11 $debug $needglue $localonly $verbosity);
13 $quis= $0; $quis =~ s,.*/,,;
17 $etcfile= "/etc/bind/chiark-conf-gen.zones";
24 use vars qw($dig_owner $dig_type $dig_rdata);
26 while (@ARGV && $ARGV[0] =~ m/^\-/) {
30 if (m/^(yes|no|force)$/) { m/^./; $mode= $&; }
31 elsif (m/^all$/) { $doall=1; }
32 elsif (m/^config$/) { $etcfile= loarg(); $where= '--config option'; }
33 elsif (m/^glueless$/) { $needglue--; }
34 elsif (m/^localonly$/) { $localonly=1; }
35 elsif (m/^quiet$/) { $verbosity=0; }
36 elsif (m/^verbose$/) { $verbosity=2; }
37 else { usageerr("unknown option --$_"); }
42 if (s/^[ynf]//) { $mode=$&; }
43 elsif (s/^A//) { $doall=1; }
44 elsif (s/^C//) { $etcfile= soarg(); $where= '-C option'; }
45 elsif (s/^D//) { $debug++; }
46 elsif (s/^g//) { $needglue--; }
47 elsif (s/^l//) { $localonly=1; }
48 elsif (s/^q//) { $verbosity=0; }
49 elsif (s/^v//) { $verbosity=2; }
50 else { usageerr("unknown option -$&"); }
55 sub loarg() { usageerr("missing option value") if !@ARGV; return shift @ARGV; }
56 sub soarg() { my ($rv); $rv=$_; $_=''; return length $rv ? $rv : loarg(); }
58 usageerr("-g may be specified at most twice") if $needglue<0;
59 usageerr("-D may be specified at most twice") if $debug>2;
60 usageerr("must specify either -f|-y|-n or zones (and not both)")
61 if !!$mode == !!@ARGV;
66 usage: named-conf-regen [-rvq] -f|-y|-n|<zone>...\n".
68 " -f --force install without checking\n".
69 " -y --yes check and install\n".
70 " -n --no check only\n".
71 "additional options:\n".
72 " -q --quiet no output for OK zones\n".
73 " -v --verbose extra verbose\n";
76 cfg_fail("config filename $etcfile should not be directory")
79 use vars qw($default_dir);
80 $default_dir= $etcfile =~ m,^.*/, ? $& : './';
82 use vars qw($slave_dir $slave_prefix $slave_suffix);
87 use vars qw(@self_ns @self_soa @self_addr @forbid_addr);
88 @self_ns= @self_soa= @self_addr= @forbid_addr= ();
90 use vars qw(%zone_cfg @zone_cfg_list);
94 use vars qw($output $default_output %output_contents);
99 use vars qw($check $install);
100 $check= $mode !~ m/^f/;
101 $install= $mode =~ m/^[yf]/;
103 read_config($etcfile);
104 debug_dump('@zone_cfg_list %zone_cfg');
105 process_zones($mode ? @zone_cfg_list : @ARGV);
106 debug_dump('%output_contents');
107 output_files() if $install;
111 #-------------------- configuration reading
113 sub cfg_fail ($) { die "$quis: $where:\n $_[0]\n"; }
115 sub read_config ($) {
117 my ($fh,$z,@self,$before,
118 $mod,$dir,$prefix,$suffix,$subfile,$lprefix,$lsuffix,$zf);
121 $fh= new IO::File $if,'r' or cfg_fail("open $if:\n $!");
124 if (!defined($_= <$fh>)) {
125 cfg_fail("read config file $if:\n $!") if $fh->error();
129 if (m/\\$/) { $before.= $_; next; }
137 if (m/^self(\-ns|\-soa|)\s+(\S.*\S)/) {
138 @self= split /\s+/, $2;
139 @self_ns= @self if $1 ne '-soa';
140 @self_soa= @self if $1 ne '-ns';
141 } elsif (m/^self\-addr\s+([0-9. \t]+)/) {
142 @self_addr= split /\s+/, $1;
143 } elsif (m/^forbid\-addr(?:\s+([0-9. \t]+))?/) {
144 @forbid_addr= defined $1 ? split /\s+/, $1 : ();
148 (?: \s+ ([^/ \t]*) (?: (/.+) )?
