJnDWFdzjJ
|
||||||
|
+gAsWfHfFBOa1RfXYP++e+VJflcHaEZ4byLG5Zf1HqAvvcaShAVuMXY1hoYJinvh
|
||||||
|
uk1zJRW9dP7apZx7BXWxbWcn8LMR5GFfunl/M2iNASmkqxJ9gvy6TBRWJu2QeNbN
|
||||||
|
5Ks0/GDUawQqvhmM3V6zFQWVsPwaHpufIaGqnKC2gXaIHXPP0ldyXdLXwgZ+6A7D
|
||||||
|
IEqHQB2BDbiJtovk6GaK8PUCEHTiDmRF/mBzlpBJOn+Hc5ELufgr9E2lkrKJzFag
|
||||||
|
CBCucNhVEaUedFrycxfSALing7DJPWb5cobu9K+3T9L3k57XgxSAj+g6vOxHuxHL
|
||||||
|
ve1IPheCWfkKpJH5faFDWKpJYYPauQINBF/u5YABEADgWTS7wFA39XvpWNHSfAAR
|
||||||
|
2/nlGWuTvD7zoirzUwOd2+I2XYwgl910KsznhlqDrHZlqKuGRjQlbpyTbsOH2N5k
|
||||||
|
IE+0uEXidU3iwslSZ33RLL0h9+czDnlgijYXLCg5ScswBEC1E/kXX685AUCTPX2n
|
||||||
|
D1+Ymxxgov3AvItVxKDd3N5ERsy6hYWPK4ACXt47hJFqPfPtnQe2IdFkRm3bOuX/
|
||||||
|
X79Kb5N6cAoao65Tpsix1pm6tTNww0+THzIWzK/yhi1/tUOv/QJMEVAxeBAPr+Pm
|
||||||
|
mvjHvsI9RNQt7VnoHVkqJhPDxyQZR2IOVQXvlYyCtkPA4WQlyxLzWM24TG8xhD1v
|
||||||
|
zZzA8qs//o9QI8OLg2ZYxplC4lW6GEZk3GnrTXs7bW6HUq+RlayIbDw7oMs30jAv
|
||||||
|
YyDdQpZrYuZvsWKbKu+65Yi3M5kW0v96LT3ueMJaL/RanL9JhAWuEqyezffsBZ5a
|
||||||
|
88/i0n9FJ8cQ1fZq2/GLq/mN2JZ3e/HSWynTnlmk+qGk2bq0cRFJNHAs2HNAm0Id
|
||||||
|
pjSFCPmek9j30wp2c2knML+SsSw5h6570mwILuKwFr6i2hyFlPk4H7nP04vPQ8P2
|
||||||
|
Pu5O/Cfg9rPSBjIi9FsNS8/a29sSuOmsSGHZnMrVUpGw+iKmx/jVejOtqe6hYydu
|
||||||
|
MSQtIU59E2fq5TM4tub6qwARAQABiQRyBBgBCAAmFiEEfhyRrIAwpaWdHvq5dQ88
|
||||||
|
h3I+QBIFAl/u5YACGwIFCQPrRYACQAkQdQ88h3I+QBLBdCAEGQEIAB0WIQQjoUGa
|
||||||
|
YHzyVyZWN3UsTffOV4ELlAUCX+7lgAAKCRAsTffOV4ELlDerEACBP9kAH17GHloL
|
||||||
|
XJjd1IHttRWU2Qs/VV0H14g14hgRz2/Qa7KRR4mGrXPKS/ctMkDXwlvs4HPUTeO4
|
||||||
|
MMT38hwxv54AjW7CtF8DR3EQFXKR51roICQognvqpPe1auNERdLzAdcn+NoHEQB7
|
||||||
|
eyPqjQM3OGGq0SVRwNnv777o+Kd8Ncv/4fR1xvA20Ds94G5vCYpHB6J+lPPVXBmz
|
||||||
|
rOYSf+QZWsXjAZdnAAYkpEjfJhNrqvqSoRxZ0dweCqieenm8Nzt/vdL9nT3+4AGy
|
||||||
|
5hmaAG2ENj5AhI194gtgACvKwCl5hF0VKMhtm5d9SWS+1quHzgn3UFh3VZrfjPid
|
||||||
|
CR64mIu3RpZe7EcR+lMl7gCJxdFlHVD3z1lbz2V6u+xH4ZsLrTY+v8kDxzY8ojM/
|
||||||
|
zDbnlEK+xzA9akhlaD3D3wKXRVuSlrxfEVv14mwKN5AYHN7bLL3bjOo9WYtLznH6
|
||||||
|
Av4GqXSQ+LOl0+6bLKmD68/N0q2IiZwUSOsxTE1fUdYPF8eiN8L+35Qt0jwybieU
|
||||||
|
a3JYtmO8EW4ZEmjJGwKgyrf+eigJN2/0AeBwcJyUw1YfzaqqS35NNyn5eKANyFQ2
|
||||||
|
ZhIjuXRyBOoUMBAx2TSm7FGeFOIw+aQgap6HuGbZ0EZBz6hr9ogNC9FVXCPENKo+
|
||||||
|
GdTGoIEs0n6gGOPP5ssp7xUK3420AM3HEACSmYaNC1Gfq2d81fI0TBJ9ATCRPo14
|
||||||
|
MjJGiWaFaXoVp/lQeOvlX2JyBG2I6fhMGPGKntCfX+/MERLNAiahQgOjvnOCQdlL
|
||||||
|
hbq+6loQ1eSTX2AXpRlQpvyxLuebbM+HX3N/9mqAksgQdljmqoJQbiE/HqXqjmKe
|
||||||
|
16ylU3Rjabyc2p/31p7hm0IJ/3yqDsM06FUBJ108SALQyVvKqRA6q1t/Odb3xgt2
|
||||||
|
isbCEgvhJ8kYz3LQkvTW75rSa1cM53Udd1rbyo1t0PaOSGeUZw73/nY1+6LtUEg7
|
||||||
|
Q0x4ohL1UE7z7+14mAtn4OvGDuZJil7Lf4cPszf0SFoHPs8iUFpSorBwn3u+5ZXW
|
||||||
|
NYFblPU2WK3O52qZqsjuQI/gK7uQhXjJO5nA5M8Yv7bVrbLMOj64hdOpNbd56Ycc
|
||||||
|
qwYbHZL3WyRAN7TNg5ZlHgIVac22StawjXiHWDGaAXpCaHJn8ryM3LY+LTz16R2M
|
||||||
|
bi+HVaw+0fY9f/mIcOdT6AyDg+V200GkGXL6aw0LZkBZmDin+OMmL7AS8TZ4dvZt
|
||||||
|
zj+sykcT8DsaFj5Au6zHJoCnsuShMquHOA/vcUkhoe8/E2Y2QdiX7zwDM8vFM8tX
|
||||||
|
DujFLNPIZuItcVEpE3ysFV2ZfVgBXoxTlZUQxdgJBQ0zg6Ez7rDYEAhVqo2gY9sk
|
||||||
|
XtN80X/unsjGSbkCDQRf7uWiARAA3i7pu8/QvukeIBoIk1V0GHGPjX+GeV3fR4fu
|
||||||
|
ciYgx+NKTXT/oJ/89KVeetT4CSnGEZcEpAvsBL3hsiblJYyLVmeoCniFlU+rMem4
|
||||||
|
zYP2PnEX70Q56d6SjBArs3K1FZK25S5qqv5ceM10NVRwPufV1RIuui6mQLm2ZwlY
|
||||||
|
JyyANZZXMrHMJdaHpK9mMBSSF42MFQZhcauQCrhMhcpmZKn0D2+PpRveYwSr43Qi
|
||||||
|
qBWR2INTDmj/V3ERMviE7vLajWQcmDdcrBp4u3miAJcJSn3XR5SiuL5W77jFEzgJ
|
||||||
|
zR8yTC4hWE60nWJOk8UrEbpLyr7mBE0Tr7+1IBMgVXh8WHyzLE2ENREFvtp8KlSS
|
||||||
|
y47Ky9n+5aqPI4M7epMNwU/ZGQnC8o3yX0zZL1tKq0fTAw1Ly4NGE1gRbmzrQcCh
|
||||||
|
qUHg/J4KFYBMg8eCAzuPp4CRk8wUzu4fRWrOraoz/7bvhH8ilgPu1teLLKzDdOdx
|
||||||
|
QAaiz/nGy00ICNbYqifR5m73K/rDdjtIqgsMp9Az0mEpgVNq8SPzM5grqAnP/iww
|
||||||
|
QxwFftiXq/pEP2d8rn65e8NikN42Q28PH1D/uBYnOuVdZUvjU9wwywmfyr+NZMaH
|
||||||
|
