Sort of working?

[chiark-utils.git] / scripts / named-conf

#!/usr/bin/perl -w

use strict;
use IO::File;
use Data::Dumper;

use vars qw($etcfile $where);
$etcfile= "/etc/bind/chiark-conf-gen.zones";
$where= '<built-in>';

use vars qw($mode $verbosity $debug);
$mode= '';
$verbosity= 1;
$debug= 0;

use vars qw($dig_owner $dig_type $dig_rdata);

while (@ARGV && $ARGV[0] =~ m/^\-/) {
    $_= shift @ARGV;
    if (s/^\-\-//) {
        last if m/^$/;
        if (m/^quiet$/) { $verbosity=0; }
        elsif (m/^verbose$/) { $verbosity=2; }
        elsif (m/^(yes|no|force)$/) { m/^./; $mode= $&; }
        elsif (m/^config$/) { $etcfile= loarg(); $where= '--config option'; }
        else { usageerr("unknown option --$_"); }
    } else {
        s/^\-//;
        last if m/^$/;
        while (m/^./) {
            if (s/^[ynf]//) { $mode=$&; }
            elsif (s/^v//) { $verbosity=2; }
            elsif (s/^q//) { $verbosity=0; }
            elsif (s/^D//) { $debug++; }
            elsif (s/^C//) { $etcfile= soarg(); $where= '-C option'; }
            else { usageerr("unknown option -$&"); }
        }
    }
}

sub loarg() { usageerr("missing option value") if !@ARGV; return shift @ARGV; }
sub soarg() { my ($rv); $rv=$_; $_=''; return length $rv ? $rv : loarg(); }

usageerr("must specify either -f|-y|-n or zones (and not both)")
    if !!$mode == !!@ARGV;

sub usageerr ($) {
    die
"$_[0]
usage: named-conf-regen [-rvq] -f|-y|-n|<zone>...\n".
"operation modes:\n".
" -f --force   install without checking\n".
" -y --yes     check and install\n".
" -n --no      check only\n".
"additional options:\n".
" -q --quiet   no output for OK zones\n".
" -v --verbose extra verbose\n";
}

cfg_fail("config filename $etcfile should have been absolute path of a file")
    unless $etcfile =~ m,^/, && $etcfile !~ m,/$,;

use vars qw($default_dir);
$default_dir= $etcfile;
$default_dir =~ s,/[^/]+$,,;

use vars qw($slave_dir $slave_prefix $slave_suffix);
$slave_dir= 'slave';
$slave_prefix= '';
$slave_suffix= '';

use vars qw(@self_ns @self_soa);
@self_ns= @self_soa= ();

use vars qw(%zone_cfg @zone_cfg_list);
%zone_cfg= ();
@zone_cfg_list= ();

use vars qw($output $default_output %output_contents);
$output= '';
$default_output= '';
%output_contents= ();

use vars qw($check $install);
$check= $mode !~ m/^f/;
$install= $mode =~ m/^[yf]/;

read_config($etcfile);
debug_dump('@zone_cfg_list %zone_cfg');
process_zones($mode ? @zone_cfg_list : @ARGV);
debug_dump('%output_contents');


#-------------------- configuration reading

sub cfg_fail ($) { die "$0: $where:\n $_[0]\n"; }

sub read_config ($) {
    my ($if) = @_;
    my ($fh,$z,@self, $dir,$prefix,$suffix,$lprefix,$lsuffix);
    local ($_);

