7 use vars qw($etcfile $where);
8 $etcfile= "/etc/bind/chiark-conf-gen.zones";
11 use vars qw($mode $verbosity $debug);
16 use vars qw($dig_owner $dig_type $dig_rdata);
18 while (@ARGV && $ARGV[0] =~ m/^\-/) {
22 if (m/^quiet$/) { $verbosity=0; }
23 elsif (m/^verbose$/) { $verbosity=2; }
24 elsif (m/^(yes|no|force)$/) { m/^./; $mode= $&; }
25 elsif (m/^config$/) { $etcfile= loarg(); $where= '--config option'; }
26 else { usageerr("unknown option --$_"); }
31 if (s/^[ynf]//) { $mode=$&; }
32 elsif (s/^v//) { $verbosity=2; }
33 elsif (s/^q//) { $verbosity=0; }
34 elsif (s/^D//) { $debug++; }
35 elsif (s/^C//) { $etcfile= soarg(); $where= '-C option'; }
36 else { usageerr("unknown option -$&"); }
41 sub loarg() { usageerr("missing option value") if !@ARGV; return shift @ARGV; }
42 sub soarg() { my ($rv); $rv=$_; $_=''; return length $rv ? $rv : loarg(); }
44 usageerr("must specify either -f|-y|-n or zones (and not both)")
45 if !!$mode == !!@ARGV;
50 usage: named-conf-regen [-rvq] -f|-y|-n|<zone>...\n".
52 " -f --force install without checking\n".
53 " -y --yes check and install\n".
54 " -n --no check only\n".
55 "additional options:\n".
56 " -q --quiet no output for OK zones\n".
57 " -v --verbose extra verbose\n";
60 cfg_fail("config filename $etcfile should have been absolute path of a file")
61 unless $etcfile =~ m,^/, && $etcfile !~ m,/$,;
63 use vars qw($default_dir);
64 $default_dir= $etcfile;
65 $default_dir =~ s,/[^/]+$,,;
67 use vars qw($slave_dir $slave_prefix $slave_suffix);
72 use vars qw(@self_ns @self_soa);
73 @self_ns= @self_soa= ();
75 use vars qw(%zone_cfg @zone_cfg_list);
79 use vars qw($output $default_output %output_contents);
84 use vars qw($check $install);
85 $check= $mode !~ m/^f/;
86 $install= $mode =~ m/^[yf]/;
88 read_config($etcfile);
89 debug_dump('@zone_cfg_list %zone_cfg');
90 process_zones($mode ? @zone_cfg_list : @ARGV);
91 debug_dump('%output_contents');
94 #-------------------- configuration reading
96 sub cfg_fail ($) { die "$0: $where:\n $_[0]\n"; }
100 my ($fh,$z,@self, $dir,$prefix,$suffix,$lprefix,$lsuffix);
103 $fh= new IO::File $if,'r' or cfg_fail("open $if:\n $!");
105 if (!defined($_= <$fh>)) {
106 cfg_fail("read config file $if:\n $!") if $fh->error();
110 s/^\s+//; chomp; s/\s+$//;
114 if (m/^self(\-ns|\-soa|)\s+(\S.*\S)/) {
115 @self= split /\s+/, $2;
116 @self_ns= @self if $1 ne '-soa';
117 @self_soa= @self if $1 ne '-ns';
118 } elsif (m/^primary\-dir\s+(\S+)((?:\s+(\S+))??:\s+(\S+))?$/) {
119 ($dir, $prefix, $suffix) = (qualify($1),$2,$3);
120 $suffix= '_db' if !length $suffix;
121 opendir D, $dir or cfg_fail("open primary-dir $dir:\n $!");
122 $lprefix= length $prefix; $lsuffix= length $suffix;
123 while ($!=0, $_= readdir D) {
124 next if m/^\./ && !$lprefix;
125 next unless length > $lprefix+$lsuffix;
