bin/named/server.c

135446Strhodes/*
262706Serwin * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
135446Strhodes * Copyright (C) 1999-2003  Internet Software Consortium.
135446Strhodes *
174187Sdougb * Permission to use, copy, modify, and/or distribute this software for any
135446Strhodes * purpose with or without fee is hereby granted, provided that the above
135446Strhodes * copyright notice and this permission notice appear in all copies.
135446Strhodes *
135446Strhodes * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
135446Strhodes * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
135446Strhodes * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
135446Strhodes * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
135446Strhodes * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
135446Strhodes * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
135446Strhodes * PERFORMANCE OF THIS SOFTWARE.
135446Strhodes */
135446Strhodes
254897Serwin/* $Id$ */
135446Strhodes
170222Sdougb/*! \file */
170222Sdougb
135446Strhodes#include <config.h>
135446Strhodes
135446Strhodes#include <stdlib.h>
186462Sdougb#include <unistd.h>
224092Sdougb#include <limits.h>
224092Sdougb#include <ctype.h>
224092Sdougb#include <sys/types.h>
224092Sdougb#include <sys/stat.h>
135446Strhodes
135446Strhodes#include <isc/app.h>
135446Strhodes#include <isc/base64.h>
135446Strhodes#include <isc/dir.h>
135446Strhodes#include <isc/entropy.h>
135446Strhodes#include <isc/file.h>
135446Strhodes#include <isc/hash.h>
254897Serwin#include <isc/hex.h>
193149Sdougb#include <isc/httpd.h>
135446Strhodes#include <isc/lex.h>
135446Strhodes#include <isc/parseint.h>
186462Sdougb#include <isc/portset.h>
135446Strhodes#include <isc/print.h>
254897Serwin#include <isc/refcount.h>
135446Strhodes#include <isc/resource.h>
224092Sdougb#include <isc/sha2.h>
186462Sdougb#include <isc/socket.h>
224092Sdougb#include <isc/stat.h>
193149Sdougb#include <isc/stats.h>
135446Strhodes#include <isc/stdio.h>
135446Strhodes#include <isc/string.h>
135446Strhodes#include <isc/task.h>
135446Strhodes#include <isc/timer.h>
135446Strhodes#include <isc/util.h>
193149Sdougb#include <isc/xml.h>
135446Strhodes
135446Strhodes#include <isccfg/namedconf.h>
135446Strhodes
135446Strhodes#include <bind9/check.h>
135446Strhodes
170222Sdougb#include <dns/acache.h>
135446Strhodes#include <dns/adb.h>
135446Strhodes#include <dns/cache.h>
135446Strhodes#include <dns/db.h>
135446Strhodes#include <dns/dispatch.h>
170222Sdougb#include <dns/dlz.h>
224092Sdougb#include <dns/dns64.h>
135446Strhodes#include <dns/forward.h>
135446Strhodes#include <dns/journal.h>
135446Strhodes#include <dns/keytable.h>
224092Sdougb#include <dns/keyvalues.h>
170222Sdougb#include <dns/lib.h>
135446Strhodes#include <dns/master.h>
135446Strhodes#include <dns/masterdump.h>
135446Strhodes#include <dns/order.h>
135446Strhodes#include <dns/peer.h>
135446Strhodes#include <dns/portlist.h>
254897Serwin#include <dns/private.h>
193149Sdougb#include <dns/rbt.h>
135446Strhodes#include <dns/rdataclass.h>
262706Serwin#include <dns/rdatalist.h>
135446Strhodes#include <dns/rdataset.h>
135446Strhodes#include <dns/rdatastruct.h>
135446Strhodes#include <dns/resolver.h>
135446Strhodes#include <dns/rootns.h>
135446Strhodes#include <dns/secalg.h>
262706Serwin#include <dns/soa.h>
135446Strhodes#include <dns/stats.h>
135446Strhodes#include <dns/tkey.h>
193149Sdougb#include <dns/tsig.h>
135446Strhodes#include <dns/view.h>
135446Strhodes#include <dns/zone.h>
135446Strhodes#include <dns/zt.h>
135446Strhodes
135446Strhodes#include <dst/dst.h>
135446Strhodes#include <dst/result.h>
135446Strhodes
135446Strhodes#include <named/client.h>
135446Strhodes#include <named/config.h>
135446Strhodes#include <named/control.h>
135446Strhodes#include <named/interfacemgr.h>
135446Strhodes#include <named/log.h>
135446Strhodes#include <named/logconf.h>
135446Strhodes#include <named/lwresd.h>
135446Strhodes#include <named/main.h>
135446Strhodes#include <named/os.h>
135446Strhodes#include <named/server.h>
193149Sdougb#include <named/statschannel.h>
135446Strhodes#include <named/tkeyconf.h>
135446Strhodes#include <named/tsigconf.h>
135446Strhodes#include <named/zoneconf.h>
153816Sdougb#ifdef HAVE_LIBSCF
153816Sdougb#include <named/ns_smf_globals.h>
153816Sdougb#include <stdlib.h>
153816Sdougb#endif
135446Strhodes
224092Sdougb#ifndef PATH_MAX
224092Sdougb#define PATH_MAX 1024
224092Sdougb#endif
224092Sdougb
254897Serwin#ifndef SIZE_MAX
254897Serwin#define SIZE_MAX ((size_t)-1)
254897Serwin#endif
254897Serwin
170222Sdougb/*%
135446Strhodes * Check an operation for failure.  Assumes that the function
135446Strhodes * using it has a 'result' variable and a 'cleanup' label.