    $fh= new IO::File $if,'r' or cfg_fail("open $if:\n $!");
    for (;;) {
        if (!defined($_= <$fh>)) {
            cfg_fail("read config file $if:\n $!") if $fh->error();
            last;
        }
        $where= "$if:$.";
        s/^\s+//; chomp; s/\s+$//;
        next if m/^\#/;
        last if m/^end$/;
        next unless m/\S/;
        if (m/^self(\-ns|\-soa|)\s+(\S.*\S)/) {
            @self= split /\s+/, $2;
            @self_ns= @self if $1 ne '-soa';
            @self_soa= @self if $1 ne '-ns';
        } elsif (m/^primary\-dir\s+(\S+)((?:\s+(\S+))??:\s+(\S+))?$/) {
            ($dir, $prefix, $suffix) = (qualify($1),$2,$3);
            $suffix= '_db' if !length $suffix;
            opendir D, $dir or cfg_fail("open primary-dir $dir:\n $!");
            $lprefix= length $prefix; $lsuffix= length $suffix;
            while ($!=0, $_= readdir D) {
                next if m/^\./ && !$lprefix;
                next unless length > $lprefix+$lsuffix;
                next unless substr($_,0,$lprefix) eq $prefix;
                next unless substr($_,length($_)-$lsuffix) eq $suffix;
                $z= substr($_,$lprefix,length($_)-($lprefix+$lsuffix));
                zone_conf($z,'primary',"$dir/$_");
            }
            $! and cfg_fail("read primary-dir $dir:\n $!");
            closedir D or cfg_fail("close primary-dir $dir:\n $!");
        } elsif (m/^primary\s+(\S+)\s+(\S+)$/) {
            zone_conf($1,'primary',qualify($2));
        } elsif (m/^secondary\s+(\S+)\s+([0-9.\t]+)$/) {
            zone_conf($1,'secondary','',$2);
        } elsif (m/^stealth\s+(\S+)\s+([0-9. \t]+)$/) {
            zone_conf($1,'stealth','',split /\s+/, $2);
        } elsif (m/^slave\-dir\s+(\S+)((?:\s+(\S+))??:\s+(\S+))?$/) {
            ($slave_dir, $slave_prefix, $slave_suffix) = (qualify($1),$2,$3);
        } elsif (m/^output\s+bind8\+(\S+)$/) {
            cfg_fail("default output may not apply to only some zones")
                if @zone_cfg_list && length $default_output;
            set_output(qualify($1));
        } elsif (m/^include\s+(\S+)$/) {
            read_config($1);
        } else {
            cfg_fail("unknown configuration directive".
                     " or incorrect syntax or arguments");
        }
    }
    $fh->close or cfg_fail("close config file $if:\n $!");
}

sub qualify ($) {
    my ($i) = @_;
    $i= "$default_dir/$i" unless $i =~ m,^/,;
}

sub zone_conf ($$@) {
    my ($zone,$style,$file,@servers) = @_;
    $file= qualify("$slave_dir/$slave_prefix".$zone.$slave_suffix)
        unless length $file;
    if (!length $output) {
        $default_output= qualify('chiark-conf-gen.bind8')
            unless length $default_output;
        set_output($default_output);
    }
    cfg_fail("redefined zone $zone") if exists $zone_cfg{$zone};
    $zone_cfg{$zone}{'file'}= $file;
    $zone_cfg{$zone}{'style'}= $style;
    $zone_cfg{$zone}{'servers'}= [ @servers ];
    $zone_cfg{$zone}{'self_soa'}= [ @self_soa ];
    $zone_cfg{$zone}{'self_ns'}= [ @self_ns ];
    $zone_cfg{$zone}{'output'}= $output;
    push @zone_cfg_list, $zone;
}

sub set_output($) {
    my ($newout) = @_;
    $output= $newout;
    $output_contents{$output}= '';
}


#-------------------- checking

use vars qw($zone $cfg $warnings);
$warnings= 0;

sub progress ($) {
    return if !$verbosity;
    print "$_[0]\n";
}

sub verbose ($) {
    return if $verbosity<2;
    print "    $_[0]\n";
}

sub process_zones (@) {
    my (@zones) = @_;
    local ($zone,$cfg);

    foreach $zone (@zones) {
        $cfg= $zone_cfg{$zone} || {
            'style' => 'foreign',
            'servers' => [ ],
            };
        progress(sprintf "%-40s %s", $zone, $$cfg{'style'});
        if ($check) {
            eval { zone_check() };
            zone_warning("checks failed: $@") if length $@;
        }
        zone_output() if $install;
    }
}

sub zone_warning ($) {
    my ($w) = @_;
    $w =~ s/\n$//;
    $w =~ s,\n, // ,g;
    print STDERR "$zone: warning: $w\n" or die $!;
    $warnings++;
}