126 next unless substr($_,0,$lprefix) eq $prefix;
127 next unless substr($_,length($_)-$lsuffix) eq $suffix;
128 $z= substr($_,$lprefix,length($_)-($lprefix+$lsuffix));
129 zone_conf($z,'primary',"$dir/$_");
131 $! and cfg_fail("read primary-dir $dir:\n $!");
132 closedir D or cfg_fail("close primary-dir $dir:\n $!");
133 } elsif (m/^primary\s+(\S+)\s+(\S+)$/) {
134 zone_conf($1,'primary',qualify($2));
135 } elsif (m/^secondary\s+(\S+)\s+([0-9.\t]+)$/) {
136 zone_conf($1,'secondary','',$2);
137 } elsif (m/^stealth\s+(\S+)\s+([0-9. \t]+)$/) {
138 zone_conf($1,'stealth','',split /\s+/, $2);
139 } elsif (m/^slave\-dir\s+(\S+)((?:\s+(\S+))??:\s+(\S+))?$/) {
140 ($slave_dir, $slave_prefix, $slave_suffix) = (qualify($1),$2,$3);
141 } elsif (m/^output\s+bind8\+(\S+)$/) {
142 cfg_fail("default output may not apply to only some zones")
143 if @zone_cfg_list && length $default_output;
144 set_output(qualify($1));
145 } elsif (m/^include\s+(\S+)$/) {
148 cfg_fail("unknown configuration directive".
149 " or incorrect syntax or arguments");
152 $fh->close or cfg_fail("close config file $if:\n $!");
157 $i= "$default_dir/$i" unless $i =~ m,^/,;
160 sub zone_conf ($$@) {
161 my ($zone,$style,$file,@servers) = @_;
162 $file= qualify("$slave_dir/$slave_prefix".$zone.$slave_suffix)
164 if (!length $output) {
165 $default_output= qualify('chiark-conf-gen.bind8')
166 unless length $default_output;
167 set_output($default_output);
169 cfg_fail("redefined zone $zone") if exists $zone_cfg{$zone};
170 $zone_cfg{$zone}{'file'}= $file;
171 $zone_cfg{$zone}{'style'}= $style;
172 $zone_cfg{$zone}{'servers'}= [ @servers ];
173 $zone_cfg{$zone}{'self_soa'}= [ @self_soa ];
174 $zone_cfg{$zone}{'self_ns'}= [ @self_ns ];
175 $zone_cfg{$zone}{'output'}= $output;
176 push @zone_cfg_list, $zone;
182 $output_contents{$output}= '';
186 #-------------------- checking
188 use vars qw($zone $cfg $warnings);
192 return if !$verbosity;
197 return if $verbosity<2;
201 sub process_zones (@) {
205 foreach $zone (@zones) {
206 $cfg= $zone_cfg{$zone} || {
207 'style' => 'foreign',
210 progress(sprintf "%-40s %s", $zone, $$cfg{'style'});
212 eval { zone_check() };
213 zone_warning("checks failed: $@") if length $@;
215 zone_output() if $install;
219 sub zone_warning ($) {
223 print STDERR "$zone: warning: $w\n" or die $!;
227 sub zone_warnmore ($) {
228 print STDERR " $_[0]\n" or die $!;
231 use vars qw(%delgs); # $delgs{$nameserver_list} = [ $whosaidandwhy ]
232 use vars qw(%auths); # $auths{$nameserver_list} = [ $whosaidandwhy ]
233 use vars qw(%glue); # $glue{$name}{$addr_list} = [ $whosaidandwhy ]
234 use vars qw(%soas); # $soa{"$origin $serial"} = [ $whosaidandwhy ]
235 use vars qw(%addr_is_ok);
236 use vars qw(@to_check); # ($addr,$whyask,$is_auth,$glueless_ok, ...)
237 use vars qw(@to_check_soa); # ($addr,$whyask, ...)