135446Strhodes */
135446Strhodes#define CHECK(op) \
193149Sdougb	do { result = (op);					 \
193149Sdougb	       if (result != ISC_R_SUCCESS) goto cleanup;	 \
135446Strhodes	} while (0)
135446Strhodes
135446Strhodes#define CHECKM(op, msg) \
193149Sdougb	do { result = (op);					  \
135446Strhodes	       if (result != ISC_R_SUCCESS) {			  \
135446Strhodes			isc_log_write(ns_g_lctx,		  \
135446Strhodes				      NS_LOGCATEGORY_GENERAL,	  \
135446Strhodes				      NS_LOGMODULE_SERVER,	  \
135446Strhodes				      ISC_LOG_ERROR,		  \
135446Strhodes				      "%s: %s", msg,		  \
135446Strhodes				      isc_result_totext(result)); \
135446Strhodes			goto cleanup;				  \
135446Strhodes		}						  \
135446Strhodes	} while (0)						  \
135446Strhodes
135446Strhodes#define CHECKMF(op, msg, file) \
193149Sdougb	do { result = (op);					  \
135446Strhodes	       if (result != ISC_R_SUCCESS) {			  \
135446Strhodes			isc_log_write(ns_g_lctx,		  \
135446Strhodes				      NS_LOGCATEGORY_GENERAL,	  \
135446Strhodes				      NS_LOGMODULE_SERVER,	  \
135446Strhodes				      ISC_LOG_ERROR,		  \
135446Strhodes				      "%s '%s': %s", msg, file,	  \
135446Strhodes				      isc_result_totext(result)); \
135446Strhodes			goto cleanup;				  \
135446Strhodes		}						  \
135446Strhodes	} while (0)						  \
135446Strhodes
135446Strhodes#define CHECKFATAL(op, msg) \
193149Sdougb	do { result = (op);					  \
135446Strhodes	       if (result != ISC_R_SUCCESS)			  \
135446Strhodes			fatal(msg, result);			  \
135446Strhodes	} while (0)						  \
135446Strhodes
224092Sdougb/*%
224092Sdougb * Maximum ADB size for views that share a cache.  Use this limit to suppress
224092Sdougb * the total of memory footprint, which should be the main reason for sharing
224092Sdougb * a cache.  Only effective when a finite max-cache-size is specified.
224092Sdougb * This is currently defined to be 8MB.
224092Sdougb */
254402Serwin#define MAX_ADB_SIZE_FOR_CACHESHARE	8388608U
224092Sdougb
135446Strhodesstruct ns_dispatch {
135446Strhodes	isc_sockaddr_t			addr;
135446Strhodes	unsigned int			dispatchgen;
135446Strhodes	dns_dispatch_t			*dispatch;
135446Strhodes	ISC_LINK(struct ns_dispatch)	link;
135446Strhodes};
135446Strhodes
224092Sdougbstruct ns_cache {
224092Sdougb	dns_cache_t			*cache;
224092Sdougb	dns_view_t			*primaryview;
224092Sdougb	isc_boolean_t			needflush;
224092Sdougb	isc_boolean_t			adbsizeadjusted;
224092Sdougb	ISC_LINK(ns_cache_t)		link;
224092Sdougb};
224092Sdougb
135446Strhodesstruct dumpcontext {
135446Strhodes	isc_mem_t			*mctx;
135446Strhodes	isc_boolean_t			dumpcache;
135446Strhodes	isc_boolean_t			dumpzones;
135446Strhodes	FILE				*fp;
135446Strhodes	ISC_LIST(struct viewlistentry)	viewlist;
135446Strhodes	struct viewlistentry		*view;
135446Strhodes	struct zonelistentry		*zone;
135446Strhodes	dns_dumpctx_t			*mdctx;
135446Strhodes	dns_db_t			*db;
135446Strhodes	dns_db_t			*cache;
135446Strhodes	isc_task_t			*task;
135446Strhodes	dns_dbversion_t			*version;
135446Strhodes};
135446Strhodes
135446Strhodesstruct viewlistentry {
135446Strhodes	dns_view_t			*view;
135446Strhodes	ISC_LINK(struct viewlistentry)	link;
135446Strhodes	ISC_LIST(struct zonelistentry)	zonelist;
135446Strhodes};
135446Strhodes
135446Strhodesstruct zonelistentry {
135446Strhodes	dns_zone_t			*zone;
135446Strhodes	ISC_LINK(struct zonelistentry)	link;
135446Strhodes};
135446Strhodes
224092Sdougb/*%
224092Sdougb * Configuration context to retain for each view that allows
225361Sdougb * new zones to be added at runtime.
224092Sdougb */
224092Sdougbstruct cfg_context {
224092Sdougb	isc_mem_t *			mctx;
225361Sdougb	cfg_parser_t *			parser;
224092Sdougb	cfg_obj_t *			config;
225361Sdougb	cfg_parser_t *			nzparser;
225361Sdougb	cfg_obj_t *			nzconfig;
225361Sdougb	cfg_aclconfctx_t *		actx;
224092Sdougb};
224092Sdougb
254897Serwin/*%
254897Serwin * Holds state information for the initial zone loading process.