X9sN8R3Kk990W9VxwdOTITpAjz0qMtpE7i/GwPEtpZPTIfl54+cVKvyUjBuTXkWn
|
||||||
|
vXN+6MkAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76uXUPPIdyPkASBQJf7uWi
|
||||||
|
AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEEBjEqvVaiYb6sKxATk1aQ
|
||||||
|
aqvQi4MFAl/u5aIACgkQk1aQaqvQi4P2Mg/9FXfsIZAgPN/Dq95y1fHG8jsPXEoY
|
||||||
|
VNY1codxxAaNqvBXZkfJbFwSYpLY3xIbyxHuGuOtC9NpIy9M1+PR7MsxtZAvSjP+
|
||||||
|
flP/12x+6nP2H3NWOICpsY1tNOnQe2SjKJxZXHFnDqDBgKpv3QfKUHmYEdExJe3p
|
||||||
|
NQrjZAgmdbEHeoj+P2VV5vqRrJoqNV/pUbM9czfEHeMVMm/mwWNOi/paCh1y/PxZ
|
||||||
|
Mkj2bqLMRFfML9O/7QOJRxu3wQwl6jJHj4o6CHks6t237FSB+qZhhQP+vR2CZl5w
|
||||||
|
lQ4trw0wpNgbZRIMlU3tUfFQ+KdFsM7UqwzwrVgWFur5r7KrFzJN88EKSplrIY0q
|
||||||
|
se6S5b58H7Tw1jtfjb/xF6jQz5aoZ9xemd8roLReRpKPq70o2eIP1HkjCtqmd5Xc
|
||||||
|
RQaVEUvlv34WZQ5w2eA1bEBESjbrKhX+H0Un0msUS0JpnpegRNZqW3Bedeos0usy
|
||||||
|
MsfqMYmZEcZb3hw51XnSb8B/WhkSmcoEuECRxeCu1tw0pn7o4GemAeqT5ng8LXeE
|
||||||
|
RJhrUTlCIyRab8TIQZvmf6XjneT0stZLKCoZUXO+7FH7F7nPsew1dU+WFIauQX71
|
||||||
|
PkZp2JMT7W57HKPuEillF8v5+H1k9Jq/2k+ZdgmT1Gd27nALBOc7q8rr00Lf6BU3
|
||||||
|
K+XsfWo+p08CXKudfQ/+JFzzpyKeX5nVqiqbxqUakPy/Ot010/7457YVpvcLmcvT
|
||||||
|
Yn4cR0dottl96lp5wT1jN7VXfZu/tsHEtTg1ofeExNuCL8DZVsSN836idRmObhLP
|
||||||
|
dnYmThZcXBJ3RgSniQNwvuuGUtpH7OXb5vnAOe42+n3yucxhPI9Gzo5g6fTqWwb+
|
||||||
|
qwh39ydxtiv3v3jgFixJLj/HH3MsxTm6cNUTWNLzvX+HugBeuOfyDG9++fe3UmZe
|
||||||
|
MczAF9N9tDFP+0b1diXywJWfSdVLBmMARYeh0Swjud60SQLTqaqXVfPSECGo9LVc
|
||||||
|
wot2u4q67QhUC2OTKiTkF6QVE05iKoPEPkCTmMvSpbHF3ERZE3J6YsVg17Uc7LrZ
|
||||||
|
7DRRF+03mu4njS8LvIoeBuqsB96mNQNH/PwLSANWTtclCwj2C9W1HKy3zKjnu3kC
|
||||||
|
PHLzwQFEO28TE5EsblnBdA8ozNIV887V7yw89MxPhpuXRn8BVAU1S9Dj7j3mNHLj
|
||||||
|
rVAgZmr/nx3oDt8VfOZpK8u3u1voZdC+cnTBdcG2gzM8Ya+h8C60Y8dFzykr8hr4
|
||||||
|
b5gDeDI1OkQ2vOQHtnQPdscYKl0v1ntHq2wrFuCIol4WneKh3Jrvdb37cL971u4g
|
||||||
|
dpw0jTO/ykCvLlipxjJ/NrnXFb6TriZRgWZqiIwY2lKEfZDXqc/iOa2L0yBr21a5
|
||||||
|
Ag0EX+7luwEQAM/CQdinTzIHaEJsCe42g6tt4dBC/UC4wD367rJcyJbEd+qaLJwS
|
||||||
|
CQUbg/wrEdRT+aROHVKLwrvXxtgJs0x15vvFTurkn1BnNMh7p8woYwip7PKrNn2+
|
||||||
|
96Yg7Aqc3a3gkDQeF8Q7uipOH/5feJh6l7Iu718pvnDUw4UFZt/RUrdqseFXVwr/
|
||||||
|
ffSalLx7gJhL3mYuU1qpJZxsonNwAS43eViagI0FHSqixB5kPgFcbBf3BIiisOCy
|
||||||
|
a1L9a+zSt1y1aEFC7m+9YlGJA3C0/X8s+dK0VWOrJlP/WmKUp3Epxpu6srsBItcT
|
||||||
|
YMuGA82/03YAJ+jpGMRb+X1Dq9vuOUxvDjG+G10Cgew2EjiAkXpVg/1NsCrQWRbs
|
||||||
|
KtFf5PXGfKCO0i8hEzwmJLd5OlNIIiup450iX4eS77Tey69hGyweLIC4YDPDwFpp
|
||||||
|
bkDdRG6nDvePbEHi5z1L41NaWNa0wEyh28OqrmD0FCcGukk24pBVemVEx0En4siQ
|
||||||
|
la6/1QXQlG/wTi7Yi71V/4oz7iZ4lSPWs0ACFGD9W5InlRykiRXC1cV27f+qMw9u
|
||||||
|
Y6UbgvN70cWflK5C7e2h/eAQfxj+seYFUjMnJTkXiZE85m63p1Yu2A1c9+jqJ0L3
|
||||||
|
Lfn5YIQdtWdY3Qc1RIQYPVRl5NcgXIPV7TwjvnjowuHjWX0IQbhv61lNABEBAAGJ
|
||||||
|
BHIEGAEIACYWIQR+HJGsgDClpZ0e+rl1DzyHcj5AEgUCX+7luwIbAgUJA+tFgAJA
|
||||||
|
CRB1DzyHcj5AEsF0IAQZAQgAHRYhBOJesM8c6ASdR/HZpjPhDkoYOo5GBQJf7uW7
|
||||||
|
AAoJEDPhDkoYOo5GhpcQALowCpZ8UowMWlQFfZ2ySJalnZM6S2RxCFiss4W9pGuu
|
||||||
|
9PKuN2wdXW3HGkBGDAuQgLwanSfhGSt/urT3+DT40OlDMzanRwEK0qiSaSs/xBtK
|
||||||
|
dNL7JmGbcWTXpNP3aHhfYhVOg7NJnsfZ8Ti3dfuv3ZrjcLvgdnZ/s6O9S3gU8DtH
|
||||||
|
fpnOfE3hxjUEHEw9hs9Otc6foCqMDZDvfU3emYduD5AvTiXYdeD/mZBD4OmF99II
|
||||||
|
XWNuQexAJ+xgOPdvXaYt0lBuXmfMcn/1hrU3RJqguwnPZ2cU5zo41/uSbdsFrTHK
|
||||||
|
yEOLTn0XYYk07mZGdscljzmXbpsbAC4Jp8CDBhUfdzfi1n3AOyblk1nywfionLlz
|
||||||
|
HDtfWQYCxp16N8S2MU7tA1w8rFNwVDVwmxIfgjLrjPAgvqSpCmLHTXNBfdLUYRAv
|
||||||
|
SpY9TR+U4YOOuEx2Niwnprdjm1qilN+fmPR3tWvVChlD3kHmSpi1+9ix+xizlBjN
|
||||||
|
eZ08Eq5rDBPsTpqJmoNS8pHE0EL3IVpcB1pZ5rd6UBSa7LoMLeWwWm7Ap5VZALfp
|
||||||
|
jMNws4SA2q5OTRY2or/+m1+cfDWIP+2XQV4YaNFMbO7XKr3vnUOxY9gyADqfRJiv
|
||||||
|
DljHiw5iLzbkaHs7dYJOPNMGMlRzZfkkxg6Patx44TQ2rO7LnyCgVdFZWDHNevgR
|
||||||
|
Z8AP/152xfh3qsOnT+R32Rt8CcwXmKFxLylgpjegcUmbutow9zdlX26qZ67cJ/3p
|
||||||
|
hNLZgAYKPrGecGA0BJ2UzsPEKKz8I/dAp96LpHo/24WqUamh1z2PRAgyJGC43zm0