240 my ($super_zone, @super_nsnames,
241 $super_ns, @super_ns_addrs, $s, $wa, $is_auth,
242 %nsrrset_checked, %soa_checked, $addr, $glueless_ok, $rcode);
244 %delgs= %auths= %glue= %soas= %addr_is_ok= ();
245 @to_check= @to_check_soa= ();
249 debug_trace("zone $zone superzone $super_zone");
250 $super_zone =~ s/^[^.]+\.// or die "no superzone ? ($super_zone)\n";
251 ($rcode,@super_nsnames)= lookup($super_zone,'ns-','06');
254 for $super_ns (@super_nsnames) {
255 $super_ns= lc $super_ns;
256 ($rcode,@super_ns_addrs)= lookup($super_ns,'a','0');
257 foreach $addr (@super_ns_addrs) {
260 "$super_ns, server for $super_zone",
265 # We do these in order so that we always do NS RRset checks on
266 # nameservers that came from other NS RRsets first; otherwise
267 # we might set nsrrset_checked due to a glueless_ok check,
268 # and then not check for gluefulness later.
269 debug_dump('@to_check @to_check_soa');
270 if (($addr,$wa,$is_auth,$glueless_ok,@to_check) = @to_check) {
271 push @to_check_soa, $addr, $wa if $is_auth;
272 next if $nsrrset_checked{$addr}++;
273 zone_check_nsrrset($addr, "[$addr] $wa",
274 $is_auth, $glueless_ok);
275 } elsif (($addr,$wa,@to_check_soa) = @to_check_soa) {
276 next if $soa_checked{$addr}++;
277 zone_check_soa($addr,"[$addr] $wa");
285 sub zone_check_nsrrset ($$$$) {
286 my ($uaddr,$ww, $is_auth, $glueless_ok) = @_;
287 my (@s, $s, %s2g, @glue, $glue, $delgs_or_auths);
288 verbose("checking delegation by $ww");
290 if ($dig_type eq 'ns' && $dig_owner eq $zone) {
291 $s2g{lc $dig_rdata} = [ ];
292 } elsif ($dig_type eq 'a' && exists $s2g{$dig_owner}) {
295 "$dig_owner, in glue from $ww",
297 $addr_is_ok{$dig_rdata}= "$dig_owner (NS [$uaddr])"
298 if $cfg->{'style'} eq 'stealth';
299 push @{ $s2g{$dig_owner} }, $dig_rdata;
303 if (!%s2g) { zone_warning("unable to find NS RRset at $ww"); return; }
304 elsif (keys %s2g == 1) { zone_warning("only one nameserver at $ww"); }
307 @glue= @{ $s2g{$s} };
309 zone_warning("glueless NS $s, from $ww") unless $glueless_ok;
312 $glue= join ' ', sort @glue;
313 push @{ $glue{$s}{$glue} }, $ww;
316 $delgs_or_auths= $is_auth ? \%auths : \%delgs;
317 push @{ $delgs_or_auths->{$s} }, $ww;
320 sub zone_check_soa ($$) {
321 my ($uaddr,$ww) = @_;
322 my ($lame,$origin,$got,$rcode,@soa_addrs,$soa_addr);
323 verbose("checking service at $ww");
324 $lame= 'dead or lame';
326 if ($dig_type eq 'flags:') {
327 $lame= $dig_rdata =~ m/ aa / ? '' : 'lame';
328 } elsif ($dig_type eq 'soa' && $dig_owner eq $zone && !$lame) {
329 die "several SOAs ? $ww" if defined $origin;
331 $got =~ m/^(\S+) \d+/ or die "$got ?";
336 $lame= 'broken' if !$lame && !defined $origin;
337 if ($lame) { zone_warning("$lame server $ww"); return; }
338 push @{ $soas{$got} }, $ww;
339 ($rcode,@soa_addrs)= lookup($origin,'a','0');
340 foreach $soa_addr (@soa_addrs) {
341 $addr_is_ok{$soa_addr}= "$origin (SOA [$uaddr])";
344 "$origin, SOA ORIGIN from $ww";
348 sub zone_consistency() {
349 my ($d, $org_ser, $origin, $a, $showok, $h);
350 zone_consistency_set('delegations',\%delgs);
351 foreach $d (keys %delgs) { delete $auths{$d}; }
352 zone_consistency_set('zone nameserver rrset',\%auths);
353 foreach $h (keys %glue) {
354 zone_consistency_set("glue for $h", $glue{$h});
356 zone_consistency_set("SOA ORIGIN and SERIAL",\%soas);
357 if ($cfg->{'style'} eq 'primary') {
358 foreach $org_ser (keys %soas) {
359 $org_ser =~ m/^(\S+) \d+$/ or die "$org_ser ?";
361 next if grep { $_ eq $origin } @self_soa;
362 zone_warning("our name(s) @self_soa not in SOA ORIGIN $origin,".