254897Serwin * Uses the isc_refcount structure to count the number of views
254897Serwin * with pending zone loads, dereferencing as each view finishes.
254897Serwin */
254897Serwintypedef struct {
254897Serwin		ns_server_t *server;
254897Serwin		isc_refcount_t refs;
254897Serwin} ns_zoneload_t;
254897Serwin
170222Sdougb/*
170222Sdougb * These zones should not leak onto the Internet.
170222Sdougb */
254897Serwinconst char *empty_zones[] = {
170222Sdougb	/* RFC 1918 */
254897Serwin	"10.IN-ADDR.ARPA",
254897Serwin	"16.172.IN-ADDR.ARPA",
254897Serwin	"17.172.IN-ADDR.ARPA",
254897Serwin	"18.172.IN-ADDR.ARPA",
254897Serwin	"19.172.IN-ADDR.ARPA",
254897Serwin	"20.172.IN-ADDR.ARPA",
254897Serwin	"21.172.IN-ADDR.ARPA",
254897Serwin	"22.172.IN-ADDR.ARPA",
254897Serwin	"23.172.IN-ADDR.ARPA",
254897Serwin	"24.172.IN-ADDR.ARPA",
254897Serwin	"25.172.IN-ADDR.ARPA",
254897Serwin	"26.172.IN-ADDR.ARPA",
254897Serwin	"27.172.IN-ADDR.ARPA",
254897Serwin	"28.172.IN-ADDR.ARPA",
254897Serwin	"29.172.IN-ADDR.ARPA",
254897Serwin	"30.172.IN-ADDR.ARPA",
254897Serwin	"31.172.IN-ADDR.ARPA",
254897Serwin	"168.192.IN-ADDR.ARPA",
170222Sdougb
254402Serwin	/* RFC 6598 */
254897Serwin	"64.100.IN-ADDR.ARPA",
254897Serwin	"65.100.IN-ADDR.ARPA",
254897Serwin	"66.100.IN-ADDR.ARPA",
254897Serwin	"67.100.IN-ADDR.ARPA",
254897Serwin	"68.100.IN-ADDR.ARPA",
254897Serwin	"69.100.IN-ADDR.ARPA",
254897Serwin	"70.100.IN-ADDR.ARPA",
254897Serwin	"71.100.IN-ADDR.ARPA",
254897Serwin	"72.100.IN-ADDR.ARPA",
254897Serwin	"73.100.IN-ADDR.ARPA",
254897Serwin	"74.100.IN-ADDR.ARPA",
254897Serwin	"75.100.IN-ADDR.ARPA",
254897Serwin	"76.100.IN-ADDR.ARPA",
254897Serwin	"77.100.IN-ADDR.ARPA",
254897Serwin	"78.100.IN-ADDR.ARPA",
254897Serwin	"79.100.IN-ADDR.ARPA",
254897Serwin	"80.100.IN-ADDR.ARPA",
254897Serwin	"81.100.IN-ADDR.ARPA",
254897Serwin	"82.100.IN-ADDR.ARPA",
254897Serwin	"83.100.IN-ADDR.ARPA",
254897Serwin	"84.100.IN-ADDR.ARPA",
254897Serwin	"85.100.IN-ADDR.ARPA",
254897Serwin	"86.100.IN-ADDR.ARPA",
254897Serwin	"87.100.IN-ADDR.ARPA",
254897Serwin	"88.100.IN-ADDR.ARPA",
254897Serwin	"89.100.IN-ADDR.ARPA",
254897Serwin	"90.100.IN-ADDR.ARPA",
254897Serwin	"91.100.IN-ADDR.ARPA",
254897Serwin	"92.100.IN-ADDR.ARPA",
254897Serwin	"93.100.IN-ADDR.ARPA",
254897Serwin	"94.100.IN-ADDR.ARPA",
254897Serwin	"95.100.IN-ADDR.ARPA",
254897Serwin	"96.100.IN-ADDR.ARPA",
254897Serwin	"97.100.IN-ADDR.ARPA",
254897Serwin	"98.100.IN-ADDR.ARPA",
254897Serwin	"99.100.IN-ADDR.ARPA",
254897Serwin	"100.100.IN-ADDR.ARPA",
254897Serwin	"101.100.IN-ADDR.ARPA",
254897Serwin	"102.100.IN-ADDR.ARPA",
254897Serwin	"103.100.IN-ADDR.ARPA",
254897Serwin	"104.100.IN-ADDR.ARPA",
254897Serwin	"105.100.IN-ADDR.ARPA",
254897Serwin	"106.100.IN-ADDR.ARPA",
254897Serwin	"107.100.IN-ADDR.ARPA",
254897Serwin	"108.100.IN-ADDR.ARPA",
254897Serwin	"109.100.IN-ADDR.ARPA",
254897Serwin	"110.100.IN-ADDR.ARPA",
254897Serwin	"111.100.IN-ADDR.ARPA",
254897Serwin	"112.100.IN-ADDR.ARPA",
254897Serwin	"113.100.IN-ADDR.ARPA",
254897Serwin	"114.100.IN-ADDR.ARPA",
254897Serwin	"115.100.IN-ADDR.ARPA",
254897Serwin	"116.100.IN-ADDR.ARPA",
254897Serwin	"117.100.IN-ADDR.ARPA",
254897Serwin	"118.100.IN-ADDR.ARPA",
254897Serwin	"119.100.IN-ADDR.ARPA",
254897Serwin	"120.100.IN-ADDR.ARPA",
254897Serwin	"121.100.IN-ADDR.ARPA",
254897Serwin	"122.100.IN-ADDR.ARPA",
254897Serwin	"123.100.IN-ADDR.ARPA",
254897Serwin	"124.100.IN-ADDR.ARPA",
254897Serwin	"125.100.IN-ADDR.ARPA",
254897Serwin	"126.100.IN-ADDR.ARPA",
254897Serwin	"127.100.IN-ADDR.ARPA",
254402Serwin
218384Sdougb	/* RFC 5735 and RFC 5737 */
254897Serwin	"0.IN-ADDR.ARPA",	/* THIS NETWORK */
254897Serwin	"127.IN-ADDR.ARPA",	/* LOOPBACK */
254897Serwin	"254.169.IN-ADDR.ARPA",	/* LINK LOCAL */
254897Serwin	"2.0.192.IN-ADDR.ARPA",	/* TEST NET */
254897Serwin	"100.51.198.IN-ADDR.ARPA",	/* TEST NET 2 */