151 ($mod, $dir, $prefix, $suffix, $subfile) =
152 ($1,qualify($2),$3,$4,$5);
153 $suffix= '' if !defined $suffix;
154 $subfile= '' if !defined $subfile;
155 $suffix= '_db' if !length $suffix && !length $subfile;
156 if (-d "$dir/$prefix") { $dir.='/'; $dir.=$prefix; $prefix=''; }
157 opendir D, $dir or cfg_fail("open primary-dir $dir:\n $!");
158 $lprefix= length $prefix; $lsuffix= length $suffix;
159 while (defined($_= readdir D)) {
160 next if m/^\./ && !$lprefix;
161 next unless length > $lprefix+$lsuffix;
162 next unless substr($_,0,$lprefix) eq $prefix;
163 next unless substr($_,length($_)-$lsuffix) eq $suffix;
164 $z= substr($_,$lprefix,length($_)-($lprefix+$lsuffix));
165 $zf= $dir.'/'.$prefix.$z.$suffix.$subfile;
167 next if length $subfile && $! == &ENOENT;
168 cfg_fail("cannot stat zonefile $zf:\n $!");
170 -f _ or cfg_fail("zonefile $zf is not a plain file");
171 zone_conf($z,'primary','p',$mod,$zf);
173 closedir D or cfg_fail("close primary-dir $dir:\n $!");
174 } elsif (m/^primary([*?]?)\s+(\S+)\s+(\S+)$/) {
175 zone_conf($2,'primary','p',$1,qualify($3));
176 } elsif (m/^published([*?]?)\s+(\S+)\s+([0-9.\t]+)$/) {
177 zone_conf($2,'published','s',$1,'',$3);
178 } elsif (m/^stealth([*?]?)\s+(\S+)\s+([0-9. \t]+)$/) {
179 zone_conf($2,'stealth','u',$1,'',split /\s+/, $3);
180 } elsif (m/^slave\-dir\s+(\S+)(?:(?:\s+(\S+))\s+(\S+))?$/) {
181 ($slave_dir, $slave_prefix, $slave_suffix) = (qualify($1),$2,$3);
182 $slave_prefix='' if !defined $slave_prefix;
183 $slave_suffix='' if !defined $slave_suffix;
184 } elsif (m/^output\s+bind8\+(\S+)$/) {
185 cfg_fail("default output may not apply to only some zones")
186 if @zone_cfg_list && length $default_output;
187 set_output(qualify($1));
188 } elsif (m/^include\s+(\S+)$/) {
191 cfg_fail("unknown configuration directive".
192 " or incorrect syntax or arguments");
195 $fh->close or cfg_fail("close config file $if:\n $!");
200 $i= "$default_dir$i" unless $i =~ m,^/,;
204 sub zone_conf ($$$$$@) {
205 my ($zone,$style,$sabbr,$mod,$file,@servers) = @_;
207 $file= qualify("$slave_dir/$slave_prefix".$zone.$slave_suffix)
209 if (!length $output) {
210 $default_output= qualify('chiark-conf-gen.bind8')
211 unless length $default_output;
212 set_output($default_output);
214 cfg_fail("redefined zone $zone\n".