|
||||||
|
rA/KAlcht8bbI/VuZ5eAYXjH01QfPS7i7fFOryYYFqfH+BTp3ZEr/A7FkcOZXmNV
|
||||||
|
Gg4+oC2t6cJnzDsM0MUJ7dgNAHTLGx6RZZahdE3LJ8oVJ8Vek9KtjJbPr143EZLt
|
||||||
|
ymkiy93pzLUaKWfCZJCCI9nfJnNZnvoQXv0l3wnrQIFE14Fv0jbTALHRgRJlB4cZ
|
||||||
|
i3teEuf7shSDsd13JDdfmxMsxnfeVsIUPa+J0GBSbe14JHXlcd0t03cpbzO547Qb
|
||||||
|
rFpD98XO6Y7OefWD3pwDF2Izjnn4Cny/hpUIEO1A2j4qHhUkqmnFmBO6yIFic637
|
||||||
|
CJnYe3uU7ss/TNIUKLhujqlcNl8WeOMVPbhnCuOhyQh2aioAKn1yiQ1EgNSIGIVD
|
||||||
|
LwqMt0kxI52/aDkZgCcEfBFC1c17IeUH+G0HMGm49/acFHkhX61S4efXhvzH5J0l
|
||||||
|
Dr+0qk4aVKNwqkUNp56GSMLhiiSYivX9Xa4qQGNlmrki1pC2DamlTXDLB67XQcRp
|
||||||
|
dAc+4nNTK4E/czrr0+wlkgz7pC1MAllCLilyTSPGnKIPlOd2uQINBF/u5d0BEADF
|
||||||
|
+6hDuKvzbmKWZNXjJK6Em/5nnzBOa155YQLN91zMs6COI4p+YuIVPPzVWZYR0yHs
|
||||||
|
gTWw45cMV+RYwuL/P+1Z84bgOyPloIVF9VQjOC+wB3Gn4qmTzobr6q+UfQVvUiUQ
|
||||||
|
8fGG11teWvYpWiG91uialjHZmrpAOQxjHRxHPpi0cZtTFEqinCIy6c942xbtZnzf
|
||||||
|
nzPpxkKl0a8s1eKZ0KlDK6Ab59nxAinilohXRg/U6sqypsyLl41L0qMZek5dEt4C
|
||||||
|
r3spdSkZgxqJpLTqQy/5VB4pcfEaIaank3sLxhpil/oQiq+38WA0VkICQyeiCsvf
|
||||||
|
eEKyt1C6COBNH+olegUxudTKDHFthyGMPRz3McI5jHxCyru0mfLJag2hHXzgGoaD
|
||||||
|
VkYIwkvyVsHWDqrZMMXcCIUVlpphxtHo1M32AATnWFe4K1nFdbejR9XC5xWOgwbT
|
||||||
|
zCblqporHzU0c8WBbfJ0Y10IDrHsa/F08PkFvVN48Ydik6rcwowSPxP+59Q9AKLh
|
||||||
|
Isd2hzfWU2zAbG5Ph1wecwlYR3tp/0i3uSTDXfuuaY+vrqpoECN6fnSg8NxiBbjU
|
||||||
|
JR0Ju6KDM2SeBUz5hp9BzL8+OPTogRZoinxBogrRAvdGLOnLG5hMjBezzF8UEvp6
|
||||||
|
IMisGHBZgXoX4Juvf78RE8JOwHa+HUejj5kYiQW6TwARAQABiQRyBBgBCAAmFiEE
|
||||||
|
fhyRrIAwpaWdHvq5dQ88h3I+QBIFAl/u5d0CGwIFCQPrRYACQAkQdQ88h3I+QBLB
|
||||||
|
dCAEGQEIAB0WIQT2AU9wN9W7TuO6I3E56nu98JFFWwUCX+7l3QAKCRA56nu98JFF
|
||||||
|
W5whD/9Hu5cnJ0hnzqk3MQsdMXbTNLsv+KePV71kcMRat4hjw2Li/TUaC8xtA81d
|
||||||
|
O/1obmsuoDAgv82KlQ7DLDXjFk2q45lJdgZxAkN3dEoYakdTIEi11FvwbhV+qxZK
|
||||||
|
jTq3jFQho4i3GDLgrvBMG4B1TGMH0IPux9fmBGpxYKmp1GjhpgoMXp9bqzsV/mPZ
|
||||||
|
TxPlmIpeJEO2jeCWKhHHw6rzwGjF68G3HiJ0TqvjdCtcNrwd3GTDsdEJtUl49aqF
|
||||||
|
M7VfoqKjVdRO/YDL//+TJNOYz5EBGjIZxbhgZJ9Qz+geSBx9GJtDWdq193ofFi39
|
||||||
|
oleTFnEMj+OeIr1Bc2pc8Z3HJttFknicJDkeze3mM0CZAkhVkLFy6DvAQkXrgvfp
|
||||||
|
AUYFACQW8E2XmRBiKd4huojWYz5QGSEIk2fYRVhse2HAUZ9gTODSX2L13nls+BEi
|
||||||
|
sArsmSFA/RQslDXW+Jl+P0e37BzN51uk2Dg4ylJUBgcpTRUn4Q8c1DgHDhkEVnBI
|
||||||
|
ny2H/MFuhImw9g5xqlBfCEKh5D8D0e4fX28MhSsBlOCeIKJoY85U3GNY0tlIwAt8
|
||||||
|
M7IIHe1n1qncPbAMmq0K48J1lfyTEbXpnSfArzEdbnosjBUaiQX5EwA656eZ6wb3
|
||||||
|
Vq02UDei6KPuOosl4Voy+Ffq5MCkanVMA97/0wV3CeCvQYGbsvsUD/9fLYc3yH7A
|
||||||
|
0xksK7PImztDR8MLsUPoiv/vnfZ+WJJ+YJ0TKAHm1ZO3NqeZmD7XoWHKwh83zsK8
|
||||||
|
x/JUASCBN16isC+Ym6IwF83/HXJfKNvvotkr2WG6Dv8Vg1Hhk2Iv5y3EMbFa9rfv
|
||||||
|
6vjxho+0sYrraJH8qQAM08IIOi7+afrkR/ikgA8V7ymqmdxtMMHZqG+h5R0VGTVw
|
||||||
|
QBxZ5/ZiY56Qn5UH2m0Tc2AHOcAQTvCEwyb19IPyhif+rek3npSvKtDc6WBJioyi
|
||||||
|
gvDhl+jgIfcIo77w6GthgbFc9k68Je56Peu2J30zWj76Z+Di1OJhAj1wFr4/XT5o
|
||||||
|
c1MB/Vfyx3hEPRDNz7dRaDqoVnYVdoI0blyCiSkD9I4/axb4X3xN2SK4XA/zv+Lb
|
||||||
|
1FbCM1XFL2aF+09tk+77EVdWsBmQpOArD0d54E1YulBGaxVm5QKfov23KiqHIFVF
|
||||||
|
8WYqJqNJwbJRZii7klczkVm3wFte3NWK7HW8kfF147lv0z3AiZYnk0O6Mj1ip3R8
|
||||||
|
Qm5yiv57DbbgIMkSPWCpEtFGHIoK2msJ2bQcizh2WGxLos00RTx3IVAeSAS54+kr
|
||||||
|
rMBg50wNczcGHKPDUKLwkYczgHonUtljAkeXnTl69rifChI+KpjHNtF6dFgC1aSt
|
||||||
|
MOud6HhAcd0f3lmuPzCGGp4YOQx9tV139bkCDQRf7uX4ARAAxaybudQK4fMIzLiV
|
||||||
|
grIzthhb3/DK83PNohTNMemM2V2z1Ij5Dlu2XNDypMdR0rKM/QI3zWud1+vd2h/l
|
||||||
|
QZlg58FspvrY6I7hI+cbdRldVaAKDGQHo5Bi0a7BkonZvS/0wnNUPIhy/znzXtXR
|
||||||
|
f4L7ePZMofH/2shz4TZ1yNpU8zaomY6eNjSc51P4vVxtDQ4QofQeJEn8aO9a4whu
|
||||||
|
O0TVEAPKRYBRgjM8faDuUJtLfiC3OrhLg+B7JVSF3di4JITAyafPbZACLjV7Umxb
|
||||||
|
SUL3qTJZVpIuhF0xQOCE+WRx3Xs7lkPdHMqP2OaJ8Y4ymR08cSfIP2XFKsQFtoqT
|
||||||
|
VyMQgGgI6VXF8OfnCnGgx0Do1vJNoL0neFzVXpCPPzh1RbcrtndZWum/1R4egkYg
|
||||||
|