254897Serwin	"113.0.203.IN-ADDR.ARPA",	/* TEST NET 3 */
254897Serwin	"255.255.255.255.IN-ADDR.ARPA",	/* BROADCAST */
170222Sdougb
170222Sdougb	/* Local IPv6 Unicast Addresses */
254897Serwin	"0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA",
254897Serwin	"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA",
193149Sdougb	/* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
254897Serwin	"D.F.IP6.ARPA",
254897Serwin	"8.E.F.IP6.ARPA",	/* LINK LOCAL */
254897Serwin	"9.E.F.IP6.ARPA",	/* LINK LOCAL */
254897Serwin	"A.E.F.IP6.ARPA",	/* LINK LOCAL */
254897Serwin	"B.E.F.IP6.ARPA",	/* LINK LOCAL */
170222Sdougb
218384Sdougb	/* Example Prefix, RFC 3849. */
254897Serwin	"8.B.D.0.1.0.0.2.IP6.ARPA",
218384Sdougb
254897Serwin	NULL
170222Sdougb};
170222Sdougb
224092SdougbISC_PLATFORM_NORETURN_PRE static void
224092Sdougbfatal(const char *msg, isc_result_t result) ISC_PLATFORM_NORETURN_POST;
135446Strhodes
135446Strhodesstatic void
135446Strhodesns_server_reload(isc_task_t *task, isc_event_t *event);
135446Strhodes
135446Strhodesstatic isc_result_t
165071Sdougbns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
170222Sdougb			cfg_aclconfctx_t *actx,
135446Strhodes			isc_mem_t *mctx, ns_listenelt_t **target);
135446Strhodesstatic isc_result_t
165071Sdougbns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
170222Sdougb			 cfg_aclconfctx_t *actx,
135446Strhodes			 isc_mem_t *mctx, ns_listenlist_t **target);
135446Strhodes
135446Strhodesstatic isc_result_t
165071Sdougbconfigure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
165071Sdougb		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype);
135446Strhodes
135446Strhodesstatic isc_result_t
165071Sdougbconfigure_alternates(const cfg_obj_t *config, dns_view_t *view,
165071Sdougb		     const cfg_obj_t *alternates);
135446Strhodes
135446Strhodesstatic isc_result_t
165071Sdougbconfigure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
165071Sdougb	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
224092Sdougb	       cfg_aclconfctx_t *aclconf, isc_boolean_t added);
135446Strhodes
224092Sdougbstatic isc_result_t
224092Sdougbadd_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx);
224092Sdougb
135446Strhodesstatic void
135446Strhodesend_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
135446Strhodes
224092Sdougbstatic void
225361Sdougbnewzone_cfgctx_destroy(void **cfgp);
224092Sdougb
262706Serwinstatic isc_result_t
262706Serwinputstr(isc_buffer_t *b, const char *str);
262706Serwin
262706Serwinisc_result_t
262706Serwinadd_comment(FILE *fp, const char *viewname);
262706Serwin
170222Sdougb/*%
193149Sdougb * Configure a single view ACL at '*aclp'.  Get its configuration from
193149Sdougb * 'vconfig' (for per-view configuration) and maybe from 'config'
135446Strhodes */
135446Strhodesstatic isc_result_t
165071Sdougbconfigure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
224092Sdougb		   const char *aclname, const char *acltuplename,
224092Sdougb		   cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp)
135446Strhodes{
135446Strhodes	isc_result_t result;
165071Sdougb	const cfg_obj_t *maps[3];
165071Sdougb	const cfg_obj_t *aclobj = NULL;
135446Strhodes	int i = 0;
135446Strhodes
135446Strhodes	if (*aclp != NULL)
135446Strhodes		dns_acl_detach(aclp);
135446Strhodes	if (vconfig != NULL)
135446Strhodes		maps[i++] = cfg_tuple_get(vconfig, "options");
135446Strhodes	if (config != NULL) {
165071Sdougb		const cfg_obj_t *options = NULL;
135446Strhodes		(void)cfg_map_get(config, "options", &options);
135446Strhodes		if (options != NULL)
135446Strhodes			maps[i++] = options;
135446Strhodes	}
135446Strhodes	maps[i] = NULL;
135446Strhodes
165071Sdougb	(void)ns_config_get(maps, aclname, &aclobj);
135446Strhodes	if (aclobj == NULL)
135446Strhodes		/*
193149Sdougb		 * No value available.	*aclp == NULL.
