+sub zone_server_addr ($$$$$) {
+ my ($addr,$name,$ww,$wwq,$is_soa) = @_;
+ $addr_is_ok{$addr}= "$name ($wwq)"
+ if $is_soa || $cfg->{'s'} =~ m/u/;
+ zone_warning("configured as stealth but we [$addr]".
+ " are published ($name $wwq)")
+ if $cfg->{'s'} =~ m/u/ && grep { $_ eq $addr } @self_addr;
+ zone_warning("forbidden nameserver address [$addr] $name ($wwq)")
+ if grep { $_ eq $addr } @forbid_addr;
+
+ my ($name_is_self, $addr_is_self);
+ $name_is_self= grep { $_ eq $name }
+ @{ $cfg->{$is_soa ? 'self_soa' : 'self_ns'} };
+ $addr_is_self= grep { $_ eq $addr }
+ @{ $cfg->{'self_addr'} };
+ if ($name_is_self && !$addr_is_self) {
+ zone_warning("our name $name with wrong address [$addr], (eg) $ww")
+ unless $warned_nameaddr{$name}{$addr}++;
+ } elsif (!$name_is_self && $addr_is_self) {
+ zone_warning(($is_soa ? "SOA ORIGIN maps to" : "allegedly served by").
+ " us [$addr] with wrong name $name, (eg) $ww")
+ unless $warned_nameaddr{$name}{$addr}++;
+ }
+ $delg_to_us=1 if $name_is_self;
+}
+
+sub zone_check_soa ($$$) {
+ my ($uaddr,$ww,$wwq) = @_;
+ my ($lame,$origin,$got,$rcode,@soa_addrs,$soa_addr,$wwn);
+ verbose("checking service at $wwq");
+ $lame= 'dead or lame';
+ dig(sub {
+ if ($dig_type eq 'flags:') {
+ $lame= $dig_rdata =~ m/ aa / ? '' : 'lame';
+ } elsif ($dig_type eq 'soa' && $dig_owner eq $zone && !$lame) {
+ die "several SOAs ? $ww" if defined $origin;
+ $got= $dig_rdata;
+ $got =~ m/^(\S+) \d+/ or die "$got ?";
+ $origin= $1;
+ }
+ },
+ $zone,'soa',$uaddr);
+ $lame= 'broken' if !$lame && !defined $origin;
+ if ($lame) { zone_warning("$lame server $ww"); return; }
+ push @{ $soas{$got} }, $ww;
+ ($rcode,@soa_addrs)= lookup($origin,'a','0');
+ foreach $soa_addr (@soa_addrs) {
+ $wwn= "SOA ORIGIN from $ww";
+ zone_server_addr($soa_addr,$origin,$wwn,"SOA [$uaddr]",1);
+ push @to_check, $soa_addr, "$origin, $wwn";
+ }
+}
+
+sub zone_consistency() {
+ my ($d, $org_ser, $origin, $a, $h, $self_soa);
+ zone_consistency_set('delegations',\%delgs);
+ foreach $d (keys %delgs) { delete $auths{$d}; }
+ zone_consistency_set('zone nameserver rrset',\%auths);
+ foreach $h (keys %glue) {
+ zone_consistency_set("glue for $h", $glue{$h});
+ }
+ zone_consistency_set("SOA ORIGIN and SERIAL",\%soas);
+ $self_soa= $cfg->{'self_soa'};
+ if ($cfg->{'s'} =~ m/p/) {
+ foreach $org_ser (keys %soas) {
+ $org_ser =~ m/^(\S+) \d+$/ or die "$org_ser ?";
+ $origin= $1;
+ next if grep { $_ eq $origin } @$self_soa;
+ zone_warning("SOA ORIGIN $origin is not our name (@$self_soa),".
+ " eg from ".($soas{$org_ser}[0]));
+ }
+ }
+}
+
+sub zone_servers_ok () {
+ my ($showok);
+ if (%addr_is_ok) {
+ $showok= 0;
+ foreach $a (@{ $cfg->{'servers'} }) {
+ next if exists $addr_is_ok{$a};
+ zone_warning("we slave from $a"); $showok=1;
+ }
+ if ($showok) {
+ foreach $a (keys %addr_is_ok) {
+ zone_warnmore("permitted master [$a] $addr_is_ok{$a}");
+ }
+ }
+ }
+ if ($cfg->{'s'} =~ m/s/ && !$delg_to_us) {
+ zone_warning("we are supposedly published secondary,".