J8TPQH5X391J58Uwd5l9/ZDdoSeeQYdtTR4YQ8//ATFO3hoSRvES4U6ZwO8LM6di
|
||||||
|
ra6pqb6j0liT+DdcBwE4C1bGJMJ6d93S5SfH3llDIMJo7uJDbKILFMES9rg7S6I8
|
||||||
|
+SW75TjKUk4Y7L8R8qwURqEyuOOGfaQXirqvji4PdcGDBiIk2Oq69Ky6lmlJgyIH
|
||||||
|
SZ7SO1JXk0yAJTXb+a6FJTLFxidkIZzu+LhLBn/MhAPjVyv3qCTQ7O0lu8Mfcqg5
|
||||||
|
8hhJ6IE79PBHS3z8ok+mFK0iGrcAEQEAAYkEcgQYAQgAJhYhBH4ckayAMKWlnR76
|
||||||
|
uXUPPIdyPkASBQJf7uX4AhsCBQkD60WAAkAJEHUPPIdyPkASwXQgBBkBCAAdFiEE
|
||||||
|
JFV3TUL9/mucOD64/hACvFlwgR8FAl/u5fgACgkQ/hACvFlwgR+LoRAAgtIgaKb4
|
||||||
|
ZY8qoAFZeph+Syg+mMKfPJkBuGUedJl6IxbHBSg2mhnCjJ0bmdqxsAXgtcSUqmtZ
|
||||||
|
Yw9NyoGgiVjs+gu5sQp1Oxc2/keQXaVksTkoXwdnf+2iXyp1WPeeLGySHmzuwy9c
|
||||||
|
eExt+h0mVmBgFls2wNdFGPbVfiT3PvFkwqsnta6HebDTN4pMzvG1IIGV7L5KRo1E
|
||||||
|
dmkrt3lXQWmdgHl3JoNQ9v/Jgf4jo6gDw53YvJFKJcaOOAS3d4CzPWmcLzcy4mf0
|
||||||
|
9YI3DoQCbYL3cRNelUwzUF2L6QyPCwonXemLCmfkBgsSVqvW4fq8qbEHGF2fK7x3
|
||||||
|
d7bZEsUiGCt/tXOkDkNJ31T/mC35nxZfcj8AMPixO+BnAeKeYC37LbQD76jrw526
|
||||||
|
tUXsAF+QON5DPeot+e8bIx9qSbvdqpXDkK4lGcRTuS2OVC8J9XfDTch4wm3Kd4P4
|
||||||
|
lDdRAJWnLfVay0m05LGlekWdEzcjP8KDaICH9rEs6f9e1gy6mTEBnBW//41BxELT
|
||||||
|
KxoTGlcX3yEhCmK36g5C/+d6b7Ji5arGGTCa96v/xG32KYc1zfn3TYkCx06pPUbz
|
||||||
|
iAl2l0MTpGeqz2hJMOGA3JuxwlksJKqnPYy0hHKdVW4Pnn25NeXcBp8wpkt8VZOR
|
||||||
|
bzjw/TJB7qvJHoRo1tat85Uij9rAXqTyO8Ea0hAAi/EfuiDDy3GV7bvjFSA1XEjL
|
||||||
|
d+F40g2X0QG/PHTScYB4rFJwV0GFUxLHr4g7iypAVI+BB4EYikx8gpee6B0g3J+r
|
||||||
|
aCFDDrRPDKdqrpZK53oYcBPkdSBbCr5MAa/M3DerKBEgoBVUbaSHWN7OH2ae+5R6
|
||||||
|
X2ERmYZdW4PCj6lw7a+RhkAsgKo8RjonjV61ehQPZh20noI19Q80BYYSCfHHvzy5
|
||||||
|
vwvByhmTMJNrl3PDpBy9/TwBR5DpnHfOPJX6bnl3pdu65F2TRM6yoFbfoUiEqrXV
|
||||||
|
4wC1I++N9VjrQvXSp0ik/XaMWq87wLIg+1owElJIzwyZWukQkZMAYtesVFz20YwC
|
||||||
|
7Nu8SNr/NTSCH1EqLsS4YhBTsjpc2T8AqUlgxKrilmLbrj64PXgMsQ9WYm5zwlC5
|
||||||
|
UA5eky5YhETFJ25dIaplMm47aIbPSH5f9y5eYPkfOCoMu5oDzDzoXdH9V1YfsHqa
|
||||||
|
8bboSgTdariC23x38E9PaWQNyY2MFKL6cFt2ilIsMSSD6JAm1x8kBtn1bBopG588
|
||||||
|
7mTDtlqHCw/QrTuLreJG9KJ1dQFJ/Q42+csH09l081wlv4BBuVlN1Xmj+c2sWn90
|
||||||
|
l1BPZfYHd9jhggI96yTZhfTfFbSMSuGPQyqHnwDYdA3cNj5BYievBkO5FZaCe9SZ
|
||||||
|
4xcYgqlVpv15O7VrD+I=
|
||||||
|
=Uugw
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
33
generate-rndc-key.sh
Executable file
33
generate-rndc-key.sh
Executable file
@ -0,0 +1,33 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ -r /etc/rc.d/init.d/functions ]; then
|
||||||
|
. /etc/rc.d/init.d/functions
|
||||||
|
else
|
||||||
|
success() {
|
||||||
|
echo $" OK "
|
||||||
|
}
|
||||||
|
|
||||||
|
failure() {
|
||||||
|
echo -n " "
|
||||||
|
echo $"FAILED"
|
||||||
|
}
|
||||||
|
fi
|
||||||
|
|
||||||
|
# This script generates /etc/rndc.key if doesn't exist AND if there is no rndc.conf
|
||||||
|
|
||||||
|
if [ ! -s /etc/rndc.key -a ! -s /etc/rndc.conf ]; then
|
||||||
|
echo -n $"Generating /etc/rndc.key:"
|
||||||
|
if /usr/sbin/rndc-confgen -a -A hmac-sha256 > /dev/null 2>&1
|
||||||
|
then
|
||||||
|
chmod 640 /etc/rndc.key
|
||||||
|
chown root:named /etc/rndc.key
|
||||||
|
[ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.key
|
||||||
|
success $"/etc/rndc.key generation"
|
||||||
|
echo
|
||||||
|
else
|
||||||
|
rc=$?
|
||||||
|
failure $"/etc/rndc.key generation"
|
||||||
|
echo
|
||||||
|
exit $rc
|
||||||
|
fi
|
||||||
|
fi
|
12
named-chroot-setup.service
Normal file
12
named-chroot-setup.service
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Set-up/destroy chroot environment for named (DNS)
|
||||||
|
BindsTo=named-chroot.service
|
||||||
|
Wants=named-setup-rndc.service
|
||||||
|
After=named-setup-rndc.service
|
||||||
|
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStart=/usr/libexec/setup-named-chroot.sh /var/named/chroot on /etc/named-chroot.files
|
||||||
|
ExecStop=/usr/libexec/setup-named-chroot.sh /var/named/chroot off /etc/named-chroot.files