135446Strhodes		 */
135446Strhodes		return (ISC_R_SUCCESS);
135446Strhodes
224092Sdougb	if (acltuplename != NULL) {
224092Sdougb		/*
224092Sdougb		 * If the ACL is given in an optional tuple, retrieve it.
224092Sdougb		 * The parser should have ensured that a valid object be
224092Sdougb		 * returned.
224092Sdougb		 */
224092Sdougb		aclobj = cfg_tuple_get(aclobj, acltuplename);
224092Sdougb	}
224092Sdougb
170222Sdougb	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
193149Sdougb				    actx, mctx, 0, aclp);
135446Strhodes
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
193149Sdougb/*%
193149Sdougb * Configure a sortlist at '*aclp'.  Essentially the same as
193149Sdougb * configure_view_acl() except it calls cfg_acl_fromconfig with a
193149Sdougb * nest_level value of 2.
193149Sdougb */
135446Strhodesstatic isc_result_t
193149Sdougbconfigure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
193149Sdougb			cfg_aclconfctx_t *actx, isc_mem_t *mctx,
193149Sdougb			dns_acl_t **aclp)
193149Sdougb{
193149Sdougb	isc_result_t result;
193149Sdougb	const cfg_obj_t *maps[3];
193149Sdougb	const cfg_obj_t *aclobj = NULL;
193149Sdougb	int i = 0;
193149Sdougb
193149Sdougb	if (*aclp != NULL)
193149Sdougb		dns_acl_detach(aclp);
193149Sdougb	if (vconfig != NULL)
193149Sdougb		maps[i++] = cfg_tuple_get(vconfig, "options");
193149Sdougb	if (config != NULL) {
193149Sdougb		const cfg_obj_t *options = NULL;
193149Sdougb		(void)cfg_map_get(config, "options", &options);
193149Sdougb		if (options != NULL)
193149Sdougb			maps[i++] = options;
193149Sdougb	}
193149Sdougb	maps[i] = NULL;
193149Sdougb
193149Sdougb	(void)ns_config_get(maps, "sortlist", &aclobj);
193149Sdougb	if (aclobj == NULL)
193149Sdougb		return (ISC_R_SUCCESS);
193149Sdougb
193149Sdougb	/*
193149Sdougb	 * Use a nest level of 3 for the "top level" of the sortlist;
193149Sdougb	 * this means each entry in the top three levels will be stored
193149Sdougb	 * as lists of separate, nested ACLs, rather than merged together
193149Sdougb	 * into IP tables as is usually done with ACLs.
193149Sdougb	 */
193149Sdougb	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
193149Sdougb				    actx, mctx, 3, aclp);
193149Sdougb
193149Sdougb	return (result);
193149Sdougb}
193149Sdougb
193149Sdougbstatic isc_result_t
224092Sdougbconfigure_view_nametable(const cfg_obj_t *vconfig, const cfg_obj_t *config,
224092Sdougb			 const char *confname, const char *conftuplename,
224092Sdougb			 isc_mem_t *mctx, dns_rbt_t **rbtp)
135446Strhodes{
224092Sdougb	isc_result_t result;
224092Sdougb	const cfg_obj_t *maps[3];
224092Sdougb	const cfg_obj_t *obj = NULL;
224092Sdougb	const cfg_listelt_t *element;
224092Sdougb	int i = 0;
224092Sdougb	dns_fixedname_t fixed;
224092Sdougb	dns_name_t *name;
224092Sdougb	isc_buffer_t b;
224092Sdougb	const char *str;
224092Sdougb	const cfg_obj_t *nameobj;
224092Sdougb
224092Sdougb	if (*rbtp != NULL)
224092Sdougb		dns_rbt_destroy(rbtp);
224092Sdougb	if (vconfig != NULL)
224092Sdougb		maps[i++] = cfg_tuple_get(vconfig, "options");
224092Sdougb	if (config != NULL) {
224092Sdougb		const cfg_obj_t *options = NULL;
224092Sdougb		(void)cfg_map_get(config, "options", &options);
224092Sdougb		if (options != NULL)
224092Sdougb			maps[i++] = options;
224092Sdougb	}
224092Sdougb	maps[i] = NULL;
224092Sdougb
224092Sdougb	(void)ns_config_get(maps, confname, &obj);
224092Sdougb	if (obj == NULL)
224092Sdougb		/*
224092Sdougb		 * No value available.	*rbtp == NULL.