215 " earlier definition $zone_cfg{$zone}{'where'}")
216 if exists $zone_cfg{$zone};
217 $zone_cfg{$zone}{'where'}= $where;
218 $zone_cfg{$zone}{'file'}= $file;
219 $zone_cfg{$zone}{'style_p'}= $style.$mod;
220 $zone_cfg{$zone}{'s'}= $sabbr.$mod; # p)rimary s)econdary u)npub f)oreign
221 $zone_cfg{$zone}{'servers'}= [ @servers ];
222 foreach $sfx (qw(soa ns addr)) {
223 { no strict 'refs'; $aref= [ @{ "self_$sfx" } ]; }
224 @$aref or cfg_fail("failed to specify self-$sfx before zone");
225 $zone_cfg{$zone}{"self_$sfx"}= $aref;
227 $zone_cfg{$zone}{'output'}= $output;
228 push @zone_cfg_list, $zone;
234 $output_contents{$output}= '';
238 #-------------------- checking
240 use vars qw($zone $cfg $warnings);
244 return if !$verbosity;
249 return if $verbosity<2;
253 sub process_zones (@) {
257 foreach $zone (@zones) {
258 $cfg= $zone_cfg{$zone} || {
259 'style_p' => 'foreign',
263 progress(sprintf "%-40s %s", $zone, $$cfg{'style_p'});
264 if ($check && ($doall || $cfg->{'s'} !~ m/\?/)) {
266 if ($localonly && $cfg->{'s'} =~ m/f/) {
267 zone_warning("foreign zone specified with -l");
268 } elsif ($cfg->{'s'} =~ m/\*/ ||
269 ($localonly && $cfg->{'s'} !~ m/p/)) {
275 zone_warning("checks failed: $@") if length $@;
277 $output_contents{$$cfg{'output'}} .= zone_output()
280 print STDERR "$quis: $warnings warnings\n" or die $!
284 sub zone_warning ($) {
288 print STDERR "$zone: warning: $w\n" or die $!;
292 sub zone_warnmore ($) {
293 print STDERR "$zone: $_[0]\n" or die $!;
296 use vars qw(%delgs); # $delgs{$nameserver_list} = [ $whosaidandwhy ]
297 use vars qw(%auths); # $auths{$nameserver_list} = [ $whosaidandwhy ]
298 use vars qw(%glue); # $glue{$name}{$addr_list} = [ $whosaidandwhy ]
299 use vars qw(%soas); # $soa{"$origin $serial"} = [ $whosaidandwhy ]
300 use vars qw(%addr_is_ok %warned_glueless %warned_nameaddr);
301 use vars qw($delg_to_us);
302 use vars qw(@to_check); # ($addr,$whyask,$is_auth,$glueless_ok, ...)
303 use vars qw(@to_check_soa); # ($addr,$whyask, ...)
305 sub zone_check_full () {
313 %delgs= %auths= %glue= %soas=
314 %warned_glueless= %warned_nameaddr=
317 @to_check= @to_check_soa= ();
320 sub zone_investigate() {
321 my ($super_zone, @super_nsnames,
322 $super_ns, @super_ns_addrs, $s, $wa, $is_auth,
323 %nsrrset_checked, %soa_checked, $addr, $glueless_ok, $rcode);
327 debug_trace("zone $zone superzone $super_zone");
328 $super_zone =~ s/^[^.]+\.// or die "no superzone ? ($super_zone)\n";
329 ($rcode,@super_nsnames)= lookup($super_zone,'ns-','06');
332 for $super_ns (@super_nsnames) {
333 $super_ns= lc $super_ns;
334 ($rcode,@super_ns_addrs)= lookup($super_ns,'a','0');
335 foreach $addr (@super_ns_addrs) {
338 "$super_ns, server for $super_zone",
343 # We do these in order so that we always do NS RRset checks on
344 # nameservers that came from other NS RRsets first; otherwise
345 # we might set nsrrset_checked due to a glueless_ok check,
346 # and then not check for gluefulness later.