|
27
named-chroot.files
Normal file
27
named-chroot.files
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
# Configuration of files used in chroot
|
||||||
|
# Following files are made available after named-chroot.service start
|
||||||
|
# if they are missing or empty in target directory.
|
||||||
|
/etc/localtime
|
||||||
|
/etc/named.root.key
|
||||||
|
/etc/named.conf
|
||||||
|
/etc/named.rfc1912.zones
|
||||||
|
/etc/rndc.conf
|
||||||
|
/etc/rndc.key
|
||||||
|
/etc/named.iscdlv.key
|
||||||
|
/etc/crypto-policies/back-ends/bind.config
|
||||||
|
/etc/protocols
|
||||||
|
/etc/services
|
||||||
|
/etc/named.dnssec.keys
|
||||||
|
/etc/pki/dnssec-keys
|
||||||
|
/etc/named
|
||||||
|
/usr/lib64/bind
|
||||||
|
/usr/lib/bind
|
||||||
|
/usr/lib64/named
|
||||||
|
/usr/lib/named
|
||||||
|
/usr/share/GeoIP
|
||||||
|
/run/named
|
||||||
|
/proc/sys/net/ipv4/ip_local_port_range
|
||||||
|
# Warning: the order is important
|
||||||
|
# If a directory containing $ROOTDIR is listed here,
|
||||||
|
# it MUST be listed last. (/var/named contains /var/named/chroot)
|
||||||
|
/var/named
|
30
named-chroot.service
Normal file
30
named-chroot.service
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
# Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
|
||||||
|
# line to your /etc/rsyslog.conf file. Otherwise your logging becomes
|
||||||
|
# broken when rsyslogd daemon is restarted (due update, for example).
|
||||||
|
|
||||||
|
[Unit]
|
||||||
|
Description=Berkeley Internet Name Domain (DNS)
|
||||||
|
Wants=nss-lookup.target
|
||||||
|
Requires=named-chroot-setup.service
|
||||||
|
Before=nss-lookup.target
|
||||||
|
After=named-chroot-setup.service
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=forking
|
||||||
|
Environment=NAMEDCONF=/etc/named.conf
|
||||||
|
EnvironmentFile=-/etc/sysconfig/named
|
||||||
|
Environment=KRB5_KTNAME=/etc/named.keytab
|
||||||
|
PIDFile=/var/named/chroot/run/named/named.pid
|
||||||
|
|
||||||
|
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
|
||||||
|
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS
|
||||||
|
|
||||||
|
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
|
||||||
|
|
||||||
|
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
|
||||||
|
|
||||||
|
PrivateTmp=false
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
26
named-pkcs11.service
Normal file
26
named-pkcs11.service
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
|
||||||
|
Wants=nss-lookup.target
|
||||||
|
Wants=named-setup-rndc.service
|
||||||
|
Before=nss-lookup.target
|
||||||
|
After=network.target
|
||||||
|
After=named-setup-rndc.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=forking
|
||||||
|
Environment=NAMEDCONF=/etc/named.conf
|
||||||
|
EnvironmentFile=-/etc/sysconfig/named
|
||||||
|
Environment=KRB5_KTNAME=/etc/named.keytab
|
||||||
|
PIDFile=/run/named/named.pid
|
||||||
|
|
||||||
|
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
|
||||||
|
ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
|
||||||
|
|
||||||
|
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
|
||||||
|
|
||||||
|
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
|
||||||
|
|
||||||
|
PrivateTmp=true
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
7
named-setup-rndc.service
Normal file
7
named-setup-rndc.service
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Generate rndc key for BIND (DNS)
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
|
||||||
|
ExecStart=/usr/libexec/generate-rndc-key.sh
|
59
named.conf
Normal file
59
named.conf
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
//
|
||||||
|
// named.conf
|
||||||
|
//
|
||||||
|
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
|
||||||
|
// server as a caching only nameserver (as a localhost DNS resolver only).
|
||||||
|
//
|
||||||
|
// See /usr/share/doc/bind*/sample/ for example named configuration files.
|
||||||
|
//
|
||||||
|
|
||||||
|
options {
|
||||||
|
listen-on port 53 { 127.0.0.1; };
|
||||||
|
listen-on-v6 port 53 { ::1; };
|
||||||
|
directory "/var/named";
|
||||||
|
dump-file "/var/named/data/cache_dump.db";
|
||||||
|
statistics-file "/var/named/data/named_stats.txt";
|
||||||
|
memstatistics-file "/var/named/data/named_mem_stats.txt";
|
||||||
|
secroots-file "/var/named/data/named.secroots";
|
||||||
|
recursing-file "/var/named/data/named.recursing";
|
||||||
|
allow-query { localhost; };
|
||||||
|
|
||||||
|
/*
|
||||||
|
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
|
||||||
|
- If you are building a RECURSIVE (caching) DNS server, you need to enable
|
||||||
|
recursion.
|
||||||
|
- If your recursive DNS server has a public IP address, you MUST enable access
|
||||||
|
control to limit queries to your legitimate users. Failing to do so will
|
||||||
|
cause your server to become part of large scale DNS amplification
|
||||||
|
attacks. Implementing BCP38 within your network would greatly
|
||||||
|
reduce such attack surface
|
||||||
|
*/
|
||||||
|
recursion yes;
|
||||||
|
|
||||||
|
dnssec-validation yes;
|
||||||
|
|
||||||
|
managed-keys-directory "/var/named/dynamic";
|
||||||
|
geoip-directory "/usr/share/GeoIP";
|
||||||
|
|
||||||
|
pid-file "/run/named/named.pid";
|
||||||
|
session-keyfile "/run/named/session.key";
|
||||||
|
|
||||||
|
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
|
||||||
|
include "/etc/crypto-policies/back-ends/bind.config";
|
||||||
|
};
|
||||||
|
|
||||||
|
logging {
|
||||||
|
channel default_debug {
|
||||||
|
file "data/named.run";
|
||||||
|
severity dynamic;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "." IN {
|
||||||
|
type hint;
|
||||||
|
file "named.ca";
|
||||||
|
};
|
||||||
|
|
||||||
|
include "/etc/named.rfc1912.zones";
|
||||||
|
include "/etc/named.root.key";
|
||||||
|
|
243
named.conf.sample
Normal file
243
named.conf.sample
Normal file
@ -0,0 +1,243 @@
|
|||||||
|
/*
|
||||||
|
Sample named.conf BIND DNS server 'named' configuration file
|
||||||
|
for the Red Hat BIND distribution.
|
||||||
|
|
||||||
|
See the BIND Administrator's Reference Manual (ARM) for details, in:
|
||||||
|
file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
|
||||||
|
Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
|
||||||
|
its manual.
|
||||||
|
*/
|
||||||
|
|
||||||
|
options
|
||||||
|
{
|
||||||
|
// Put files that named is allowed to write in the data/ directory:
|
||||||
|
directory "/var/named"; // "Working" directory
|
||||||
|
dump-file "data/cache_dump.db";
|
||||||
|
statistics-file "data/named_stats.txt";
|
||||||
|
memstatistics-file "data/named_mem_stats.txt";
|
||||||
|
secroots-file "data/named.secroots";
|
||||||
|
recursing-file "data/named.recursing";
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
Specify listenning interfaces. You can use list of addresses (';' is
|
||||||
|
delimiter) or keywords "any"/"none"
|
||||||
|
*/
|
||||||
|
//listen-on port 53 { any; };
|
||||||
|
listen-on port 53 { 127.0.0.1; };
|
||||||
|
|
||||||
|
//listen-on-v6 port 53 { any; };
|
||||||
|
listen-on-v6 port 53 { ::1; };
|
||||||
|
|
||||||
|
/*
|
||||||
|
Access restrictions
|
||||||
|
|
||||||
|
There are two important options:
|
||||||
|
allow-query { argument; };
|
||||||
|
- allow queries for authoritative data
|
||||||
|
|
||||||
|
allow-query-cache { argument; };
|
||||||
|
- allow queries for non-authoritative data (mostly cached data)
|
||||||
|
|
||||||
|
You can use address, network address or keywords "any"/"localhost"/"none" as argument
|
||||||
|
Examples:
|
||||||
|
allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
|
||||||
|
allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
|
||||||
|
*/
|
||||||
|
|
||||||
|
allow-query { localhost; };
|
||||||
|
allow-query-cache { localhost; };
|
||||||
|
|
||||||
|
/* Enable/disable recursion - recursion yes/no;
|
||||||
|
|
||||||
|
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
|
||||||
|
- If you are building a RECURSIVE (caching) DNS server, you need to enable
|
||||||
|
recursion.
|
||||||
|
- If your recursive DNS server has a public IP address, you MUST enable access
|
||||||
|
control to limit queries to your legitimate users. Failing to do so will
|
||||||
|
cause your server to become part of large scale DNS amplification
|
||||||
|
attacks. Implementing BCP38 within your network would greatly
|
||||||
|
reduce such attack surface
|
||||||
|
*/
|
||||||
|
recursion yes;
|
||||||
|
|
||||||
|
/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
|
||||||
|
|
||||||
|
/* Enable DNSSEC validation on recursive servers */
|
||||||
|
dnssec-validation yes;
|
||||||
|
|
||||||
|
/* In Fedora we use /run/named instead of default /var/run/named
|
||||||
|
so we have to configure paths properly. */
|
||||||
|
pid-file "/run/named/named.pid";
|
||||||
|
session-keyfile "/run/named/session.key";
|
||||||
|
|
||||||
|
managed-keys-directory "/var/named/dynamic";
|
||||||
|
|
||||||
|
/* In Fedora we use system-wide Crypto Policy */
|
||||||
|
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
|
||||||
|
include "/etc/crypto-policies/back-ends/bind.config";
|
||||||
|
};
|
||||||
|
|
||||||
|
logging
|
||||||
|
{
|
||||||
|
/* If you want to enable debugging, eg. using the 'rndc trace' command,
|
||||||
|
* named will try to write the 'named.run' file in the $directory (/var/named).
|
||||||
|
* By default, SELinux policy does not allow named to modify the /var/named directory,
|
||||||
|
* so put the default debug log file in data/ :
|
||||||
|
*/
|
||||||
|
channel default_debug {
|
||||||
|
file "data/named.run";
|
||||||
|
severity dynamic;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
/*
|
||||||
|
Views let a name server answer a DNS query differently depending on who is asking.