224092Sdougb		 */
224092Sdougb		return (ISC_R_SUCCESS);
224092Sdougb
224092Sdougb	if (conftuplename != NULL) {
224092Sdougb		obj = cfg_tuple_get(obj, conftuplename);
224092Sdougb		if (cfg_obj_isvoid(obj))
224092Sdougb			return (ISC_R_SUCCESS);
224092Sdougb	}
224092Sdougb
224092Sdougb	result = dns_rbt_create(mctx, NULL, NULL, rbtp);
224092Sdougb	if (result != ISC_R_SUCCESS)
224092Sdougb		return (result);
224092Sdougb
224092Sdougb	dns_fixedname_init(&fixed);
224092Sdougb	name = dns_fixedname_name(&fixed);
224092Sdougb	for (element = cfg_list_first(obj);
224092Sdougb	     element != NULL;
224092Sdougb	     element = cfg_list_next(element)) {
224092Sdougb		nameobj = cfg_listelt_value(element);
224092Sdougb		str = cfg_obj_asstring(nameobj);
254402Serwin		isc_buffer_constinit(&b, str, strlen(str));
224092Sdougb		isc_buffer_add(&b, strlen(str));
224092Sdougb		CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
224092Sdougb		/*
224092Sdougb		 * We don't need the node data, but need to set dummy data to
224092Sdougb		 * avoid a partial match with an empty node.  For example, if
224092Sdougb		 * we have foo.example.com and bar.example.com, we'd get a match
224092Sdougb		 * for baz.example.com, which is not the expected result.
224092Sdougb		 * We simply use (void *)1 as the dummy data.
224092Sdougb		 */
224092Sdougb		result = dns_rbt_addname(*rbtp, name, (void *)1);
224092Sdougb		if (result != ISC_R_SUCCESS) {
224092Sdougb			cfg_obj_log(nameobj, ns_g_lctx, ISC_LOG_ERROR,
224092Sdougb				    "failed to add %s for %s: %s",
224092Sdougb				    str, confname, isc_result_totext(result));
224092Sdougb			goto cleanup;
224092Sdougb		}
224092Sdougb
224092Sdougb	}
224092Sdougb
224092Sdougb	return (result);
224092Sdougb
224092Sdougb  cleanup:
224092Sdougb	dns_rbt_destroy(rbtp);
224092Sdougb	return (result);
224092Sdougb
224092Sdougb}
224092Sdougb
224092Sdougbstatic isc_result_t
224092Sdougbdstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
224092Sdougb		  isc_boolean_t managed, dst_key_t **target, isc_mem_t *mctx)
224092Sdougb{
135446Strhodes	dns_rdataclass_t viewclass;
135446Strhodes	dns_rdata_dnskey_t keystruct;
135446Strhodes	isc_uint32_t flags, proto, alg;
165071Sdougb	const char *keystr, *keynamestr;
135446Strhodes	unsigned char keydata[4096];
135446Strhodes	isc_buffer_t keydatabuf;
135446Strhodes	unsigned char rrdata[4096];
135446Strhodes	isc_buffer_t rrdatabuf;
135446Strhodes	isc_region_t r;
135446Strhodes	dns_fixedname_t fkeyname;
135446Strhodes	dns_name_t *keyname;
135446Strhodes	isc_buffer_t namebuf;
135446Strhodes	isc_result_t result;
135446Strhodes	dst_key_t *dstkey = NULL;
135446Strhodes
224092Sdougb	INSIST(target != NULL && *target == NULL);
224092Sdougb
135446Strhodes	flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
135446Strhodes	proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
135446Strhodes	alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
135446Strhodes	keyname = dns_fixedname_name(&fkeyname);
135446Strhodes	keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
135446Strhodes
224092Sdougb	if (managed) {
224092Sdougb		const char *initmethod;
224092Sdougb		initmethod = cfg_obj_asstring(cfg_tuple_get(key, "init"));
224092Sdougb
224092Sdougb		if (strcasecmp(initmethod, "initial-key") != 0) {
224092Sdougb			cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
224092Sdougb				    "managed key '%s': "
224092Sdougb				    "invalid initialization method '%s'",
224092Sdougb				    keynamestr, initmethod);
224092Sdougb			result = ISC_R_FAILURE;
224092Sdougb			goto cleanup;
224092Sdougb		}
224092Sdougb	}
224092Sdougb
135446Strhodes	if (vconfig == NULL)
135446Strhodes		viewclass = dns_rdataclass_in;
135446Strhodes	else {
165071Sdougb		const cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
135446Strhodes		CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
135446Strhodes					 &viewclass));
135446Strhodes	}
135446Strhodes	keystruct.common.rdclass = viewclass;
135446Strhodes	keystruct.common.rdtype = dns_rdatatype_dnskey;
135446Strhodes	/*
135446Strhodes	 * The key data in keystruct is not dynamically allocated.
