From 2002390578132e80664a3c08e840c0f987db2504 Mon Sep 17 00:00:00 2001
From: ianmdlvl
Date: Fri, 21 Sep 2007 22:28:25 +0000
Subject: [PATCH] * chiark-named-conf improvements:
 - set $|=1 to make output better with eg 2>&1 |less
 - new allow-indirect-glue directive
 - new forbid-slave directive
 - remove incorrect references to SOA ORIGIN - should be MNAME
---
 debian/changelog | 10 ++++++++
 scripts/named-conf | 57 ++++++++++++++++++++++++++++----------------
 scripts/named-conf.8 | 27 +++++++++++++++++++++
 3 files changed, 73 insertions(+), 21 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 34709a8..d0e3dfa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+chiark-utils (4.1.22) unstable; urgency=low
+
+ * chiark-named-conf improvements:
+ - set $|=1 to make output better with eg 2>&1 |less
+ - new allow-indirect-glue directive
+ - new forbid-slave directive
+ - remove incorrect references to SOA ORIGIN - should be MNAME
+
+ --
+
chiark-utils (4.1.21) unstable; urgency=low + * backup-snaprsync: pass -I to rsync when copying rsums.
diff --git a/scripts/named-conf b/scripts/named-conf
index 1f02e21..53d6a75 100755
--- a/scripts/named-conf
+++ b/scripts/named-conf
@@ -73,6 +73,7 @@ use vars qw($quis $stdout_fh $stderr_fh $progress_fh $warn_fh
$modifiers %group2modcmd %group2used);
+$|=1;
$quis= $0; $quis =~ s,.*/,,;
$mode= '';
@@ -185,8 +186,9 @@ $slave_dir= 'slave';
$slave_prefix= '';
$slave_suffix= '';
-use vars qw(@self_ns @self_soa @self_addr @forbid_addr @conv_glueless);
-@self_ns= @self_soa= @self_addr= @forbid_addr= ();
+use vars qw(@self_ns @self_soa @self_addr @forbid_addr @forbid_slave
+ @conv_glueless @indirect_glue);
+@self_ns= @self_soa= @self_addr= @forbid_addr= @forbid_slave= @indirect_glue= ();
@conv_glueless= qw(in-addr.arpa ip6.arpa ip6.int);
use vars qw(%zone_cfg @zone_cfg_list);
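Review bot: `$|=1;` enables autoflush only on the handle selected at that moment (STDOUT), so output written through the separately named `$stdout_fh`, `$stderr_fh`, `$progress_fh` and `$warn_fh` in the `use vars` just above will still be block-buffered if those turn out to be distinct handles rather than aliases of STDOUT/STDERR, and the `2>&1 | less` interleaving the changelog promises would only be partly fixed; where those handles are opened is outside the hunk, so I cannot confirm which. If they are distinct, set autoflush at the point each is opened, e.g. `select((select($progress_fh), $|=1)[0]);`. Either way a why-comment on the new line would help the next reader: `# autoflush STDOUT so progress and warnings interleave sanely when piped (eg 2>&1 | less)`.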
@@ -244,10 +246,14 @@ sub read_config ($) {
@self_soa= @self if $1 ne '-ns';
} elsif (m/^serverless\-glueless\s+(\S.*\S)/) {
@conv_glueless= split /\s+/, $1;
+ } elsif (m/^allow\-indirect\-glue\s+(\S.*\S)/) {
+ @indirect_glue= split /\s+/, $1;
} elsif (m/^self\-addr\s+([0-9. \t]+)/) {
@self_addr= split /\s+/, $1;
} elsif (m/^forbid\-addr(?:\s+([0-9. \t]+))?/) {
@forbid_addr= defined $1 ? split /\s+/, $1 : ();
+ } elsif (m/^forbid\-slave(?:\s+([0-9. \t]+))?/) {
+ @forbid_slave= defined $1 ? split /\s+/, $1 : ();
} elsif (m,^ primary\-dir (\W*) \s+ (\S+)/([^/ \t]*)
@@ -372,7 +378,8 @@ sub zone_conf ($$$$$@) {
$zone_cfg{$zone}{'maildir'}= qualify($mail_state_dir);
$zone_cfg{$zone}{'mailmwarn'}= $mail_max_warnfreq;
}
- foreach $sfx (qw(self_soa self_ns self_addr forbid_addr conv_glueless)) {
+ foreach $sfx (qw(self_soa self_ns self_addr forbid_addr forbid_slave
+ conv_glueless indirect_glue)) {
{ no strict 'refs'; $aref= [ @$sfx ]; }
@$aref or cfg_fail("failed to specify $sfx before zone") if $sfx =~ m/^self/;
@@ -452,7 +459,7 @@ sub process_zones (@) {
use vars qw(%delgs); # $delgs{$nameserver_list} = [ $whosaidandwhy ]
use vars qw(%auths); # $auths{$nameserver_list} = [ $whosaidandwhy ]
use vars qw(%glue); # $glue{$name}{$addr_list} = [ $whosaidandwhy ]
-use vars qw(%soas); # $soa{"$serial $origin"} = [ $whosaidandwhy ]
+use vars qw(%soas); # $soa{"$serial $mname"} = [ $whosaidandwhy ]
use vars qw(%addr_is_ok %warned);
use vars qw($delg_to_us);
use vars qw(@to_check); # ($addr,$whyask,$name_if_auth,$glueless_ok, ...)
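Review bot: The new `forbid-slave` pattern is not anchored at the end, so `forbid-slave 10.0.0.1 bogus` silently keeps only `10.0.0.1` and a misspelling that merely begins with `forbid-slave` still matches; for a directive whose job is to flag retired slaves that silence is a real gap, and the same holds for the pre-existing `forbid-addr` branch it mirrors. Anchoring it, `} elsif (m/^forbid\-slave(?:\s+([0-9. \t]+))?\s*$/) {`, lets a malformed line fall through to whatever the unmatched-line branch does (that branch, and the rest of read_config, are outside the hunk). The `[0-9. \t]` class also means only IPv4 literals can be listed, which deserves a comment such as `# IPv4 literals only; IPv6 slaves cannot be listed here` if that is intended. Note too that the man page entry this commit adds for the directive is headed `forbid-addr` rather than `forbid-slave`, so a reader following it would configure the wrong directive.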
@@ -570,9 +577,14 @@ sub zone_check_nsrrset ($$$$) {
@glue= @{ $s2g{$s} };
if (!@glue) {
zone_warning("glueless NS $s", $ww)
- unless $glueless_ok || zone_style('~',!$needglue) ||
- grep { has_suffix_of($zone,".$_"); }
- @{ $cfg->{'conv_glueless'} };
+ unless $glueless_ok
+ or zone_style('~',!$needglue)
+ or grep { has_suffix_of($zone,".$_"); }
+ @{ $cfg->{'conv_glueless'} }
+ or ((grep { has_suffix_of($s,".$_"); }
+ @{ $cfg->{'indirect_glue'} }) and
+ !(grep { has_suffix_of($zone,".$_"); }
+ @{ $cfg->{'indirect_glue'} }));
($rcode,@glue)= lookup($s,'a','0',"glueless NS from $ww");
foreach $a (@glue) {
$wwn= "glueless NS from $ww";
@@ -612,11 +624,14 @@ sub zone_server_queue ($$$$$) {
sub zone_server_addr ($$$$$) {
my ($addr,$name,$ww,$wwq,$is_soa) = @_;
- debug_trace("zone_server_addr ".join '|',@_);
+ debug_trace("zone_server_addr ".join('|',@_));
$addr_is_ok{$addr}= "$name ($wwq)" if $is_soa || $cfg->{'s'} =~ m/u/;
zone_warning("forbidden nameserver address [$addr] $name",$ww) if grep { $_ eq $addr } @{ $cfg->{'forbid_addr'} };
+ zone_warning("forbidden server address for our slave [$addr] $name",$ww)
+ if $cfg->{'s'} =~ m/p/ and
+ grep { $_ eq $addr } @{ $cfg->{'forbid_slave'} };
my ($name_is_self, $addr_is_self);
$name_is_self= grep { $_ eq $name }
@@ -634,7 +649,7 @@ sub zone_server_addr ($$$$$) {
}
if (!$name_is_self && !$addr_is_self && $is_soa && $cfg->{'s'} =~ m/p/) {
- zone_warning("SOA ORIGIN $name is not us (".
+ zone_warning("SOA MNAME $name is not us (".
(join ' ', @{ $cfg->{'self_soa'} }).")", $ww);
}
$delg_to_us=1 if $addr_is_self && !$is_soa;
@@ -642,7 +657,7 @@ sub zone_server_addr ($$$$$) {
sub zone_check_soa ($$$$) {
my ($uaddr,$wa,$name,$is_ns) = @_;
- my ($lame,$serial,$origin,$got,$rcode,@soa_addrs,$soa_addr,$ww,$wwn);
+ my ($lame,$serial,$mname,$got,$rcode,@soa_addrs,$soa_addr,$ww,$wwn);
verbose("checking service at [$uaddr] $name");
$lame= 'dead or lame';
$ww= "[$uaddr] $wa";
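Review bot: The new indirect-glue exemption tests the zone only with `has_suffix_of($zone,".$_")`, so if that helper requires a proper suffix (it is not visible here) a zone that is itself one of the configured nameserver-superdomains — e.g. zone `ns.example.org` with `allow-indirect-glue ns.example.org` — does not count as being under it, and a glueless `a.ns.example.org` NS for that zone is accepted without warning; that is exactly the circular-glue case the directive is supposed to bound to one level of indirection, and the one the new man page text admits cannot always be caught. Unless has_suffix_of already treats equality as a match, extend the second grep to `!(grep { $zone eq $_ or has_suffix_of($zone,".$_"); } @{ $cfg->{'indirect_glue'} })`. A why-comment on the new clause would also help, e.g. `# tolerate glueless NS when the NS name lives under an indirect-glue superdomain and the zone itself does not (one level of indirection only)`. zone_check_nsrrset starts and ends outside the hunk.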
@@ -650,34 +665,34 @@ sub zone_check_soa ($$$$) {
if ($dig_type eq 'flags:') {
$lame= $dig_rdata =~ m/ aa / ? '' : 'lame';
} elsif ($dig_type eq 'soa' && $dig_owner eq $zone && !$lame) {
- die "several SOAs ? $ww" if defined $origin;
+ die "several SOAs ? $ww" if defined $mname;
$got= $dig_rdata;
$got =~ m/^(\d+) (\S+)$/ or die "$got ?";
- ($serial,$origin) = ($1,$2);
+ ($serial,$mname) = ($1,$2);
}
}, $zone,'soa',$uaddr);
- $lame= 'broken' if !$lame && !defined $origin;
+ $lame= 'broken' if !$lame && !defined $mname;
if ($lame) {
zone_warning("$lame server [$uaddr]",$wa);
return;
}
progress(2, sprintf "%-16s %46s has %s%s", $zone, "$name [$uaddr]", $serial, $is_ns ? '' : '*');
push @{ $soas{$got} }, $ww;
- ($rcode,@soa_addrs)= lookup($origin,'a','0',"SOA ORIGIN");
- $wwn= "SOA ORIGIN from $ww";
+ ($rcode,@soa_addrs)= lookup($mname,'a','0',"SOA MNAME");
+ $wwn= "SOA MNAME from $ww";
foreach $soa_addr (@soa_addrs) {
- zone_server_queue($soa_addr,$origin,$wwn,"SOA [$uaddr]",1);
+ zone_server_queue($soa_addr,$mname,$wwn,"SOA [$uaddr]",1);
}
}
sub zone_consistency() {
- my ($d, $org_ser, $origin, $a, $h, $self_soa, $wa);
+ my ($d, $org_ser, $mname, $a, $h, $self_soa, $wa);
zone_consistency_set('delegations',\%delgs);
foreach $d (keys %delgs) { delete $auths{$d}; }
zone_consistency_set('zone nameserver rrset',\%auths);
foreach $h (keys %glue) { zone_consistency_set("glue for $h", $glue{$h}); }
- zone_consistency_set("serial number and/or SOA ORIGIN",\%soas);
+ zone_consistency_set("serial number and/or SOA MNAME",\%soas);
$self_soa= $cfg->{'self_soa'};
}
@@ -721,7 +736,7 @@ sub zone_check_local () {
}
sub zone_servers_simplefind () {
- my ($rcode,@nsnames,$ns,@soas,$origin);
+ my ($rcode,@nsnames,$ns,@soas,$mname);
($rcode,@nsnames)= lookup($zone,'ns-','0',"zone's servers");
foreach $ns (@nsnames) {
@@ -730,7 +745,7 @@ sub zone_servers_simplefind () {
}
$delgs{join ' ', sort @nsnames} = [ "zone's servers" ];
- ($rcode,@soas)= lookup($zone,'soa','0',"SOA ORIGIN");
+ ($rcode,@soas)= lookup($zone,'soa','0',"SOA MNAME");
die "multiple SOA RRs in set! @soas ?" if @soas!=1;
$soas[0] =~ m/^(\S+)\s/ or die "SOA ? $_";
zone_server_simple(domain_canon($1,"lookup $zone SOA"),'SOA',1);
@@ -740,7 +755,7 @@ sub zone_server_simple ($$$) {
my ($name,$ww,$is_soa) = @_;
my ($rcode,@addrs,$addr);
($rcode,@addrs)= lookup($name,'a','0', "server - ".
- ($is_soa ? "SOA ORIGIN" : "NS"));
+ ($is_soa ? "SOA MNAME" : "NS"));
foreach $addr (@addrs) { zone_server_addr($addr,$name,$ww,$ww,$is_soa); }
}
diff --git a/scripts/named-conf.8 b/scripts/named-conf.8
index 7246994..c72706e 100644
--- a/scripts/named-conf.8
+++ b/scripts/named-conf.8
@@ -174,6 +174,11 @@ option is specified.
Specifies the list of addresses that are forbidden as any nameserver
for any zone. The default is no such addresses.
.TP
+\fBforbid\-addr\fP [\fIip-address ...\fP]
+Specifies the list of addresses that are forbidden as a nameserver
+for a zone for which we are the primary - ie, the list of our old or
+to-be-obsoleted slaves. The default is no such addresses.
+.TP
\fBserverless\-glueless\fP \fIdomain ...\fP
Specifies a list of domains under which we do not expect to find any
nameservers; for these zones it is OK to find glueless referrals.
@@ -188,6 +193,28 @@ believes that only the reverse lookup namespaces are conventionally
devoid of nameservers, and therefore fine to provide glueless
referrals for. See GLUELESSNESS below.
.TP
+\fBallow-\-indirect\-glue\fP \fInameserver-superdomain ...\fP
+Specifies a list of domains under which we expect to find glueless
+nameservers, with up to one layer of indirection.
+For nameservers under these domains it is OK to to find glueless
+referrals, but only when listed as a nameserver for a zone which is
+not itself a subdomain of an \fBallow-indirect-glue\fR
+\fInameserver-superdomain\fR.
+
+This supports to common configuration style where DNS operator(s) set
+up all of their nameservers with names within a small subsection of
+the DNS (the portions under \fInameserver-superdomain\fRs), and
+provide glueless referrals naming these nameservers for all other
+zones. This provides at most one level of missing glue.
+
+Note that if the DNS administrators collectively able to influence the
+service for some zone (including the admins for its superzones, the
+zones containing its nameservers, and their superzones and so forth)
+are not in sufficiently close communication do not all agree on the
+proper set of \fInameserver-superdomain\fR then they might still set
+up circular glue and \fBchiark-named-conf\fR would not necessarily be
+able to detect this even if it was run on every relevant nameserver.
+.TP
\fBmail\-state\-dir\fP \fIdirectory\fP
Uses
.I directory
--
2.30.2