$progress_fh $warn_fh $modifiers
%group2modcmd %group2used);
+$|=1;
$quis= $0; $quis =~ s,.*/,,;
$mode= '';
$slave_prefix= '';
$slave_suffix= '';
-use vars qw(@self_ns @self_soa @self_addr @forbid_addr @conv_glueless);
-@self_ns= @self_soa= @self_addr= @forbid_addr= ();
+use vars qw(@self_ns @self_soa @self_addr @forbid_addr @forbid_slave
+ @conv_glueless @indirect_glue);
+@self_ns= @self_soa= @self_addr= @forbid_addr= @forbid_slave= @indirect_glue= ();
@conv_glueless= qw(in-addr.arpa ip6.arpa ip6.int);
use vars qw(%zone_cfg @zone_cfg_list);
@self_soa= @self if $1 ne '-ns';
} elsif (m/^serverless\-glueless\s+(\S.*\S)/) {
@conv_glueless= split /\s+/, $1;
+ } elsif (m/^allow\-indirect\-glue\s+(\S.*\S)/) {
+ @indirect_glue= split /\s+/, $1;
} elsif (m/^self\-addr\s+([0-9. \t]+)/) {
@self_addr= split /\s+/, $1;
} elsif (m/^forbid\-addr(?:\s+([0-9. \t]+))?/) {
@forbid_addr= defined $1 ? split /\s+/, $1 : ();
+ } elsif (m/^forbid\-slave(?:\s+([0-9. \t]+))?/) {
+ @forbid_slave= defined $1 ? split /\s+/, $1 : ();
} elsif (m,^
primary\-dir (\W*)
\s+ (\S+)/([^/ \t]*)
$zone_cfg{$zone}{'maildir'}= qualify($mail_state_dir);
$zone_cfg{$zone}{'mailmwarn'}= $mail_max_warnfreq;
}
- foreach $sfx (qw(self_soa self_ns self_addr forbid_addr conv_glueless)) {
+ foreach $sfx (qw(self_soa self_ns self_addr forbid_addr forbid_slave
+ conv_glueless indirect_glue)) {
{ no strict 'refs'; $aref= [ @$sfx ]; }
@$aref or cfg_fail("failed to specify $sfx before zone")
if $sfx =~ m/^self/;
use vars qw(%delgs); # $delgs{$nameserver_list} = [ $whosaidandwhy ]
use vars qw(%auths); # $auths{$nameserver_list} = [ $whosaidandwhy ]
use vars qw(%glue); # $glue{$name}{$addr_list} = [ $whosaidandwhy ]
-use vars qw(%soas); # $soa{"$serial $origin"} = [ $whosaidandwhy ]
+use vars qw(%soas); # $soa{"$serial $mname"} = [ $whosaidandwhy ]
use vars qw(%addr_is_ok %warned);
use vars qw($delg_to_us);
use vars qw(@to_check); # ($addr,$whyask,$name_if_auth,$glueless_ok, ...)
@glue= @{ $s2g{$s} };
if (!@glue) {
zone_warning("glueless NS $s", $ww)
- unless $glueless_ok || zone_style('~',!$needglue) ||
- grep { has_suffix_of($zone,".$_"); }
- @{ $cfg->{'conv_glueless'} };
+ unless $glueless_ok
+ or zone_style('~',!$needglue)
+ or grep { has_suffix_of($zone,".$_"); }
+ @{ $cfg->{'conv_glueless'} }
+ or ((grep { has_suffix_of($s,".$_"); }
+ @{ $cfg->{'indirect_glue'} }) and
+ !(grep { has_suffix_of($zone,".$_"); }
+ @{ $cfg->{'indirect_glue'} }));
($rcode,@glue)= lookup($s,'a','0',"glueless NS from $ww");
foreach $a (@glue) {
$wwn= "glueless NS from $ww";
sub zone_server_addr ($$$$$) {
my ($addr,$name,$ww,$wwq,$is_soa) = @_;
- debug_trace("zone_server_addr ".join '|',@_);
+ debug_trace("zone_server_addr ".join('|',@_));
$addr_is_ok{$addr}= "$name ($wwq)"
if $is_soa || $cfg->{'s'} =~ m/u/;
zone_warning("forbidden nameserver address [$addr] $name",$ww)
if grep { $_ eq $addr } @{ $cfg->{'forbid_addr'} };
+ zone_warning("forbidden server address for our slave [$addr] $name",$ww)
+ if $cfg->{'s'} =~ m/p/ and
+ grep { $_ eq $addr } @{ $cfg->{'forbid_slave'} };
my ($name_is_self, $addr_is_self);
$name_is_self= grep { $_ eq $name }
}
if (!$name_is_self && !$addr_is_self &&
$is_soa && $cfg->{'s'} =~ m/p/) {
- zone_warning("SOA ORIGIN $name is not us (".
+ zone_warning("SOA MNAME $name is not us (".
