* chiark-named-conf improvements:

  - set $|=1 to make output better with eg  2>&1 |less
  - new allow-indirect-glue directive
  - new forbid-slave directive
  - remove incorrect references to SOA ORIGIN - should be MNAME

diff --git a/debian/changelog b/debian/changelog
index 34709a88db41c86e6b494c39c647b08433182c00..d0e3dfac0fa56920eabfe98c64650098c171448a 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+chiark-utils (4.1.22) unstable; urgency=low
+
+  * chiark-named-conf improvements:
+    - set $|=1 to make output better with eg  2>&1 |less
+    - new allow-indirect-glue directive
+    - new forbid-slave directive
+    - remove incorrect references to SOA ORIGIN - should be MNAME
+
+ --
+

 chiark-utils (4.1.21) unstable; urgency=low
 
   * backup-snaprsync: pass -I to rsync when copying rsums.
 chiark-utils (4.1.21) unstable; urgency=low
 
   * backup-snaprsync: pass -I to rsync when copying rsums.

diff --git a/scripts/named-conf b/scripts/named-conf
index 1f02e2152a6ede0361532f98a585c0ffa4ec4f91..53d6a75300184f80d804356471a881d4d7662cca 100755 (executable)
--- a/scripts/named-conf
+++ b/scripts/named-conf
@@ -73,6 +73,7 @@ use vars qw($quis $stdout_fh $stderr_fh
            $progress_fh $warn_fh $modifiers
            %group2modcmd %group2used);
 
            $progress_fh $warn_fh $modifiers
            %group2modcmd %group2used);
 

+$|=1;

 $quis= $0; $quis =~ s,.*/,,;
 
 $mode= '';
 $quis= $0; $quis =~ s,.*/,,;
 
 $mode= '';


@@ -185,8 +186,9 @@ $slave_dir= 'slave';
 $slave_prefix= '';
 $slave_suffix= '';
 
 $slave_prefix= '';
 $slave_suffix= '';
 

-use vars qw(@self_ns @self_soa @self_addr @forbid_addr @conv_glueless);
-@self_ns= @self_soa= @self_addr= @forbid_addr= ();
+use vars qw(@self_ns @self_soa @self_addr @forbid_addr @forbid_slave
+           @conv_glueless @indirect_glue);
+@self_ns= @self_soa= @self_addr= @forbid_addr= @forbid_slave= @indirect_glue= ();

 @conv_glueless= qw(in-addr.arpa ip6.arpa ip6.int);
 
 use vars qw(%zone_cfg @zone_cfg_list);
 @conv_glueless= qw(in-addr.arpa ip6.arpa ip6.int);
 
 use vars qw(%zone_cfg @zone_cfg_list);


@@ -244,10 +246,14 @@ sub read_config ($) {
            @self_soa= @self if $1 ne '-ns';
        } elsif (m/^serverless\-glueless\s+(\S.*\S)/) {
            @conv_glueless= split /\s+/, $1;
            @self_soa= @self if $1 ne '-ns';
        } elsif (m/^serverless\-glueless\s+(\S.*\S)/) {
            @conv_glueless= split /\s+/, $1;

+       } elsif (m/^allow\-indirect\-glue\s+(\S.*\S)/) {
+           @indirect_glue= split /\s+/, $1;

        } elsif (m/^self\-addr\s+([0-9. \t]+)/) {
            @self_addr= split /\s+/, $1;
        } elsif (m/^forbid\-addr(?:\s+([0-9. \t]+))?/) {
            @forbid_addr= defined $1 ? split /\s+/, $1 : ();
        } elsif (m/^self\-addr\s+([0-9. \t]+)/) {
            @self_addr= split /\s+/, $1;
        } elsif (m/^forbid\-addr(?:\s+([0-9. \t]+))?/) {
            @forbid_addr= defined $1 ? split /\s+/, $1 : ();

+       } elsif (m/^forbid\-slave(?:\s+([0-9. \t]+))?/) {
+           @forbid_slave= defined $1 ? split /\s+/, $1 : ();