|
||||||
|
|
||||||
|
By default, if named.conf contains no "view" clauses, all zones are in the
|
||||||
|
"default" view, which matches all clients.
|
||||||
|
|
||||||
|
Views are processed sequentially. The first match is used so the last view should
|
||||||
|
match "any" - it's fallback and the most restricted view.
|
||||||
|
|
||||||
|
If named.conf contains any "view" clause, then all zones MUST be in a view.
|
||||||
|
*/
|
||||||
|
|
||||||
|
view "localhost_resolver"
|
||||||
|
{
|
||||||
|
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
|
||||||
|
* If all you want is a caching-only nameserver, then you need only define this view:
|
||||||
|
*/
|
||||||
|
match-clients { localhost; };
|
||||||
|
recursion yes;
|
||||||
|
|
||||||
|
# all views must contain the root hints zone:
|
||||||
|
zone "." IN {
|
||||||
|
type hint;
|
||||||
|
file "/var/named/named.ca";
|
||||||
|
};
|
||||||
|
|
||||||
|
/* these are zones that contain definitions for all the localhost
|
||||||
|
* names and addresses, as recommended in RFC1912 - these names should
|
||||||
|
* not leak to the other nameservers:
|
||||||
|
*/
|
||||||
|
include "/etc/named.rfc1912.zones";
|
||||||
|
};
|
||||||
|
view "internal"
|
||||||
|
{
|
||||||
|
/* This view will contain zones you want to serve only to "internal" clients
|
||||||
|
that connect via your directly attached LAN interfaces - "localnets" .
|
||||||
|
*/
|
||||||
|
match-clients { localnets; };
|
||||||
|
recursion yes;
|
||||||
|
|
||||||
|
zone "." IN {
|
||||||
|
type hint;
|
||||||
|
file "/var/named/named.ca";
|
||||||
|
};
|
||||||
|
|
||||||
|
/* these are zones that contain definitions for all the localhost
|
||||||
|
* names and addresses, as recommended in RFC1912 - these names should
|
||||||
|
* not leak to the other nameservers:
|
||||||
|
*/
|
||||||
|
include "/etc/named.rfc1912.zones";
|
||||||
|
|
||||||
|
// These are your "authoritative" internal zones, and would probably
|
||||||
|
// also be included in the "localhost_resolver" view above :
|
||||||
|
|
||||||
|
/*
|
||||||
|
NOTE for dynamic DNS zones and secondary zones:
|
||||||
|
|
||||||
|
DO NOT USE SAME FILES IN MULTIPLE VIEWS!
|
||||||
|
|
||||||
|
If you are using views and DDNS/secondary zones it is strongly
|
||||||
|
recommended to read FAQ on ISC site (www.isc.org), section
|
||||||
|
"Configuration and Setup Questions", questions
|
||||||
|
"How do I share a dynamic zone between multiple views?" and
|
||||||
|
"How can I make a server a slave for both an internal and an external
|
||||||
|
view at the same time?"
|
||||||
|
*/
|
||||||
|
|
||||||
|
zone "my.internal.zone" {
|
||||||
|
type master;
|
||||||
|
file "my.internal.zone.db";
|
||||||
|
};
|
||||||
|
zone "my.slave.internal.zone" {
|
||||||
|
type slave;
|
||||||
|
file "slaves/my.slave.internal.zone.db";
|
||||||
|
masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
|
||||||
|
// put slave zones in the slaves/ directory so named can update them
|
||||||
|
};
|
||||||
|
zone "my.ddns.internal.zone" {
|
||||||
|
type master;
|
||||||
|
allow-update { key ddns_key; };
|
||||||
|
file "dynamic/my.ddns.internal.zone.db";
|
||||||
|
// put dynamically updateable zones in the slaves/ directory so named can update them
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
key ddns_key
|
||||||
|
{
|
||||||
|
algorithm hmac-sha256;
|
||||||
|
secret "use /usr/sbin/ddns-confgen to generate TSIG keys";
|
||||||
|
};
|
||||||
|
|
||||||
|
view "external"
|
||||||
|
{
|
||||||
|
/* This view will contain zones you want to serve only to "external" clients
|
||||||
|
* that have addresses that are not match any above view:
|
||||||
|
*/
|
||||||
|
match-clients { any; };
|
||||||
|
|
||||||
|
zone "." IN {
|
||||||
|
type hint;
|
||||||
|
file "/var/named/named.ca";
|
||||||
|
};
|
||||||
|
|
||||||
|
recursion no;
|
||||||
|
// you'd probably want to deny recursion to external clients, so you don't
|
||||||
|
// end up providing free DNS service to all takers
|
||||||
|
|
||||||
|
// These are your "authoritative" external zones, and would probably
|
||||||
|
// contain entries for just your web and mail servers:
|
||||||
|
|
||||||
|
zone "my.external.zone" {
|
||||||
|
type master;
|
||||||
|
file "my.external.zone.db";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
/* Trusted keys
|
||||||
|
|
||||||
|
This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
|
||||||
|
should configure at least one trusted key.
|
||||||
|
|
||||||
|
Note that no key written below is valid. Especially root key because root zone
|
||||||
|
is not signed yet.
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
trust-anchors {
|
||||||
|
// Root Key
|
||||||
|
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
|
||||||
|
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
|
||||||
|
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
|
||||||
|
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
|
||||||
|
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
|
||||||
|
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
|
||||||
|
R1AkUTV74bU=";
|
||||||
|
|
||||||
|
// Key for forward zone
|
||||||
|
example.com. static-key 257 3 8 "AwEAAZ0aqu1rJ6orJynrRfNpPmayJZoAx9Ic2/Rl9VQW
|
||||||
|
LMHyjxxem3VUSoNUIFXERQbj0A9Ogp0zDM9YIccKLRd6
|
||||||
|
LmWiDCt7UJQxVdD+heb5Ec4qlqGmyX9MDabkvX2NvMws
|
||||||
|
UecbYBq8oXeTT9LRmCUt9KUt/WOi6DKECxoG/bWTykrX
|
||||||
|
yBR8elD+SQY43OAVjlWrVltHxgp4/rhBCvRbmdflunaP
|
||||||
|
Igu27eE2U4myDSLT8a4A0rB5uHG4PkOa9dIRs9y00M2m
|
||||||
|
Wf4lyPee7vi5few2dbayHXmieGcaAHrx76NGAABeY393
|
||||||
|
xjlmDNcUkF1gpNWUla4fWZbbaYQzA93mLdrng+M=";
|
||||||
|
|
||||||
|
|
||||||
|
// Key for reverse zone.
|
||||||
|
2.0.192.IN-ADDRPA.NET. initial-ds 31406 8 2 "F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D8F6B916D";
|
||||||
|
};
|
||||||
|
*/
|
10
named.empty
Normal file
10
named.empty
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
$TTL 3H
|
||||||
|
@ IN SOA @ rname.invalid. (
|
||||||
|
0 ; serial
|
||||||
|
1D ; refresh
|
||||||
|
1H ; retry
|
||||||
|
1W ; expire
|
||||||
|
3H ) ; minimum
|
||||||
|
NS @
|
||||||
|
A 127.0.0.1
|
||||||
|
AAAA ::1
|
10
named.localhost
Normal file
10
named.localhost
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
$TTL 1D
|
||||||
|
@ IN SOA @ rname.invalid. (
|
||||||
|
0 ; serial
|
||||||
|
1D ; refresh
|
||||||
|
1H ; retry
|
||||||
|
1W ; expire
|
||||||
|
3H ) ; minimum
|
||||||
|
NS @
|
||||||
|
A 127.0.0.1
|
||||||
|
AAAA ::1
|
12
named.logrotate
Normal file
12
named.logrotate
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
/var/named/data/named.run {
|
||||||
|
missingok
|
||||||
|
su named named
|
||||||
|
create 0644 named named
|
||||||
|
postrotate
|
||||||
|
/usr/bin/systemctl reload named.service > /dev/null 2>&1 || true
|
||||||
|
/usr/bin/systemctl reload named-chroot.service > /dev/null 2>&1 || true
|
||||||
|
/usr/bin/systemctl reload named-sdb.service > /dev/null 2>&1 || true
|
||||||
|
/usr/bin/systemctl reload named-sdb-chroot.service > /dev/null 2>&1 || true
|
||||||
|
/usr/bin/systemctl reload named-pkcs11.service > /dev/null 2>&1 || true
|
||||||
|
endscript
|
||||||
|
}
|
11
named.loopback
Normal file
11
named.loopback
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
$TTL 1D
|
||||||
|
@ IN SOA @ rname.invalid. (
|
||||||
|
0 ; serial
|
||||||
|
1D ; refresh
|
||||||
|
1H ; retry
|
||||||
|
1W ; expire
|
||||||
|
3H ) ; minimum
|
||||||
|
NS @
|
||||||
|
A 127.0.0.1
|
||||||
|
AAAA ::1
|
||||||
|
PTR localhost.