(join ' ', @{ $cfg->{'self_soa'} }).")", $ww);
}
$delg_to_us=1 if $addr_is_self && !$is_soa;
sub zone_check_soa ($$$$) {
my ($uaddr,$wa,$name,$is_ns) = @_;
- my ($lame,$serial,$origin,$got,$rcode,@soa_addrs,$soa_addr,$ww,$wwn);
+ my ($lame,$serial,$mname,$got,$rcode,@soa_addrs,$soa_addr,$ww,$wwn);
verbose("checking service at [$uaddr] $name");
$lame= 'dead or lame';
$ww= "[$uaddr] $wa";
if ($dig_type eq 'flags:') {
$lame= $dig_rdata =~ m/ aa / ? '' : 'lame';
} elsif ($dig_type eq 'soa' && $dig_owner eq $zone && !$lame) {
- die "several SOAs ? $ww" if defined $origin;
+ die "several SOAs ? $ww" if defined $mname;
$got= $dig_rdata;
$got =~ m/^(\d+) (\S+)$/ or die "$got ?";
- ($serial,$origin) = ($1,$2);
+ ($serial,$mname) = ($1,$2);
}
},
$zone,'soa',$uaddr);
- $lame= 'broken' if !$lame && !defined $origin;
+ $lame= 'broken' if !$lame && !defined $mname;
if ($lame) { zone_warning("$lame server [$uaddr]",$wa); return; }
progress(2, sprintf "%-16s %46s has %s%s",
$zone, "$name [$uaddr]", $serial, $is_ns ? '' : '*');
push @{ $soas{$got} }, $ww;
- ($rcode,@soa_addrs)= lookup($origin,'a','0',"SOA ORIGIN");
- $wwn= "SOA ORIGIN from $ww";
+ ($rcode,@soa_addrs)= lookup($mname,'a','0',"SOA MNAME");
+ $wwn= "SOA MNAME from $ww";
foreach $soa_addr (@soa_addrs) {
- zone_server_queue($soa_addr,$origin,$wwn,"SOA [$uaddr]",1);
+ zone_server_queue($soa_addr,$mname,$wwn,"SOA [$uaddr]",1);
}
}
sub zone_consistency() {
- my ($d, $org_ser, $origin, $a, $h, $self_soa, $wa);
+ my ($d, $org_ser, $mname, $a, $h, $self_soa, $wa);
zone_consistency_set('delegations',\%delgs);
foreach $d (keys %delgs) { delete $auths{$d}; }
zone_consistency_set('zone nameserver rrset',\%auths);
foreach $h (keys %glue) {
zone_consistency_set("glue for $h", $glue{$h});
}
- zone_consistency_set("serial number and/or SOA ORIGIN",\%soas);
+ zone_consistency_set("serial number and/or SOA MNAME",\%soas);
$self_soa= $cfg->{'self_soa'};
}
}
sub zone_servers_simplefind () {
- my ($rcode,@nsnames,$ns,@soas,$origin);
+ my ($rcode,@nsnames,$ns,@soas,$mname);
($rcode,@nsnames)= lookup($zone,'ns-','0',"zone's servers");
foreach $ns (@nsnames) {
}
$delgs{join ' ', sort @nsnames} = [ "zone's servers" ];
- ($rcode,@soas)= lookup($zone,'soa','0',"SOA ORIGIN");
+ ($rcode,@soas)= lookup($zone,'soa','0',"SOA MNAME");
die "multiple SOA RRs in set! @soas ?" if @soas!=1;
$soas[0] =~ m/^(\S+)\s/ or die "SOA ? $_";
zone_server_simple(domain_canon($1,"lookup $zone SOA"),'SOA',1);
my ($name,$ww,$is_soa) = @_;
my ($rcode,@addrs,$addr);
($rcode,@addrs)= lookup($name,'a','0', "server - ".
- ($is_soa ? "SOA ORIGIN" : "NS"));
+ ($is_soa ? "SOA MNAME" : "NS"));
foreach $addr (@addrs) { zone_server_addr($addr,$name,$ww,$ww,$is_soa); }
}
Specifies the list of addresses that are forbidden as any nameserver
for any zone. The default is no such addresses.
.TP
+\fBforbid\-addr\fP [\fIip-address ...\fP]
+Specifies the list of addresses that are forbidden as a nameserver
+for a zone for which we are the primary - ie, the list of our old or
+to-be-obsoleted slaves. The default is no such addresses.
+.TP
\fBserverless\-glueless\fP \fIdomain ...\fP
Specifies a list of domains under which we do not expect to find any
nameservers; for these zones it is OK to find glueless referrals.
devoid of nameservers, and therefore fine to provide glueless
referrals for. See GLUELESSNESS below.
.TP
+\fBallow-\-indirect\-glue\fP \fInameserver-superdomain ...\fP
+Specifies a list of domains under which we expect to find glueless
+nameservers, with up to one layer of indirection.
+For nameservers under these domains it is OK to to find glueless
+referrals, but only when listed as a nameserver for a zone which is
+not itself a subdomain of an \fBallow-indirect-glue\fR
+\fInameserver-superdomain\fR.
+
+This supports to common configuration style where DNS operator(s) set
+up all of their nameservers with names within a small subsection of
+the DNS (the portions under \fInameserver-superdomain\fRs), and
+provide glueless referrals naming these nameservers for all other
+zones. This provides at most one level of missing glue.
+
+Note that if the DNS administrators collectively able to influence the
+service for some zone (including the admins for its superzones, the
+zones containing its nameservers, and their superzones and so forth)
+are not in sufficiently close communication do not all agree on the
+proper set of \fInameserver-superdomain\fR then they might still set
+up circular glue and \fBchiark-named-conf\fR would not necessarily be
+able to detect this even if it was run on every relevant nameserver.
+.TP
\fBmail\-state\-dir\fP \fIdirectory\fP
Uses
.I directory
~ian / chiark-utils.git / commitdiff