        } elsif (m,^
                 primary\-dir (\W*)
                 \s+ (\S+)/([^/ \t]*)
        } elsif (m,^
                 primary\-dir (\W*)
                 \s+ (\S+)/([^/ \t]*)


@@ -372,7 +378,8 @@ sub zone_conf ($$$$$@) {
        $zone_cfg{$zone}{'maildir'}= qualify($mail_state_dir);
        $zone_cfg{$zone}{'mailmwarn'}= $mail_max_warnfreq;
     }
        $zone_cfg{$zone}{'maildir'}= qualify($mail_state_dir);
        $zone_cfg{$zone}{'mailmwarn'}= $mail_max_warnfreq;
     }

-    foreach $sfx (qw(self_soa self_ns self_addr forbid_addr conv_glueless)) {
+    foreach $sfx (qw(self_soa self_ns self_addr forbid_addr forbid_slave
+                    conv_glueless indirect_glue)) {

        { no strict 'refs'; $aref= [ @$sfx ]; }
        @$aref or cfg_fail("failed to specify $sfx before zone")
            if $sfx =~ m/^self/;
        { no strict 'refs'; $aref= [ @$sfx ]; }
        @$aref or cfg_fail("failed to specify $sfx before zone")
            if $sfx =~ m/^self/;


@@ -452,7 +459,7 @@ sub process_zones (@) {
 use vars qw(%delgs); # $delgs{$nameserver_list} = [ $whosaidandwhy ]
 use vars qw(%auths); # $auths{$nameserver_list} = [ $whosaidandwhy ]
 use vars qw(%glue);  # $glue{$name}{$addr_list} = [ $whosaidandwhy ]
 use vars qw(%delgs); # $delgs{$nameserver_list} = [ $whosaidandwhy ]
 use vars qw(%auths); # $auths{$nameserver_list} = [ $whosaidandwhy ]
 use vars qw(%glue);  # $glue{$name}{$addr_list} = [ $whosaidandwhy ]

-use vars qw(%soas);  # $soa{"$serial $origin"} = [ $whosaidandwhy ]
+use vars qw(%soas);  # $soa{"$serial $mname"} = [ $whosaidandwhy ]

 use vars qw(%addr_is_ok %warned);
 use vars qw($delg_to_us);
 use vars qw(@to_check); # ($addr,$whyask,$name_if_auth,$glueless_ok, ...)
 use vars qw(%addr_is_ok %warned);
 use vars qw($delg_to_us);
 use vars qw(@to_check); # ($addr,$whyask,$name_if_auth,$glueless_ok, ...)


@@ -570,9 +577,14 @@ sub zone_check_nsrrset ($$$$) {
        @glue= @{ $s2g{$s} };
        if (!@glue) {
            zone_warning("glueless NS $s", $ww)
        @glue= @{ $s2g{$s} };
        if (!@glue) {
            zone_warning("glueless NS $s", $ww)

-               unless $glueless_ok || zone_style('~',!$needglue) || 
-                      grep { has_suffix_of($zone,".$_"); }
-                          @{ $cfg->{'conv_glueless'} };
+               unless $glueless_ok
+                    or zone_style('~',!$needglue)
+                   or grep { has_suffix_of($zone,".$_"); }
+                          @{ $cfg->{'conv_glueless'} }
+                   or ((grep { has_suffix_of($s,".$_"); }
+                          @{ $cfg->{'indirect_glue'} }) and
+                        !(grep { has_suffix_of($zone,".$_"); }
+                          @{ $cfg->{'indirect_glue'} }));

            ($rcode,@glue)= lookup($s,'a','0',"glueless NS from $ww");
            foreach $a (@glue) {
                $wwn= "glueless NS from $ww";
            ($rcode,@glue)= lookup($s,'a','0',"glueless NS from $ww");
            foreach $a (@glue) {
                $wwn= "glueless NS from $ww";