135446Strhodes	 */
135446Strhodes	keystruct.mctx = NULL;
135446Strhodes
135446Strhodes	ISC_LINK_INIT(&keystruct.common, link);
135446Strhodes
135446Strhodes	if (flags > 0xffff)
135446Strhodes		CHECKM(ISC_R_RANGE, "key flags");
135446Strhodes	if (proto > 0xff)
135446Strhodes		CHECKM(ISC_R_RANGE, "key protocol");
135446Strhodes	if (alg > 0xff)
135446Strhodes		CHECKM(ISC_R_RANGE, "key algorithm");
135446Strhodes	keystruct.flags = (isc_uint16_t)flags;
135446Strhodes	keystruct.protocol = (isc_uint8_t)proto;
135446Strhodes	keystruct.algorithm = (isc_uint8_t)alg;
135446Strhodes
135446Strhodes	isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
135446Strhodes	isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
135446Strhodes
135446Strhodes	keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
135446Strhodes	CHECK(isc_base64_decodestring(keystr, &keydatabuf));
135446Strhodes	isc_buffer_usedregion(&keydatabuf, &r);
135446Strhodes	keystruct.datalen = r.length;
135446Strhodes	keystruct.data = r.base;
135446Strhodes
170222Sdougb	if ((keystruct.algorithm == DST_ALG_RSASHA1 ||
170222Sdougb	     keystruct.algorithm == DST_ALG_RSAMD5) &&
170222Sdougb	    r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
170222Sdougb		cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
224092Sdougb			    "%s key '%s' has a weak exponent",
224092Sdougb			    managed ? "managed" : "trusted",
170222Sdougb			    keynamestr);
170222Sdougb
135446Strhodes	CHECK(dns_rdata_fromstruct(NULL,
135446Strhodes				   keystruct.common.rdclass,
135446Strhodes				   keystruct.common.rdtype,
135446Strhodes				   &keystruct, &rrdatabuf));
135446Strhodes	dns_fixedname_init(&fkeyname);
254402Serwin	isc_buffer_constinit(&namebuf, keynamestr, strlen(keynamestr));
135446Strhodes	isc_buffer_add(&namebuf, strlen(keynamestr));
224092Sdougb	CHECK(dns_name_fromtext(keyname, &namebuf, dns_rootname, 0, NULL));
135446Strhodes	CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
135446Strhodes			      mctx, &dstkey));
135446Strhodes
224092Sdougb	*target = dstkey;
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes
135446Strhodes cleanup:
135446Strhodes	if (result == DST_R_NOCRYPTO) {
135446Strhodes		cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
224092Sdougb			    "ignoring %s key for '%s': no crypto support",
224092Sdougb			    managed ? "managed" : "trusted",
135446Strhodes			    keynamestr);
224092Sdougb	} else if (result == DST_R_UNSUPPORTEDALG) {
224092Sdougb		cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
224092Sdougb			    "skipping %s key for '%s': %s",
224092Sdougb			    managed ? "managed" : "trusted",
224092Sdougb			    keynamestr, isc_result_totext(result));
135446Strhodes	} else {
135446Strhodes		cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
224092Sdougb			    "configuring %s key for '%s': %s",
224092Sdougb			    managed ? "managed" : "trusted",
135446Strhodes			    keynamestr, isc_result_totext(result));
135446Strhodes		result = ISC_R_FAILURE;
135446Strhodes	}
135446Strhodes
135446Strhodes	if (dstkey != NULL)
135446Strhodes		dst_key_free(&dstkey);
135446Strhodes
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
224092Sdougbstatic isc_result_t
224092Sdougbload_view_keys(const cfg_obj_t *keys, const cfg_obj_t *vconfig,
224092Sdougb	       dns_view_t *view, isc_boolean_t managed,
224092Sdougb	       dns_name_t *keyname, isc_mem_t *mctx)
224092Sdougb{
224092Sdougb	const cfg_listelt_t *elt, *elt2;
224092Sdougb	const cfg_obj_t *key, *keylist;
224092Sdougb	dst_key_t *dstkey = NULL;
224092Sdougb	isc_result_t result;
224092Sdougb	dns_keytable_t *secroots = NULL;
224092Sdougb
224092Sdougb	CHECK(dns_view_getsecroots(view, &secroots));
224092Sdougb
224092Sdougb	for (elt = cfg_list_first(keys);
224092Sdougb	     elt != NULL;
224092Sdougb	     elt = cfg_list_next(elt)) {
224092Sdougb		keylist = cfg_listelt_value(elt);
224092Sdougb
224092Sdougb		for (elt2 = cfg_list_first(keylist);
224092Sdougb		     elt2 != NULL;
224092Sdougb		     elt2 = cfg_list_next(elt2)) {
224092Sdougb			key = cfg_listelt_value(elt2);
224092Sdougb			result = dstkey_fromconfig(vconfig, key, managed,
224092Sdougb						   &dstkey, mctx);
224092Sdougb			if (result ==  DST_R_UNSUPPORTEDALG) {
224092Sdougb				result = ISC_R_SUCCESS;
224092Sdougb				continue;
224092Sdougb			}
224092Sdougb			if (result != ISC_R_SUCCESS)
224092Sdougb				goto cleanup;
224092Sdougb
224092Sdougb			/*
224092Sdougb			 * If keyname was specified, we only add that key.
224092Sdougb			 */
224092Sdougb			if (keyname != NULL &&
224092Sdougb			    !dns_name_equal(keyname, dst_key_name(dstkey)))
224092Sdougb			{
224092Sdougb				dst_key_free(&dstkey);
224092Sdougb				continue;
224092Sdougb			}
224092Sdougb
224092Sdougb			CHECK(dns_keytable_add(secroots, managed, &dstkey));
224092Sdougb		}
224092Sdougb	}
224092Sdougb
224092Sdougb cleanup:
224092Sdougb	if (dstkey != NULL)
224092Sdougb		dst_key_free(&dstkey);
224092Sdougb	if (secroots != NULL)
224092Sdougb		dns_keytable_detach(&secroots);
224092Sdougb	if (result == DST_R_NOCRYPTO)
224092Sdougb		result = ISC_R_SUCCESS;
224092Sdougb	return (result);
224092Sdougb}
224092Sdougb
170222Sdougb/*%
224092Sdougb * Configure DNSSEC keys for a view.
135446Strhodes *
135446Strhodes * The per-view configuration values and the server-global defaults are read
224092Sdougb * from 'vconfig' and 'config'.