|
45
named.rfc1912.zones
Normal file
45
named.rfc1912.zones
Normal file
@ -0,0 +1,45 @@
|
|||||||
|
// named.rfc1912.zones:
|
||||||
|
//
|
||||||
|
// Provided by Red Hat caching-nameserver package
|
||||||
|
//
|
||||||
|
// ISC BIND named zone configuration for zones recommended by
|
||||||
|
// RFC 1912 section 4.1 : localhost TLDs and address zones
|
||||||
|
// and https://tools.ietf.org/html/rfc6303
|
||||||
|
// (c)2007 R W Franks
|
||||||
|
//
|
||||||
|
// See /usr/share/doc/bind*/sample/ for example named configuration files.
|
||||||
|
//
|
||||||
|
// Note: empty-zones-enable yes; option is default.
|
||||||
|
// If private ranges should be forwarded, add
|
||||||
|
// disable-empty-zone "."; into options
|
||||||
|
//
|
||||||
|
|
||||||
|
zone "localhost.localdomain" IN {
|
||||||
|
type master;
|
||||||
|
file "named.localhost";
|
||||||
|
allow-update { none; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "localhost" IN {
|
||||||
|
type master;
|
||||||
|
file "named.localhost";
|
||||||
|
allow-update { none; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
|
||||||
|
type master;
|
||||||
|
file "named.loopback";
|
||||||
|
allow-update { none; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "1.0.0.127.in-addr.arpa" IN {
|
||||||
|
type master;
|
||||||
|
file "named.loopback";
|
||||||
|
allow-update { none; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "0.in-addr.arpa" IN {
|
||||||
|
type master;
|
||||||
|
file "named.empty";
|
||||||
|
allow-update { none; };
|
||||||
|
};
|
61
named.root
Normal file
61
named.root
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
|
||||||
|
; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
|
||||||
|
; (2 servers found)
|
||||||
|
;; global options: +cmd
|
||||||
|
;; Got answer:
|
||||||
|
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
|
||||||
|
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
|
||||||
|
|
||||||
|
;; OPT PSEUDOSECTION:
|
||||||
|
; EDNS: version: 0, flags:; udp: 1472
|
||||||
|
;; QUESTION SECTION:
|
||||||
|
;. IN NS
|
||||||
|
|
||||||
|
;; ANSWER SECTION:
|
||||||
|
. 518400 IN NS a.root-servers.net.
|
||||||
|
. 518400 IN NS b.root-servers.net.
|
||||||
|
. 518400 IN NS c.root-servers.net.
|
||||||
|
. 518400 IN NS d.root-servers.net.
|
||||||
|
. 518400 IN NS e.root-servers.net.
|
||||||
|
. 518400 IN NS f.root-servers.net.
|
||||||
|
. 518400 IN NS g.root-servers.net.
|
||||||
|
. 518400 IN NS h.root-servers.net.
|
||||||
|
. 518400 IN NS i.root-servers.net.
|
||||||
|
. 518400 IN NS j.root-servers.net.
|
||||||
|
. 518400 IN NS k.root-servers.net.
|
||||||
|
. 518400 IN NS l.root-servers.net.
|
||||||
|
. 518400 IN NS m.root-servers.net.
|
||||||
|
|
||||||
|
;; ADDITIONAL SECTION:
|
||||||
|
a.root-servers.net. 518400 IN A 198.41.0.4
|
||||||
|
b.root-servers.net. 518400 IN A 199.9.14.201
|
||||||
|
c.root-servers.net. 518400 IN A 192.33.4.12
|
||||||
|
d.root-servers.net. 518400 IN A 199.7.91.13
|
||||||
|
e.root-servers.net. 518400 IN A 192.203.230.10
|
||||||
|
f.root-servers.net. 518400 IN A 192.5.5.241
|
||||||
|
g.root-servers.net. 518400 IN A 192.112.36.4
|
||||||
|
h.root-servers.net. 518400 IN A 198.97.190.53
|
||||||
|
i.root-servers.net. 518400 IN A 192.36.148.17
|
||||||
|
j.root-servers.net. 518400 IN A 192.58.128.30
|
||||||
|
k.root-servers.net. 518400 IN A 193.0.14.129
|
||||||
|
l.root-servers.net. 518400 IN A 199.7.83.42
|
||||||
|
m.root-servers.net. 518400 IN A 202.12.27.33
|
||||||
|
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
|
||||||
|
b.root-servers.net. 518400 IN AAAA 2001:500:200::b
|
||||||
|
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
|
||||||
|
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
|
||||||
|
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
|
||||||
|
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
|
||||||
|
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
|
||||||
|
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
|
||||||
|
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
|
||||||
|
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
|
||||||
|
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
|
||||||
|
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
|
||||||
|
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
|
||||||
|
|
||||||
|
;; Query time: 24 msec
|
||||||
|
;; SERVER: 198.41.0.4#53(198.41.0.4)
|
||||||
|
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
|
||||||
|
;; MSG SIZE rcvd: 811
|
||||||
|
|
13
named.root.key
Normal file
13
named.root.key
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
trust-anchors {
|
||||||
|
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
|
||||||
|
# for current trust anchor information.
|
||||||
|
#
|
||||||
|
# This key (20326) was published in the root zone in 2017.
|
||||||
|
# Servers which were already using the old key (19036) should
|
||||||
|
# roll seamlessly to this new one via RFC 5011 rollover. Servers
|
||||||
|
# being set up for the first time can use the contents of this
|
||||||
|
# file as initializing keys; thereafter, the keys in the
|
||||||
|
# managed key database will be trusted and maintained
|
||||||
|
# automatically.
|
||||||
|
. initial-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
|
||||||
|
};
|
6
named.rwtab
Normal file
6
named.rwtab
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
dirs /var/named
|
||||||
|
|
||||||
|
files /var/named/named.ca
|
||||||
|
files /var/named/named.empty
|
||||||
|
files /var/named/named.localhost
|
||||||
|
files /var/named/named.loopback
|
25
named.service
Normal file
25
named.service
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Berkeley Internet Name Domain (DNS)
|
||||||
|
Wants=nss-lookup.target
|
||||||
|
Wants=named-setup-rndc.service
|
||||||
|
Before=nss-lookup.target
|
||||||
|
After=named-setup-rndc.service
|
||||||
|
After=network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=forking
|
||||||
|
Environment=NAMEDCONF=/etc/named.conf
|
||||||
|
EnvironmentFile=-/etc/sysconfig/named
|
||||||
|
Environment=KRB5_KTNAME=/etc/named.keytab
|
||||||
|
PIDFile=/run/named/named.pid
|
||||||
|
|
||||||
|
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
|
||||||
|
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
|
||||||
|
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
|
||||||
|
|
||||||
|
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
|
||||||
|
|
||||||
|
PrivateTmp=true
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
17
named.sysconfig
Normal file
17
named.sysconfig
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
# BIND named process options
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# OPTIONS="whatever" -- These additional options will be passed to named