@@ -612,11 +624,14 @@ sub zone_server_queue ($$$$$) {
 
 sub zone_server_addr ($$$$$) {
     my ($addr,$name,$ww,$wwq,$is_soa) = @_;
 
 sub zone_server_addr ($$$$$) {
     my ($addr,$name,$ww,$wwq,$is_soa) = @_;

-    debug_trace("zone_server_addr ".join '|',@_);
+    debug_trace("zone_server_addr ".join('|',@_));

     $addr_is_ok{$addr}= "$name ($wwq)"
        if $is_soa || $cfg->{'s'} =~ m/u/;
     zone_warning("forbidden nameserver address [$addr] $name",$ww)
        if grep { $_ eq $addr } @{ $cfg->{'forbid_addr'} };
     $addr_is_ok{$addr}= "$name ($wwq)"
        if $is_soa || $cfg->{'s'} =~ m/u/;
     zone_warning("forbidden nameserver address [$addr] $name",$ww)
        if grep { $_ eq $addr } @{ $cfg->{'forbid_addr'} };

+    zone_warning("forbidden server address for our slave [$addr] $name",$ww)
+       if $cfg->{'s'} =~ m/p/ and
+           grep { $_ eq $addr } @{ $cfg->{'forbid_slave'} };

 
     my ($name_is_self, $addr_is_self);
     $name_is_self= grep { $_ eq $name }
 
     my ($name_is_self, $addr_is_self);
     $name_is_self= grep { $_ eq $name }


@@ -634,7 +649,7 @@ sub zone_server_addr ($$$$$) {
     }
     if (!$name_is_self && !$addr_is_self &&
        $is_soa && $cfg->{'s'} =~ m/p/) {
     }
     if (!$name_is_self && !$addr_is_self &&
        $is_soa && $cfg->{'s'} =~ m/p/) {

-       zone_warning("SOA ORIGIN $name is not us (".
+       zone_warning("SOA MNAME $name is not us (".

                     (join ' ', @{ $cfg->{'self_soa'} }).")", $ww);
     }
     $delg_to_us=1 if $addr_is_self && !$is_soa;
                     (join ' ', @{ $cfg->{'self_soa'} }).")", $ww);
     }
     $delg_to_us=1 if $addr_is_self && !$is_soa;


@@ -642,7 +657,7 @@ sub zone_server_addr ($$$$$) {
 
 sub zone_check_soa ($$$$) {
     my ($uaddr,$wa,$name,$is_ns) = @_;
 
 sub zone_check_soa ($$$$) {
     my ($uaddr,$wa,$name,$is_ns) = @_;

-    my ($lame,$serial,$origin,$got,$rcode,@soa_addrs,$soa_addr,$ww,$wwn);
+    my ($lame,$serial,$mname,$got,$rcode,@soa_addrs,$soa_addr,$ww,$wwn);

     verbose("checking service at [$uaddr] $name");
     $lame= 'dead or lame';
     $ww= "[$uaddr] $wa";
     verbose("checking service at [$uaddr] $name");
     $lame= 'dead or lame';
     $ww= "[$uaddr] $wa";


@@ -650,34 +665,34 @@ sub zone_check_soa ($$$$) {
        if ($dig_type eq 'flags:') {
            $lame= $dig_rdata =~ m/ aa / ? '' : 'lame';
        } elsif ($dig_type eq 'soa' && $dig_owner eq $zone && !$lame) {
        if ($dig_type eq 'flags:') {
            $lame= $dig_rdata =~ m/ aa / ? '' : 'lame';
        } elsif ($dig_type eq 'soa' && $dig_owner eq $zone && !$lame) {

-           die "several SOAs ? $ww" if defined $origin;
+           die "several SOAs ? $ww" if defined $mname;

            $got= $dig_rdata;
            $got =~ m/^(\d+) (\S+)$/ or die "$got ?";
            $got= $dig_rdata;
            $got =~ m/^(\d+) (\S+)$/ or die "$got ?";