sub zone_warnmore ($) {
    print STDERR " $_[0]\n" or die $!;
}

use vars qw(%delgs); # $delgs{$nameserver_list} = [ $whosaidandwhy ]
use vars qw(%auths); # $auths{$nameserver_list} = [ $whosaidandwhy ]
use vars qw(%glue);  # $glue{$name}{$addr_list} = [ $whosaidandwhy ]
use vars qw(%soas);  # $soa{"$origin $serial"} = [ $whosaidandwhy ]
use vars qw(%addr_is_ok);
use vars qw(@to_check); # ($addr,$whyask,$is_auth,$glueless_ok, ...)
use vars qw(@to_check_soa); # ($addr,$whyask, ...)

sub zone_check () {
    my ($super_zone, @super_nsnames,
        $super_ns, @super_ns_addrs, $s, $wa, $is_auth,
        %nsrrset_checked, %soa_checked, $addr, $glueless_ok, $rcode);

    %delgs= %auths= %glue= %soas= %addr_is_ok= ();
    @to_check= @to_check_soa= ();

    $super_zone= $zone;
    for (;;) {
        debug_trace("zone $zone superzone $super_zone");
        $super_zone =~ s/^[^.]+\.// or die "no superzone ? ($super_zone)\n";
        ($rcode,@super_nsnames)= lookup($super_zone,'ns-','06');
        last if !$rcode;
    }
    for $super_ns (@super_nsnames) {
        $super_ns= lc $super_ns;
        ($rcode,@super_ns_addrs)= lookup($super_ns,'a','0');
        foreach $addr (@super_ns_addrs) {
            push @to_check,
                 $addr,
                 "$super_ns, server for $super_zone",
                 0, 0;
        }
    }
    for (;;) {
        # We do these in order so that we always do NS RRset checks on
        # nameservers that came from other NS RRsets first; otherwise
        # we might set nsrrset_checked due to a glueless_ok check,
        # and then not check for gluefulness later.
        debug_dump('@to_check @to_check_soa');
        if (($addr,$wa,$is_auth,$glueless_ok,@to_check) = @to_check) {
            push @to_check_soa, $addr, $wa if $is_auth;
            next if $nsrrset_checked{$addr}++;
            zone_check_nsrrset($addr, "[$addr] $wa",
                               $is_auth, $glueless_ok);
        } elsif (($addr,$wa,@to_check_soa) = @to_check_soa) {
            next if $soa_checked{$addr}++;
            zone_check_soa($addr,"[$addr] $wa");
        } else {
            last;
        }
    }
    zone_consistency();
}

sub zone_check_nsrrset ($$$$) {
    my ($uaddr,$ww, $is_auth, $glueless_ok) = @_;
    my (@s, $s, %s2g, @glue, $glue, $delgs_or_auths);
    verbose("checking delegation by $ww");
    dig(sub {
        if ($dig_type eq 'ns' && $dig_owner eq $zone) {
            $s2g{lc $dig_rdata} = [ ];
        } elsif ($dig_type eq 'a' && exists $s2g{$dig_owner}) {
            push @to_check,
                 $dig_rdata,
                 "$dig_owner, in glue from $ww",
                 1, 0;
            $addr_is_ok{$dig_rdata}= "$dig_owner (NS [$uaddr])"
                if $cfg->{'style'} eq 'stealth';
            push @{ $s2g{$dig_owner} }, $dig_rdata;
        }
    },
             $zone,'ns',$uaddr);
    if (!%s2g) { zone_warning("unable to find NS RRset at $ww"); return; }
    elsif (keys %s2g == 1) { zone_warning("only one nameserver at $ww"); }
    @s= sort keys %s2g;
    foreach $s (@s) {
        @glue= @{ $s2g{$s} };
        if (!@glue) {
            zone_warning("glueless NS $s, from $ww") unless $glueless_ok;
            next;
        }
        $glue= join ' ', sort @glue;
        push @{ $glue{$s}{$glue} }, $ww;
    }
    $s= join ' ', @s;
    $delgs_or_auths= $is_auth ? \%auths : \%delgs;
    push @{ $delgs_or_auths->{$s} }, $ww;
}