+ " but not listed as a nameserver");
+ }
+}
+
+sub zone_consistency_set ($%) {
+ my ($msg,$set) = @_;
+ my ($d,$o);
+ if (keys(%$set) > 1) {
+ zone_warning("inconsistent $msg:");
+ foreach $d (keys %$set) {
+ foreach $o (@{ $set->{$d} }) { zone_warnmore(" $d from $o"); }
+ }
+ }
+}
+
+sub zone_check_local () {
+ zone_reset();
+ zone_servers_simplefind();
+ zone_servers_ok();
+}
+
+sub zone_servers_simplefind () {
+ my ($rcode,@nsnames,$ns,@soas,$origin);
+
+ ($rcode,@nsnames)= lookup($zone,'ns-','0');
+ foreach $ns (@nsnames) { zone_server_simple($ns,'NS',0); }
+
+ ($rcode,@soas)= lookup($zone,'soa','0');
+ die "multiple SOA RRs in set! @soas ?" if @soas!=1;
+ $soas[0] =~ m/^(\S+)\s/ or die "SOA ? $_";
+ zone_server_simple(domain_canon($1),'SOA',1);
+}
+
+sub zone_server_simple ($$$) {
+ my ($name,$ww,$is_soa) = @_;
+ my ($rcode,@addrs,$addr);
+ ($rcode,@addrs)= lookup($name,'a','0');
+ foreach $addr (@addrs) { zone_server_addr($addr,$name,$ww,$ww,$is_soa); }
+}
+
+#-------------------- outputting
+
+sub zone_output () {
+ my ($o,$m);
+
+ $o= "zone \"$zone\" {\n";
+ if ($$cfg{'s'} =~ m/p/) {
+ $o.= " type master;\n";
+ } else {
+ $o.= " type slave;\n".
+ " masters {\n";
+ foreach $m (@{ $$cfg{'servers'} }) { $o.= " $m;\n"; }
+ $o.= " };\n";
+ }
+ $o.= " file \"$$cfg{'file'}\";\n";
+ $o.= "};\n";
+ return $o;
+}
+
+sub output_files () {
+ my ($fn,$ofn,$mfn,$l,$dir, $maxmode,$h,@to_install);
+
+ foreach $ofn (keys %output_contents) {
+ $fn= $ofn; $mfn= "output file $fn";
+ for (;;) {
+ if (!lstat $fn) {
+ $! == &ENOENT or die "$quis: stat $mfn:\n $!\n";
+ $maxmode= 0666;
+ last;
+ } elsif (-f _) {
+ $maxmode= (stat _)[2];
+ last;
+ } elsif (-l _) {
+ defined($l= readlink $fn)
+ or die "$quis: readlink $mfn:\n $!\n";
+ $dir= $fn =~ m,^.*/, ? $& : './';
+ $fn= "$dir$l" unless $l =~ m,^/,;
+ $mfn= "output file $fn (symlink target of $ofn)";
+ } else {
+ die "$quis: output file $mfn exists but is not a file".