-           ($serial,$origin) = ($1,$2);
+           ($serial,$mname) = ($1,$2);

        }
     },
             $zone,'soa',$uaddr);
        }
     },
             $zone,'soa',$uaddr);

-    $lame= 'broken' if !$lame && !defined $origin;
+    $lame= 'broken' if !$lame && !defined $mname;

     if ($lame) { zone_warning("$lame server [$uaddr]",$wa); return; }
     progress(2, sprintf "%-16s %46s has %s%s",
             $zone, "$name [$uaddr]", $serial, $is_ns ? '' : '*');
     push @{ $soas{$got} }, $ww;
     if ($lame) { zone_warning("$lame server [$uaddr]",$wa); return; }
     progress(2, sprintf "%-16s %46s has %s%s",
             $zone, "$name [$uaddr]", $serial, $is_ns ? '' : '*');
     push @{ $soas{$got} }, $ww;

-    ($rcode,@soa_addrs)= lookup($origin,'a','0',"SOA ORIGIN");
-    $wwn= "SOA ORIGIN from $ww";
+    ($rcode,@soa_addrs)= lookup($mname,'a','0',"SOA MNAME");
+    $wwn= "SOA MNAME from $ww";

     foreach $soa_addr (@soa_addrs) {
     foreach $soa_addr (@soa_addrs) {

-       zone_server_queue($soa_addr,$origin,$wwn,"SOA [$uaddr]",1);
+       zone_server_queue($soa_addr,$mname,$wwn,"SOA [$uaddr]",1);

     }
 }
 
 sub zone_consistency() {
     }
 }
 
 sub zone_consistency() {

-    my ($d, $org_ser, $origin, $a, $h, $self_soa, $wa);
+    my ($d, $org_ser, $mname, $a, $h, $self_soa, $wa);

     zone_consistency_set('delegations',\%delgs);
     foreach $d (keys %delgs) { delete $auths{$d}; }
     zone_consistency_set('zone nameserver rrset',\%auths);
     foreach $h (keys %glue) {
        zone_consistency_set("glue for $h", $glue{$h});
     }
     zone_consistency_set('delegations',\%delgs);
     foreach $d (keys %delgs) { delete $auths{$d}; }
     zone_consistency_set('zone nameserver rrset',\%auths);
     foreach $h (keys %glue) {
        zone_consistency_set("glue for $h", $glue{$h});
     }

-    zone_consistency_set("serial number and/or SOA ORIGIN",\%soas);
+    zone_consistency_set("serial number and/or SOA MNAME",\%soas);

     $self_soa= $cfg->{'self_soa'};
 }
 
     $self_soa= $cfg->{'self_soa'};
 }
 


@@ -721,7 +736,7 @@ sub zone_check_local () {
 }
 
 sub zone_servers_simplefind () {
 }
 
 sub zone_servers_simplefind () {

-    my ($rcode,@nsnames,$ns,@soas,$origin);
+    my ($rcode,@nsnames,$ns,@soas,$mname);

 
     ($rcode,@nsnames)= lookup($zone,'ns-','0',"zone's servers");
     foreach $ns (@nsnames) {
 
     ($rcode,@nsnames)= lookup($zone,'ns-','0',"zone's servers");
     foreach $ns (@nsnames) {


@@ -730,7 +745,7 @@ sub zone_servers_simplefind () {
     }
     $delgs{join ' ', sort @nsnames} = [ "zone's servers" ];
 
     }
     $delgs{join ' ', sort @nsnames} = [ "zone's servers" ];
 

-    ($rcode,@soas)= lookup($zone,'soa','0',"SOA ORIGIN");
+    ($rcode,@soas)= lookup($zone,'soa','0',"SOA MNAME");

     die "multiple SOA RRs in set!  @soas ?" if @soas!=1;
     $soas[0] =~ m/^(\S+)\s/ or die "SOA ? $_";
     zone_server_simple(domain_canon($1,"lookup $zone SOA"),'SOA',1);
     die "multiple SOA RRs in set!  @soas ?" if @soas!=1;
     $soas[0] =~ m/^(\S+)\s/ or die "SOA ? $_";
     zone_server_simple(domain_canon($1,"lookup $zone SOA"),'SOA',1);