sub zone_check_soa ($$) {
    my ($uaddr,$ww) = @_;
    my ($lame,$origin,$got,$rcode,@soa_addrs,$soa_addr);
    verbose("checking service at $ww");
    $lame= 'dead or lame';
    dig(sub {
        if ($dig_type eq 'flags:') {
            $lame= $dig_rdata =~ m/ aa / ? '' : 'lame';
        } elsif ($dig_type eq 'soa' && $dig_owner eq $zone && !$lame) {
            die "several SOAs ? $ww" if defined $origin;
            $got= $dig_rdata;
            $got =~ m/^(\S+) \d+/ or die "$got ?";
            $origin= $1;
        }
    },
             $zone,'soa',$uaddr);
    $lame= 'broken' if !$lame && !defined $origin;
    if ($lame) { zone_warning("$lame server $ww"); return; }
    push @{ $soas{$got} }, $ww;
    ($rcode,@soa_addrs)= lookup($origin,'a','0');
    foreach $soa_addr (@soa_addrs) {
        $addr_is_ok{$soa_addr}= "$origin (SOA [$uaddr])";
        push @to_check,
             $soa_addr,
             "$origin, SOA ORIGIN from $ww";
    }
}

sub zone_consistency() {
    my ($d, $org_ser, $origin, $a, $showok, $h);
    zone_consistency_set('delegations',\%delgs);
    foreach $d (keys %delgs) { delete $auths{$d}; }
    zone_consistency_set('zone nameserver rrset',\%auths);
    foreach $h (keys %glue) {
        zone_consistency_set("glue for $h", $glue{$h});
    }
    zone_consistency_set("SOA ORIGIN and SERIAL",\%soas);
    if ($cfg->{'style'} eq 'primary') {
        foreach $org_ser (keys %soas) {
            $org_ser =~ m/^(\S+) \d+$/ or die "$org_ser ?";
            $origin= $1;
            next if grep { $_ eq $origin } @self_soa;
            zone_warning("our name(s) @self_soa not in SOA ORIGIN $origin,".
                         " eg from ".((values %{ $soas{$org_ser} })[1]));
        }
    }
    if (%addr_is_ok) {
        $showok= 0;
        foreach $a (@{ $cfg->{'servers'} }) {
            next if exists $addr_is_ok{$a};
            zone_warning("we slave from $a"); $showok=1;
        }
        if ($showok) {
            foreach $a (keys %addr_is_ok) {
                zone_warnmore("permitted master [$a] $addr_is_ok{$a}");
            }
        }
    }
}

sub zone_consistency_set ($%) {
    my ($msg,$set) = @_;
    my ($d,$o);
    if (keys(%$set) > 1) {
        zone_warning("inconsistent $msg:");
        foreach $d (keys %$set) {
            foreach $o (@{ $set->{$d} }) { zone_warnmore(" $d from $o"); }
        }
    }
}


#-------------------- outputting

sub zone_output () {
    $output_contents{$$cfg{'output'}}.=
        sprintf(<<'END',
zone "%s" {
    type %s;
    file "%s";
};
END
                $zone,
                $$cfg{'style'} eq 'primary' ? 'master' : 'slave',
                $$cfg{'file'});
}


#-------------------- general utilities

sub debug_dump ($) {
    my ($vn);
    return unless $debug>1;
    local $Data::Dumper::Terse=1;
    foreach $vn (split /\s+/, $_[0]) {
        print "$vn := ", eval "Dumper(\\$vn)";
    }
}

sub debug_trace ($) {
    return unless $debug;
    print "D $_[0]\n";
}

sub lookup ($$$) {
    my ($domain,$type,$okrcodes) = @_;
    my ($c,$h,@result);
    debug_trace("lookup ==> (->$okrcodes) $domain $type");
    $h= new IO::Handle;

    defined($c= open $h, "-|") or die "$0: fork adnshost:\n $!\n";
    if (!$c) {
        exec 'adnshost','-Fi','+Do','+Dt','+Dc','-Cf',"-t$type",
             '-',"$domain.";
        die "$0: exec adnshost:\n $!\n";
    }
    @result= $h->getlines();
    $h->error and die "$0: read from adnshost:\n $!\n";
    chomp @result;
    $!=0; $h->close;
    die "$0: lookup -t$type $domain $okrcodes failed $? $!\n"
        if $! or $?>6 or index($okrcodes,$?)<0;
    debug_trace("lookup <== $? @result");
    return ($?,@result);
}


sub dig (&$$$) {
    my ($eachrr, $qowner,$qtype,$qaddr) = @_;
    # also pseudo-rr with type `flags:'
    my ($h,$inmid,$irdata,$c);
    local ($_);

    debug_trace("dig ==> \@$qaddr $qowner $qtype");