+ " (or symlink to one)";
+ }
+ }
+ unlink "$fn.new" or $! == &ENOENT or
+ die "$quis: cannot clear out old .new version of $mfn:\n $!";
+ $h= new IO::File "$fn.new",'w',$maxmode
+ or die("$quis: create .new version of $mfn:\n $!");
+ print $h
+ "# generated by $quis, do not edit\n",
+ $output_contents{$ofn}
+ or die "$quis: write data to .new version of $mfn:\n $!";
+ $h->close
+ or die "$quis: close .new version of $mfn:\n $!";
+ push @to_install, $fn,$mfn;
+ }
+
+ while (($fn,$mfn, @to_install) = @to_install) {
+ rename "$fn.new",$fn
+ or die "$quis: install new version of $mfn:\n $!";
+ }
+}
+
+#-------------------- general utilities
+
+sub debug_dump ($) {
+ my ($vn);
+ return unless $debug>1;
+ local $Data::Dumper::Terse=1;
+ foreach $vn (split /\s+/, $_[0]) {
+ print "$vn := ", eval "Dumper(\\$vn)";
+ }
+}
+
+sub debug_trace ($) {
+ return unless $debug;
+ print "D $_[0]\n";
+}
+
+sub lookup ($$$) {
+ my ($domain,$type,$okrcodes) = @_;
+ my ($c,$h,@result);
+ debug_trace("lookup ==> (->$okrcodes) $domain $type");
+ $h= new IO::Handle;
+
+ defined($c= open $h, "-|") or die "$quis: fork adnshost:\n $!\n";
+ if (!$c) {
+ exec 'adnshost','-Fi','+Do','+Dt','+Dc','-Cf',"-t$type",
+ '-',"$domain.";
+ die "$quis: exec adnshost:\n $!\n";
+ }
+ @result= $h->getlines();
+ $h->error and die "$quis: read from adnshost:\n $!\n";
+ chomp @result;
+ $!=0; $h->close;
+ die "$quis: lookup -t$type $domain $okrcodes failed $? $! @result\n"
+ if $! or $?>6 or index($okrcodes,$?)<0;
+ debug_trace("lookup <== $? @result");
+ return ($?,@result);
+}
+
+
+sub dig (&$$$) {
+ my ($eachrr, $qowner,$qtype,$qaddr) = @_;
+ # also pseudo-rr with type `flags:'
+ my ($h,$inmid,$irdata,$c);
+ local ($_);
+
+ debug_trace("dig ==> \@$qaddr $qowner $qtype");
+
+ $h= new IO::Handle;
+ defined($c= open $h, "-|") or die "$quis: fork dig:\n $!\n";
+ if (!$c) {
+ open STDERR, ">&STDOUT" or die $!;
+ exec ('dig',
+ '+nodef','+nosea','+nodebug','+norecurse',
+ "\@$qaddr",'-t',$qtype,$qowner);
+ die "$quis: exec dig:\n $!\n";
+ }
+ $inmid='';
+ for (;;) {
+ if (!defined($_= $h->getline())) {
+ $h->error() and die "$quis: read from dig:\n $!\n";
+ last;
+ }
+ chomp;
+ if (length $inmid) {
+ s/^\s+/ / or die "$inmid // $_ ?";
+ s/\;.*$//;
+ $_= $inmid.$_;
+ $inmid='';
+ s/$/ \(/ unless s/\s*\)\s*$//;
+ }
+ if (s/\s*\(\s*$//) { $inmid= $_; next; }
+ if (m/^\;\; flags\:( [-0-9a-z ]+)\;/) {
+ $dig_owner=''; $dig_type='flags:'; $dig_rdata= "$1 ";
+ debug_trace("dig f: $dig_rdata");
+ &$eachrr;
+ } elsif (m/^\;/) {
+ } elsif (!m/\S/) {
+ } elsif (m/^([-.0-9a-z]+)\s+\d\w+\s+in\s+([a-z]+)\s+(\S.*)/i) {
+ $dig_owner=domain_canon($1); $dig_type=lc $2; $irdata=$3;
+ if ($dig_type eq 'a') {
+ $irdata =~ m/^[.0-9]+$/ or die "$irdata ?";
+ $dig_rdata= $&;
+ } elsif ($dig_type eq 'ns') {
+ $irdata =~ m/^[-.0-9a-z]+$/i or die "bad nameserver $irdata ?";
+ $dig_rdata= domain_canon($irdata);
+ } elsif ($dig_type eq 'soa') {
+ $irdata =~ m/^([-.0-9a-z]+)\s+.*\s+(\d+)(?:\s+\d\w+){4}$/i
+ or die "bad SOA $irdata ?";
+ $dig_rdata= domain_canon($1).' '.$2;
+ } else {
+ debug_trace("ignoring uknown RR type $dig_type");
+ next;
+ }
+ debug_trace("dig $dig_owner $dig_type $dig_rdata");
+ &$eachrr;
+ } else {
+ debug_trace("ignoring unknown dig output $_");
+ }
+ }
+ $h->close;
+ debug_trace("dig <== gave $?");
+}
+
+sub domain_canon ($) {
+ local ($_) = @_;
+ s/(.)\.$/$1/;
+ die "domain $_ ?" unless m/^[0-9a-z]/i;
+ return lc $_;
+}