|
||||||
|
# at startup. Don't add -t here, enable proper
|
||||||
|
# -chroot.service unit file.
|
||||||
|
#
|
||||||
|
# NAMEDCONF=/etc/named/alternate.conf
|
||||||
|
# -- Don't use -c to change configuration file.
|
||||||
|
# Extend systemd named.service instead or use this
|
||||||
|
# variable.
|
||||||
|
#
|
||||||
|
# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
|
||||||
|
# utility for every zone to ensure all zones are
|
||||||
|
# valid before named starts. If you set this option
|
||||||
|
# to 'yes' then service file doesn't perform those
|
||||||
|
# checks.
|
117
setup-named-chroot.sh
Executable file
117
setup-named-chroot.sh
Executable file
@ -0,0 +1,117 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
ROOTDIR="$1"
|
||||||
|
CONFIG_FILES="${3:-/etc/named-chroot.files}"
|
||||||
|
|
||||||
|
usage()
|
||||||
|
{
|
||||||
|
echo
|
||||||
|
echo 'This script setups chroot environment for BIND'
|
||||||
|
echo 'Usage: setup-named-chroot.sh ROOTDIR <on|off> [chroot.files]'
|
||||||
|
}
|
||||||
|
|
||||||
|
if ! [ "$#" -ge 2 -a "$#" -le 3 ]; then
|
||||||
|
echo 'Wrong number of arguments'
|
||||||
|
usage
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Exit if ROOTDIR doesn't exist
|
||||||
|
if ! [ -d "$ROOTDIR" ]; then
|
||||||
|
echo "Root directory $ROOTDIR doesn't exist"
|
||||||
|
usage
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! [ -r "$CONFIG_FILES" ]; then
|
||||||
|
echo "Files list $CONFIG_FILES doesn't exist" 2>&1
|
||||||
|
usage
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
dev_create()
|
||||||
|
{
|
||||||
|
DEVNAME="$ROOTDIR/dev/$1"
|
||||||
|
shift
|
||||||
|
if ! [ -e "$DEVNAME" ]; then
|
||||||
|
/bin/mknod -m 0664 "$DEVNAME" $@
|
||||||
|
/bin/chgrp named "$DEVNAME"
|
||||||
|
if [ -x /usr/sbin/selinuxenabled -a -x /sbin/restorecon ]; then
|
||||||
|
/usr/sbin/selinuxenabled && /sbin/restorecon "$DEVNAME" > /dev/null || :
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
dev_chroot_prep()
|
||||||
|
{
|
||||||
|
dev_create random c 1 8
|
||||||
|
dev_create urandom c 1 9
|
||||||
|
dev_create zero c 1 5
|
||||||
|
dev_create null c 1 3
|
||||||
|
}
|
||||||
|
|
||||||
|
files_comment_filter()
|
||||||
|
{
|
||||||
|
if [ -d "$1" ]; then
|
||||||
|
grep -v '^[[:space:]]*#' "$1"/*.files
|
||||||
|
else
|
||||||
|
grep -v '^[[:space:]]*#' "$1"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
mount_chroot_conf()
|
||||||
|
{
|
||||||
|
if [ -n "$ROOTDIR" ]; then
|
||||||
|
# Check devices are prepared
|
||||||
|
dev_chroot_prep
|
||||||
|
files_comment_filter "$CONFIG_FILES" | while read -r all; do
|
||||||
|
# Skip nonexistant files
|
||||||
|
[ -e "$all" ] || continue
|
||||||
|
|
||||||
|
# If mount source is a file
|
||||||
|
if ! [ -d "$all" ]; then
|
||||||
|
# mount it only if it is not present in chroot or it is empty
|
||||||
|
if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
|
||||||
|
touch "$ROOTDIR$all"
|
||||||
|
mount --bind "$all" "$ROOTDIR$all"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# Mount source is a directory. Mount it only if directory in chroot is
|
||||||
|
# empty.
|
||||||
|
if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
|
||||||
|
mount --bind --make-private "$all" "$ROOTDIR$all"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
umount_chroot_conf()
|
||||||
|
{
|
||||||
|
if [ -n "$ROOTDIR" ]; then
|
||||||
|
files_comment_filter "$CONFIG_FILES" | while read -r all; do
|
||||||
|
# Check if file is mount target. Do not use /proc/mounts because detecting
|
||||||
|
# of modified mounted files can fail.
|
||||||
|
if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
|
||||||
|
umount "$ROOTDIR$all"
|
||||||
|
# Remove temporary created files
|
||||||
|
[ -f "$all" ] && rm -f "$ROOTDIR$all"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$2" in
|
||||||
|
on)
|
||||||
|
mount_chroot_conf
|
||||||
|
;;
|
||||||
|
off)
|
||||||
|
umount_chroot_conf
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo 'Second argument has to be "on" or "off"'
|
||||||
|
usage
|
||||||
|
exit 1
|
||||||
|
esac
|
||||||
|
|
||||||
|
exit 0
|
124
setup-named-softhsm.sh
Executable file
124
setup-named-softhsm.sh
Executable file
@ -0,0 +1,124 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# This script will initialise token storage of softhsm PKCS11 provider
|
||||||
|
# in custom location. Is useful to store tokens in non-standard location.
|
||||||
|
#
|
||||||
|
# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
|
||||||
|
# Quotes around eval are mandatory!
|
||||||
|
# Recommended use:
|
||||||
|
# eval "$(bash setup-named-softhsm.sh -A)"
|
||||||
|
#
|
||||||
|
|
||||||
|
SOFTHSM2_CONF="$1"
|
||||||
|
TOKENPATH="$2"
|
||||||
|
GROUPNAME="$3"
|
||||||
|
# Do not use this script for real keys worth protection
|
||||||
|
# This is intended for crypto accelerators using PKCS11 interface.
|
||||||
|
# Uninitialized token would fail any crypto operation.
|
||||||
|
PIN=1234
|
||||||
|
SO_PIN=1234
|
||||||
|
LABEL=rpm
|
||||||
|
|
||||||
|
set -e
|
||||||
|
|
||||||
|
echo_i()
|
||||||
|
{
|
||||||
|
echo "#" $@
|
||||||
|
}
|
||||||
|
|
||||||
|
random()
|
||||||
|
{
|
||||||
|
if [ -x "$(which openssl 2>/dev/null)" ]; then
|
||||||
|
openssl rand -base64 $1
|
||||||
|
else
|
||||||
|
dd if=/dev/urandom bs=1c count=$1 | base64
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
usage()
|
||||||
|
{
|
||||||
|
echo "Usage: $0 -A [token directory] [group]"
|
||||||
|
echo " or: $0 <config file> <token directory> [group]"
|
||||||
|
}
|
||||||
|
|
||||||
|
if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
|
||||||
|
TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
|
||||||
|
usage >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$SOFTHSM2_CONF" = "-A" ]; then
|
||||||
|
# Automagic mode instead
|
||||||
|
MODE=secure
|
||||||
|
SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
|
||||||
|
PIN_SOURCE="$TOKENPATH/pin"
|
||||||
|
SOPIN_SOURCE="$TOKENPATH/so-pin"
|
||||||
|
TOKENPATH="$TOKENPATH/tokens"
|
||||||
|
else
|
||||||
|
MODE=legacy
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
|
||||||
|
|
||||||
|
umask 0022
|
||||||
|
|
||||||
|
if ! [ -f "$SOFTHSM2_CONF" ]; then
|
||||||
|
cat << SED > "$SOFTHSM2_CONF"
|
||||||
|
# SoftHSM v2 configuration file
|
||||||
|
|
||||||
|
directories.tokendir = ${TOKENPATH}
|
||||||
|
objectstore.backend = file
|
||||||
|
|
||||||
|
# ERROR, WARNING, INFO, DEBUG
|
||||||
|
log.level = ERROR
|
||||||
|
|
||||||
|
# If CKF_REMOVABLE_DEVICE flag should be set
|
||||||
|
slots.removable = false
|
||||||
|
SED
|
||||||
|
else
|
||||||
|
echo_i "Config file $SOFTHSM2_CONF already exists" >&2
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -n "$PIN_SOURCE" ]; then
|
||||||
|
touch "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||||
|
chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||||
|
if [ -n "$GROUPNAME" ]; then
|
||||||
|
chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||||
|
chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
export SOFTHSM2_CONF
|
||||||
|
|
||||||
|
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
|
||||||
|
then
|
||||||
|
echo_i "Token in ${TOKENPATH} is already initialized" >&2
|
||||||
|
|
||||||
|
[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
|
||||||
|
[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
|
||||||
|
else
|
||||||
|
PIN=$(random 6)
|
||||||
|
SO_PIN=$(random 18)
|
||||||
|
if [ -n "$PIN_SOURCE" ]; then
|
||||||
|
echo -n "$PIN" > "$PIN_SOURCE"
|
||||||
|
echo -n "$SO_PIN" > "$SOPIN_SOURCE"
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo_i "Initializing tokens to ${TOKENPATH}..."
|
||||||
|
softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
|
||||||
|
|
||||||
|
if [ -n "$GROUPNAME" ]; then
|
||||||
|
chgrp -R -- "$GROUPNAME" "$TOKENPATH"
|
||||||
|
chmod -R -- g=rX,o= "$TOKENPATH"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
|
||||||
|
echo "export PIN_SOURCE=\"$PIN_SOURCE\""
|
||||||
|
echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
|
||||||
|
# These are intentionaly not exported
|
||||||
|
echo "PIN=\"$PIN\""
|
||||||
|
echo "SO_PIN=\"$SO_PIN\""
|
1
sources
Normal file
1
sources
Normal file
@ -0,0 +1 @@
|
|||||||
|
SHA512 (bind-9.16.23.tar.xz) = 9dd1c5241f15bf6c3c1e1564564c7e91cba0dfc7f1262d53b4b54f4f7230ed651a148e95efa25efab1712b65bdeb555dfc0e1b524dcfc2a05ede43dd5b3978cf
|
1
trusted-key.key
Normal file
1
trusted-key.key
Normal file
@ -0,0 +1 @@
|
|||||||
|
. 3600 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
|
Loading…
Reference in New Issue
Block a user