    $h= new IO::Handle;
    defined($c= open $h, "-|") or die "$0: fork dig:\n $!\n";
    if (!$c) {
        open STDERR, ">&STDOUT" or die $!;
        exec ('dig',
              '+nodef','+nosea','+nodebug','+norecurse',
              "\@$qaddr",'-t',$qtype,$qowner);
        die "$0: exec dig:\n $!\n";
    }
    $inmid='';
    for (;;) {
        if (!defined($_= $h->getline())) {
            $h->error() and die "$0: read from dig:\n $!\n";
            last;
        }
        chomp;
        if (length $inmid) {
            s/^\s+/ / or die "$inmid // $_ ?";
            s/\;.*$//;
            $_= $inmid.$_;
            $inmid='';
            s/$/ \(/ unless s/\s*\)\s*$//;
        }
        if (s/\s*\(\s*$//) { $inmid= $_; next; }
        if (m/^\;\; flags\:( [-0-9a-z ]+)\;/) {
            $dig_owner=''; $dig_type='flags:'; $dig_rdata= "$1 ";
            debug_trace("dig  f: $dig_rdata");
            &$eachrr;
        } elsif (m/^\;/) {
        } elsif (!m/\S/) {
        } elsif (m/^([-.0-9a-z]+)\s+\d\w+\s+in\s+([a-z]+)\s+(\S.*)/i) {
            $dig_owner=domain_canon($1); $dig_type=lc $2; $irdata=$3;
            if ($dig_type eq 'a') {
                $irdata =~ m/^[.0-9]+$/ or die "$irdata ?";
                $dig_rdata= $&;
            } elsif ($dig_type eq 'ns') {
                $irdata =~ m/^[-.0-9a-z]+$/i or die "bad nameserver $irdata ?";
                $dig_rdata= domain_canon($irdata);
            } elsif ($dig_type eq 'soa') {
                $irdata =~ m/^([-.0-9a-z]+)\s+.*\s+(\d+)(?:\s+\d\w+){4}$/i
                    or die "bad SOA $irdata ?";
                $dig_rdata= domain_canon($1).' '.$2;
            } else {
                debug_trace("ignoring uknown RR type $dig_type");
                next;
            }
            debug_trace("dig  $dig_owner $dig_type $dig_rdata");
            &$eachrr;
        } else {
            debug_trace("ignoring unknown dig output $_");
        }
    }
    $h->close;
    debug_trace("dig <== gave $?");
}

sub domain_canon ($) {
    local ($_) = @_;
    s/(.)\.$/$1/;
    return lc $_;
}

__DATA__




sub lookup1 ($$) {
    my ($type,$domain) = @_;
    my (@result)= lookup($type,$domain);
    @result==1 or die "$0: lookup -t$type $domain gave more than one RR\n";
    return $result[0];
}

sub check () {
    return unless $check;
    eval {
        $soa= lookup1('soa',$zone);
        $soa_origin=$soa; $soa_origin =~ s/ .*//;
        $soa_origin_addr= lookup1('a',$soa_origin);

        @zone_ns= lookup('ns-',$zone);

        @ok_sources= ($soa_origin_addr);
        $ok_sources_descr= "SOA ORIGIN $soa_origin [$soa_origin_addr]";

        if ($style eq 'unoff' || $style eq 'backup') {
            for $zone_ns (@zone_ns) {
                @zone_ns_addrs= lookup('a',$zone_ns);
                push @ok_sources, @zone_ns_addrs;
                $ok_sources_descr.= ", NS $zone_ns [@zone_ns_addrs]";
            }
        }

        for $server (@servers) {
            grep { $server eq $_ } @ok_sources
                or warn "secondarying from $server which is not ".
                        "$ok_sources_desc\n";
        }

        if ($style eq 'secondary') {
            grep { $zone_ns=$_, grep { $myname eq $_ } @mynames } @zone_n
                or warn "supposedly published secondary but we ".
                        "(@mynames) are not published ($@zone_ns)\n";
        }
    }
    check_after_eval();
    