363 " eg from ".((values %{ $soas{$org_ser} })[1]));
368 foreach $a (@{ $cfg->{'servers'} }) {
369 next if exists $addr_is_ok{$a};
370 zone_warning("we slave from $a"); $showok=1;
373 foreach $a (keys %addr_is_ok) {
374 zone_warnmore("permitted master [$a] $addr_is_ok{$a}");
380 sub zone_consistency_set ($%) {
383 if (keys(%$set) > 1) {
384 zone_warning("inconsistent $msg:");
385 foreach $d (keys %$set) {
386 foreach $o (@{ $set->{$d} }) { zone_warnmore(" $d from $o"); }
392 #-------------------- outputting
395 $output_contents{$$cfg{'output'}}.=
403 $$cfg{'style'} eq 'primary' ? 'master' : 'slave',
408 #-------------------- general utilities
412 return unless $debug>1;
413 local $Data::Dumper::Terse=1;
414 foreach $vn (split /\s+/, $_[0]) {
415 print "$vn := ", eval "Dumper(\\$vn)";
419 sub debug_trace ($) {
420 return unless $debug;
425 my ($domain,$type,$okrcodes) = @_;
427 debug_trace("lookup ==> (->$okrcodes) $domain $type");
430 defined($c= open $h, "-|") or die "$0: fork adnshost:\n $!\n";
432 exec 'adnshost','-Fi','+Do','+Dt','+Dc','-Cf',"-t$type",
434 die "$0: exec adnshost:\n $!\n";
436 @result= $h->getlines();
437 $h->error and die "$0: read from adnshost:\n $!\n";
440 die "$0: lookup -t$type $domain $okrcodes failed $? $!\n"
441 if $! or $?>6 or index($okrcodes,$?)<0;
442 debug_trace("lookup <== $? @result");
448 my ($eachrr, $qowner,$qtype,$qaddr) = @_;
449 # also pseudo-rr with type `flags:'
450 my ($h,$inmid,$irdata,$c);
453 debug_trace("dig ==> \@$qaddr $qowner $qtype");
456 defined($c= open $h, "-|") or die "$0: fork dig:\n $!\n";
458 open STDERR, ">&STDOUT" or die $!;
460 '+nodef','+nosea','+nodebug','+norecurse',
461 "\@$qaddr",'-t',$qtype,$qowner);
462 die "$0: exec dig:\n $!\n";
466 if (!defined($_= $h->getline())) {
467 $h->error() and die "$0: read from dig:\n $!\n";
472 s/^\s+/ / or die "$inmid // $_ ?";
476 s/$/ \(/ unless s/\s*\)\s*$//;
478 if (s/\s*\(\s*$//) { $inmid= $_; next; }
479 if (m/^\;\; flags\:( [-0-9a-z ]+)\;/) {
480 $dig_owner=''; $dig_type='flags:'; $dig_rdata= "$1 ";
481 debug_trace("dig f: $dig_rdata");
485 } elsif (m/^([-.0-9a-z]+)\s+\d\w+\s+in\s+([a-z]+)\s+(\S.*)/i) {
486 $dig_owner=domain_canon($1); $dig_type=lc $2; $irdata=$3;
487 if ($dig_type eq 'a') {
488 $irdata =~ m/^[.0-9]+$/ or die "$irdata ?";
490 } elsif ($dig_type eq 'ns') {
491 $irdata =~ m/^[-.0-9a-z]+$/i or die "bad nameserver $irdata ?";
492 $dig_rdata= domain_canon($irdata);
493 } elsif ($dig_type eq 'soa') {
494 $irdata =~ m/^([-.0-9a-z]+)\s+.*\s+(\d+)(?:\s+\d\w+){4}$/i
495 or die "bad SOA $irdata ?";
496 $dig_rdata= domain_canon($1).' '.$2;
498 debug_trace("ignoring uknown RR type $dig_type");
501 debug_trace("dig $dig_owner $dig_type $dig_rdata");
504 debug_trace("ignoring unknown dig output $_");