347 debug_dump('@to_check @to_check_soa');
348 if (($addr,$wa,$is_auth,$glueless_ok,@to_check) = @to_check) {
349 push @to_check_soa, $addr, $wa if $is_auth;
350 next if $nsrrset_checked{$addr}++;
351 zone_check_nsrrset($addr, "[$addr] $wa",
352 $is_auth, $glueless_ok);
353 } elsif (($addr,$wa,@to_check_soa) = @to_check_soa) {
354 next if $soa_checked{$addr}++;
355 zone_check_soa($addr,"[$addr] $wa","[$addr] NS");
362 sub zone_check_nsrrset ($$$$) {
363 my ($uaddr,$ww, $is_auth, $glueless_ok) = @_;
364 my (@s, $s, %s2g, @glue, $glue, $delgs_or_auths, $wwn);
365 verbose("checking delegation by $ww");
367 if ($dig_type eq 'ns' && $dig_owner eq $zone) {
368 $s2g{lc $dig_rdata} = [ ];
369 } elsif ($dig_type eq 'a' && exists $s2g{$dig_owner}) {
370 $wwn= "in glue from $ww";
371 push @to_check, $dig_rdata, "$dig_owner, $wwn", 1, 0;
372 zone_server_addr($dig_rdata,$dig_owner,$wwn,"NS [$uaddr]",0);
373 push @{ $s2g{$dig_owner} }, $dig_rdata;
377 if (!%s2g) { zone_warning("unable to find NS RRset at $ww"); return; }
378 elsif (keys %s2g == 1) { zone_warning("only one nameserver at $ww"); }
381 @glue= @{ $s2g{$s} };
383 zone_warning("glueless NS $s,".
384 ($needglue<=1 ? " (eg)" : "").
386 unless $glueless_ok || !$needglue ||
387 ($needglue<=1 && $warned_glueless{$s}++);
390 $glue= join ' ', sort @glue;
391 push @{ $glue{$s}{$glue} }, $ww;
394 $delgs_or_auths= $is_auth ? \%auths : \%delgs;
395 push @{ $delgs_or_auths->{$s} }, $ww;
398 sub zone_server_addr ($$$$$) {
399 my ($addr,$name,$ww,$wwq,$is_soa) = @_;
400 $addr_is_ok{$addr}= "$name ($wwq)"
401 if $is_soa || $cfg->{'s'} =~ m/u/;
402 zone_warning("configured as stealth but we [$addr]".
403 " are published ($name $wwq)")
404 if $cfg->{'s'} =~ m/u/ && grep { $_ eq $addr } @self_addr;
405 zone_warning("forbidden nameserver address [$addr] $name ($wwq)")
406 if grep { $_ eq $addr } @forbid_addr;
408 my ($name_is_self, $addr_is_self);
409 $name_is_self= grep { $_ eq $name }
410 @{ $cfg->{$is_soa ? 'self_soa' : 'self_ns'} };
411 $addr_is_self= grep { $_ eq $addr }
412 @{ $cfg->{'self_addr'} };
413 if ($name_is_self && !$addr_is_self) {
414 zone_warning("our name $name with wrong address [$addr], (eg) $ww")
415 unless $warned_nameaddr{$name}{$addr}++;
416 } elsif (!$name_is_self && $addr_is_self) {
417 zone_warning(($is_soa ? "SOA ORIGIN maps to" : "allegedly served by").
418 " us [$addr] with wrong name $name, (eg) $ww")
419 unless $warned_nameaddr{$name}{$addr}++;
421 $delg_to_us=1 if $name_is_self;
424 sub zone_check_soa ($$$) {
425 my ($uaddr,$ww,$wwq) = @_;
426 my ($lame,$origin,$got,$rcode,@soa_addrs,$soa_addr,$wwn);
427 verbose("checking service at $wwq");
428 $lame= 'dead or lame';
430 if ($dig_type eq 'flags:') {
431 $lame= $dig_rdata =~ m/ aa / ? '' : 'lame';
432 } elsif ($dig_type eq 'soa' && $dig_owner eq $zone && !$lame) {
433 die "several SOAs ? $ww" if defined $origin;
435 $got =~ m/^(\S+) \d+/ or die "$got ?";
440 $lame= 'broken' if !$lame && !defined $origin;
441 if ($lame) { zone_warning("$lame server $ww"); return; }
442 push @{ $soas{$got} }, $ww;
443 ($rcode,@soa_addrs)= lookup($origin,'a','0');
444 foreach $soa_addr (@soa_addrs) {
445 $wwn= "SOA ORIGIN from $ww";
446 zone_server_addr($soa_addr,$origin,$wwn,"SOA [$uaddr]",1);
447 push @to_check, $soa_addr, "$origin, $wwn";
451 sub zone_consistency() {
452 my ($d, $org_ser, $origin, $a, $h, $self_soa);
453 zone_consistency_set('delegations',\%delgs);
454 foreach $d (keys %delgs) { delete $auths{$d}; }
455 zone_consistency_set('zone nameserver rrset',\%auths);
456 foreach $h (keys %glue) {
457 zone_consistency_set("glue for $h", $glue{$h});
459 zone_consistency_set("SOA ORIGIN and SERIAL",\%soas);
460 $self_soa= $cfg->{'self_soa'};
461 if ($cfg->{'s'} =~ m/p/) {
462 foreach $org_ser (keys %soas) {
463 $org_ser =~ m/^(\S+) \d+$/ or die "$org_ser ?";
465 next if grep { $_ eq $origin } @$self_soa;
466 zone_warning("SOA ORIGIN $origin is not our name (@$self_soa),".