                         
#       $superzone= $zone; $superzone =~ s/^[^\.]+\.//;
#       @super_ns= lookup('ns-',$zone);
    }

    eval {

        for $super_ns (@super_ns) {
            @deleg_ns= ();
            open DIG, "dig @$super_ns. -t ns +norecurse $zone."
                or die "$0: fork for dig:\n $!\n";
            while (<DIG>) {
                

            split /\n/, lookup("
        
                case "$style" in
                secondary|backup)
                        if [ $meadvert = 0 ]
                        then
                                warning "$myname unlisted NS $nsnames"
                        fi
                        ;;
                unoff)
                        if $meadvert = 0
                        then
                                warning "$myname advertised NS $nsnames"
                        fi
                        ;;
                esac

                addrs=''
                for ns in $names
                do
                        set -e; a="`host -t a \"$ns\".`"; set +e
                        taddrs="`echo \" $a\" | expand | sed -n '
                                 1s/^ //
                                s/^[^ ][^ ]*  *A  *\([0-9][.0-9]*\)/\1/p
                        '`"
                        equlines "A $ns" "$a" "$taddrs"
                        addrs="$addrs $taddrs"
                done
        fi

        cat <<END
zone "$zone" {
        type slave;
        file "$file";
        masters {
END
        for server in $servers
        do
                echo "          $server;"
                if $check
                then
                        notfound=1
                        for addr in $addrs
                        do
                                if [ "x$addr" = "x$server" ]
                                then
                                        notfound=0
                                fi
                        done
                        if $notfound
                        then
 warning "server $server? but $rectype $names" $addrs
                        fi
                fi
        done
        cat <<END
        };
};
END
        hostfirstwarn=1
        if $hostdelg
        then
                checkhostout -C
        fi
        if $hostzone
        then
                checkhostout -val localhost
        fi
done
endfile

    
chdir "$base/primary" or die "$0: chdir $base/primary:\n $!";
beginfile('primary.zones');

for $f (<*_db>) {
    $zone= $f; $zone =~ s/_db$//;
    

for f in $zones
do
        zone="`echo $f | sed -e 's/_db$//'`"
END
done
endfile


    
sub beginfile ($) {
    $currentfile= $_[0];
    $currentfile_opened= $install ? "$conf/$currentfile.new" : "/dev/null";
    open CFF, "> $toopen" or die "$0: begin $currentfile_opened:\n $!\n";
}

endfile () {
    close CFF or die "$0: close $currentfile_opened:\n $!\n";
    push @files, $currentfile;
}

sub installfiles () {
    return unless $install;
    chdir $conf or die "$0: chdir $conf:\n $!\n";
    for $f (@files) {
        rename "$f.new", $f or die "$0: install new $f:\n $!\n";
    }
}

warning () {
        echo >&2 "$zone $style: $*"
        warnings=$[$warnings+1]
}

equlines () {
        if [ "x`echo \" $2\" | wc -l`" != "x`echo \" $3\" | wc -l`" ]
        then
                warning "$1 >$2|$3<"
        fi
}

checkhostout () {
        set +e
        hostout="`host $1 \"$zone\" 2>&1 >/dev/null $2 | egrep -v \
'^ \!\!\! .* SOA primary .* is not advertised via NS$'`"
        set -e
        if [ "x$hostout" = x ]; then return; fi
        if $hostfirstwarn
        then
                warning "warnings from host:"
                hostfirstwarn=0
        fi
        echo >&2 "$hostout"
}

progress () {
        if $progress
        then
                echo -n "$zone $style                    " >&2
                echo -ne '\r' >&2
        fi
}

myname=''

if [ $warnings != 0 ]
then
        echo >&2 "$warnings warnings                                        "
fi

installfiles