@@ -740,7 +755,7 @@ sub zone_server_simple ($$$) {
     my ($name,$ww,$is_soa) = @_;
     my ($rcode,@addrs,$addr);
     ($rcode,@addrs)= lookup($name,'a','0', "server - ".
     my ($name,$ww,$is_soa) = @_;
     my ($rcode,@addrs,$addr);
     ($rcode,@addrs)= lookup($name,'a','0', "server - ".

-                           ($is_soa ? "SOA ORIGIN" : "NS"));
+                           ($is_soa ? "SOA MNAME" : "NS"));

     foreach $addr (@addrs) { zone_server_addr($addr,$name,$ww,$ww,$is_soa); }
 }
 
     foreach $addr (@addrs) { zone_server_addr($addr,$name,$ww,$ww,$is_soa); }
 }
 

diff --git a/scripts/named-conf.8 b/scripts/named-conf.8
index 724699489a982516d95a0a1b0bc4a1856792d85a..c72706e3ac629a7c637354e7b372bc46cc645875 100644 (file)
--- a/scripts/named-conf.8
+++ b/scripts/named-conf.8
@@ -174,6 +174,11 @@ option is specified.
 Specifies the list of addresses that are forbidden as any nameserver
 for any zone.  The default is no such addresses.
 .TP
 Specifies the list of addresses that are forbidden as any nameserver
 for any zone.  The default is no such addresses.
 .TP

+\fBforbid\-addr\fP [\fIip-address ...\fP]
+Specifies the list of addresses that are forbidden as a nameserver
+for a zone for which we are the primary - ie, the list of our old or
+to-be-obsoleted slaves.  The default is no such addresses.
+.TP

 \fBserverless\-glueless\fP \fIdomain ...\fP
 Specifies a list of domains under which we do not expect to find any
 nameservers; for these zones it is OK to find glueless referrals.
 \fBserverless\-glueless\fP \fIdomain ...\fP
 Specifies a list of domains under which we do not expect to find any
 nameservers; for these zones it is OK to find glueless referrals.


@@ -188,6 +193,28 @@ believes that only the reverse lookup namespaces are conventionally
 devoid of nameservers, and therefore fine to provide glueless
 referrals for.  See GLUELESSNESS below.
 .TP
 devoid of nameservers, and therefore fine to provide glueless
 referrals for.  See GLUELESSNESS below.
 .TP

+\fBallow-\-indirect\-glue\fP \fInameserver-superdomain ...\fP
+Specifies a list of domains under which we expect to find glueless
+nameservers, with up to one layer of indirection.
+For nameservers under these domains it is OK to to find glueless
+referrals, but only when listed as a nameserver for a zone which is
+not itself a subdomain of an \fBallow-indirect-glue\fR
+\fInameserver-superdomain\fR.
+
+This supports to common configuration style where DNS operator(s) set
+up all of their nameservers with names within a small subsection of
+the DNS (the portions under \fInameserver-superdomain\fRs), and
+provide glueless referrals naming these nameservers for all other
+zones.  This provides at most one level of missing glue.
+
+Note that if the DNS administrators collectively able to influence the
+service for some zone (including the admins for its superzones, the
+zones containing its nameservers, and their superzones and so forth)
+are not in sufficiently close communication do not all agree on the
+proper set of \fInameserver-superdomain\fR then they might still set
+up circular glue and \fBchiark-named-conf\fR would not necessarily be
+able to detect this even if it was run on every relevant nameserver.
+.TP

 \fBmail\-state\-dir\fP \fIdirectory\fP
 Uses
 .I directory
 \fBmail\-state\-dir\fP \fIdirectory\fP
 Uses
 .I directory