467 " eg from ".($soas{$org_ser}[0]));
472 sub zone_servers_ok () {
476 foreach $a (@{ $cfg->{'servers'} }) {
477 next if exists $addr_is_ok{$a};
478 zone_warning("we slave from $a"); $showok=1;
481 foreach $a (keys %addr_is_ok) {
482 zone_warnmore("permitted master [$a] $addr_is_ok{$a}");
486 if ($cfg->{'s'} =~ m/s/ && !$delg_to_us) {
487 zone_warning("we are supposedly published secondary,".
488 " but not listed as a nameserver");
492 sub zone_consistency_set ($%) {
495 if (keys(%$set) > 1) {
496 zone_warning("inconsistent $msg:");
497 foreach $d (keys %$set) {
498 foreach $o (@{ $set->{$d} }) { zone_warnmore(" $d from $o"); }
503 sub zone_check_local () {
505 zone_servers_simplefind();
509 sub zone_servers_simplefind () {
510 my ($rcode,@nsnames,$ns,@soas,$origin);
512 ($rcode,@nsnames)= lookup($zone,'ns-','0');
513 foreach $ns (@nsnames) { zone_server_simple($ns,'NS',0); }
515 ($rcode,@soas)= lookup($zone,'soa','0');
516 die "multiple SOA RRs in set! @soas ?" if @soas!=1;
517 $soas[0] =~ m/^(\S+)\s/ or die "SOA ? $_";
518 zone_server_simple(domain_canon($1),'SOA',1);
521 sub zone_server_simple ($$$) {
522 my ($name,$ww,$is_soa) = @_;
523 my ($rcode,@addrs,$addr);
524 ($rcode,@addrs)= lookup($name,'a','0');
525 foreach $addr (@addrs) { zone_server_addr($addr,$name,$ww,$ww,$is_soa); }
528 #-------------------- outputting
533 $o= "zone \"$zone\" {\n";
534 if ($$cfg{'s'} =~ m/p/) {
535 $o.= " type master;\n";
537 $o.= " type slave;\n".
539 foreach $m (@{ $$cfg{'servers'} }) { $o.= " $m;\n"; }
542 $o.= " file \"$$cfg{'file'}\";\n";
547 sub output_files () {
548 my ($fn,$ofn,$mfn,$l,$dir, $maxmode,$h,@to_install);
550 foreach $ofn (keys %output_contents) {
551 $fn= $ofn; $mfn= "output file $fn";
554 $! == &ENOENT or die "$quis: stat $mfn:\n $!\n";
558 $maxmode= (stat _)[2];
561 defined($l= readlink $fn)
562 or die "$quis: readlink $mfn:\n $!\n";
563 $dir= $fn =~ m,^.*/, ? $& : './';
564 $fn= "$dir$l" unless $l =~ m,^/,;
565 $mfn= "output file $fn (symlink target of $ofn)";
567 die "$quis: output file $mfn exists but is not a file".