508 debug_trace("dig <== gave $?");
511 sub domain_canon ($) {
523 my ($type,$domain) = @_;
524 my (@result)= lookup($type,$domain);
525 @result==1 or die "$0: lookup -t$type $domain gave more than one RR\n";
530 return unless $check;
532 $soa= lookup1('soa',$zone);
533 $soa_origin=$soa; $soa_origin =~ s/ .*//;
534 $soa_origin_addr= lookup1('a',$soa_origin);
536 @zone_ns= lookup('ns-',$zone);
538 @ok_sources= ($soa_origin_addr);
539 $ok_sources_descr= "SOA ORIGIN $soa_origin [$soa_origin_addr]";
541 if ($style eq 'unoff' || $style eq 'backup') {
542 for $zone_ns (@zone_ns) {
543 @zone_ns_addrs= lookup('a',$zone_ns);
544 push @ok_sources, @zone_ns_addrs;
545 $ok_sources_descr.= ", NS $zone_ns [@zone_ns_addrs]";
549 for $server (@servers) {
550 grep { $server eq $_ } @ok_sources
551 or warn "secondarying from $server which is not ".
552 "$ok_sources_desc\n";
555 if ($style eq 'secondary') {
556 grep { $zone_ns=$_, grep { $myname eq $_ } @mynames } @zone_n
557 or warn "supposedly published secondary but we ".
558 "(@mynames) are not published ($@zone_ns)\n";
565 # $superzone= $zone; $superzone =~ s/^[^\.]+\.//;
566 # @super_ns= lookup('ns-',$zone);
571 for $super_ns (@super_ns) {
573 open DIG, "dig @$super_ns. -t ns +norecurse $zone."
574 or die "$0: fork for dig:\n $!\n";
584 warning "$myname unlisted NS $nsnames"
590 warning "$myname advertised NS $nsnames"
598 set -e; a="`host -t a \"$ns\".`"; set +e
599 taddrs="`echo \" $a\" | expand | sed -n '
601 s/^[^ ][^ ]* *A *\([0-9][.0-9]*\)/\1/p
603 equlines "A $ns" "$a" "$taddrs"
604 addrs="$addrs $taddrs"
614 for server in $servers
622 if [ "x$addr" = "x$server" ]
629 warning "server $server? but $rectype $names" $addrs
644 checkhostout -val localhost
650 chdir "$base/primary" or die "$0: chdir $base/primary:\n $!";
651 beginfile('primary.zones');
654 $zone= $f; $zone =~ s/_db$//;
659 zone="`echo $f | sed -e 's/_db$//'`"
668 $currentfile_opened= $install ? "$conf/$currentfile.new" : "/dev/null";
669 open CFF, "> $toopen" or die "$0: begin $currentfile_opened:\n $!\n";
673 close CFF or die "$0: close $currentfile_opened:\n $!\n";
674 push @files, $currentfile;
677 sub installfiles () {
678 return unless $install;
679 chdir $conf or die "$0: chdir $conf:\n $!\n";
681 rename "$f.new", $f or die "$0: install new $f:\n $!\n";
686 echo >&2 "$zone $style: $*"
687 warnings=$[$warnings+1]
691 if [ "x`echo \" $2\" | wc -l`" != "x`echo \" $3\" | wc -l`" ]
699 hostout="`host $1 \"$zone\" 2>&1 >/dev/null $2 | egrep -v \
700 '^ \!\!\! .* SOA primary .* is not advertised via NS$'`"
702 if [ "x$hostout" = x ]; then return; fi
705 warning "warnings from host:"
714 echo -n "$zone $style " >&2
721 if [ $warnings != 0 ]
723 echo >&2 "$warnings warnings "