568 " (or symlink to one)";
571 unlink "$fn.new" or $! == &ENOENT or
572 die "$quis: cannot clear out old .new version of $mfn:\n $!";
573 $h= new IO::File "$fn.new",'w',$maxmode
574 or die("$quis: create .new version of $mfn:\n $!");
576 "# generated by $quis, do not edit\n",
577 $output_contents{$ofn}
578 or die "$quis: write data to .new version of $mfn:\n $!";
580 or die "$quis: close .new version of $mfn:\n $!";
581 push @to_install, $fn,$mfn;
584 while (($fn,$mfn, @to_install) = @to_install) {
586 or die "$quis: install new version of $mfn:\n $!";
590 #-------------------- general utilities
594 return unless $debug>1;
595 local $Data::Dumper::Terse=1;
596 foreach $vn (split /\s+/, $_[0]) {
597 print "$vn := ", eval "Dumper(\\$vn)";
601 sub debug_trace ($) {
602 return unless $debug;
607 my ($domain,$type,$okrcodes) = @_;
609 debug_trace("lookup ==> (->$okrcodes) $domain $type");
612 defined($c= open $h, "-|") or die "$quis: fork adnshost:\n $!\n";
614 exec 'adnshost','-Fi','+Do','+Dt','+Dc','-Cf',"-t$type",
616 die "$quis: exec adnshost:\n $!\n";
618 @result= $h->getlines();
619 $h->error and die "$quis: read from adnshost:\n $!\n";
622 die "$quis: lookup -t$type $domain $okrcodes failed $? $! @result\n"
623 if $! or $?>6 or index($okrcodes,$?)<0;
624 debug_trace("lookup <== $? @result");
630 my ($eachrr, $qowner,$qtype,$qaddr) = @_;
631 # also pseudo-rr with type `flags:'
632 my ($h,$inmid,$irdata,$c);
635 debug_trace("dig ==> \@$qaddr $qowner $qtype");
638 defined($c= open $h, "-|") or die "$quis: fork dig:\n $!\n";
640 open STDERR, ">&STDOUT" or die $!;
642 '+nodef','+nosea','+nodebug','+norecurse',
643 "\@$qaddr",'-t',$qtype,$qowner);
644 die "$quis: exec dig:\n $!\n";
648 if (!defined($_= $h->getline())) {
649 $h->error() and die "$quis: read from dig:\n $!\n";
654 s/^\s+/ / or die "$inmid // $_ ?";
658 s/$/ \(/ unless s/\s*\)\s*$//;
660 if (s/\s*\(\s*$//) { $inmid= $_; next; }
661 if (m/^\;\; flags\:( [-0-9a-z ]+)\;/) {
662 $dig_owner=''; $dig_type='flags:'; $dig_rdata= "$1 ";
663 debug_trace("dig f: $dig_rdata");
667 } elsif (m/^([-.0-9a-z]+)\s+\d\w+\s+in\s+([a-z]+)\s+(\S.*)/i) {
668 $dig_owner=domain_canon($1); $dig_type=lc $2; $irdata=$3;
669 if ($dig_type eq 'a') {
670 $irdata =~ m/^[.0-9]+$/ or die "$irdata ?";
672 } elsif ($dig_type eq 'ns') {
673 $irdata =~ m/^[-.0-9a-z]+$/i or die "bad nameserver $irdata ?";
674 $dig_rdata= domain_canon($irdata);
675 } elsif ($dig_type eq 'soa') {
676 $irdata =~ m/^([-.0-9a-z]+)\s+.*\s+(\d+)(?:\s+\d\w+){4}$/i
677 or die "bad SOA $irdata ?";
678 $dig_rdata= domain_canon($1).' '.$2;
680 debug_trace("ignoring uknown RR type $dig_type");
683 debug_trace("dig $dig_owner $dig_type $dig_rdata");
686 debug_trace("ignoring unknown dig output $_");
690 debug_trace("dig <== gave $?");
693 sub domain_canon ($) {
696 die "domain $_ ?" unless m/^[0-9a-z]/i;
~ian / chiark-utils.git / blob