135446Strhodes */
135446Strhodesstatic isc_result_t
224092Sdougbconfigure_view_dnsseckeys(dns_view_t *view, const cfg_obj_t *vconfig,
224092Sdougb			  const cfg_obj_t *config, const cfg_obj_t *bindkeys,
224092Sdougb			  isc_boolean_t auto_dlv, isc_boolean_t auto_root,
224092Sdougb			  isc_mem_t *mctx)
135446Strhodes{
224092Sdougb	isc_result_t result = ISC_R_SUCCESS;
224092Sdougb	const cfg_obj_t *view_keys = NULL;
224092Sdougb	const cfg_obj_t *global_keys = NULL;
224092Sdougb	const cfg_obj_t *view_managed_keys = NULL;
224092Sdougb	const cfg_obj_t *global_managed_keys = NULL;
224092Sdougb	const cfg_obj_t *maps[4];
165071Sdougb	const cfg_obj_t *voptions = NULL;
224092Sdougb	const cfg_obj_t *options = NULL;
224092Sdougb	const cfg_obj_t *obj = NULL;
224092Sdougb	const char *directory;
224092Sdougb	int i = 0;
135446Strhodes
224092Sdougb	/* We don't need trust anchors for the _bind view */
224092Sdougb	if (strcmp(view->name, "_bind") == 0 &&
224092Sdougb	    view->rdclass == dns_rdataclass_chaos) {
224092Sdougb		return (ISC_R_SUCCESS);
224092Sdougb	}
135446Strhodes
224092Sdougb	if (vconfig != NULL) {
135446Strhodes		voptions = cfg_tuple_get(vconfig, "options");
224092Sdougb		if (voptions != NULL) {
224092Sdougb			(void) cfg_map_get(voptions, "trusted-keys",
224092Sdougb					   &view_keys);
224092Sdougb			(void) cfg_map_get(voptions, "managed-keys",
224092Sdougb					   &view_managed_keys);
224092Sdougb			maps[i++] = voptions;
224092Sdougb		}
224092Sdougb	}
135446Strhodes
224092Sdougb	if (config != NULL) {
224092Sdougb		(void)cfg_map_get(config, "trusted-keys", &global_keys);
224092Sdougb		(void)cfg_map_get(config, "managed-keys", &global_managed_keys);
224092Sdougb		(void)cfg_map_get(config, "options", &options);
224092Sdougb		if (options != NULL) {
224092Sdougb			maps[i++] = options;
224092Sdougb		}
224092Sdougb	}
135446Strhodes
224092Sdougb	maps[i++] = ns_g_defaults;
224092Sdougb	maps[i] = NULL;
224092Sdougb
224092Sdougb	result = dns_view_initsecroots(view, mctx);
224092Sdougb	if (result != ISC_R_SUCCESS) {
224092Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
224092Sdougb			      "couldn't create keytable");
224092Sdougb		return (ISC_R_UNEXPECTED);
224092Sdougb	}
224092Sdougb
224092Sdougb	if (auto_dlv && view->rdclass == dns_rdataclass_in) {
224092Sdougb		const cfg_obj_t *builtin_keys = NULL;
224092Sdougb		const cfg_obj_t *builtin_managed_keys = NULL;
224092Sdougb
224092Sdougb		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
224092Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
224092Sdougb			      "using built-in DLV key for view %s",
224092Sdougb			      view->name);
224092Sdougb
224092Sdougb		/*
224092Sdougb		 * If bind.keys exists, it overrides the managed-keys
224092Sdougb		 * clause hard-coded in ns_g_config.
224092Sdougb		 */
224092Sdougb		if (bindkeys != NULL) {
224092Sdougb			(void)cfg_map_get(bindkeys, "trusted-keys",
224092Sdougb					  &builtin_keys);
224092Sdougb			(void)cfg_map_get(bindkeys, "managed-keys",
224092Sdougb					  &builtin_managed_keys);
224092Sdougb		} else {
224092Sdougb			(void)cfg_map_get(ns_g_config, "trusted-keys",
224092Sdougb					  &builtin_keys);
224092Sdougb			(void)cfg_map_get(ns_g_config, "managed-keys",
224092Sdougb					  &builtin_managed_keys);
135446Strhodes		}
224092Sdougb
224092Sdougb		if (builtin_keys != NULL)
224092Sdougb			CHECK(load_view_keys(builtin_keys, vconfig, view,
224092Sdougb					     ISC_FALSE, view->dlv, mctx));
224092Sdougb		if (builtin_managed_keys != NULL)
224092Sdougb			CHECK(load_view_keys(builtin_managed_keys, vconfig,
224092Sdougb					     view, ISC_TRUE, view->dlv, mctx));
135446Strhodes	}
135446Strhodes
224092Sdougb	if (auto_root && view->rdclass == dns_rdataclass_in) {
224092Sdougb		const cfg_obj_t *builtin_keys = NULL;
224092Sdougb		const cfg_obj_t *builtin_managed_keys = NULL;
186462Sdougb
224092Sdougb		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
224092Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
224092Sdougb			      "using built-in root key for view %s",
224092Sdougb			      view->name);
224092Sdougb
224092Sdougb		/*
224092Sdougb		 * If bind.keys exists, it overrides the managed-keys
224092Sdougb		 * clause hard-coded in ns_g_config.
224092Sdougb		 */
224092Sdougb		if (bindkeys != NULL) {
224092Sdougb			(void)cfg_map_get(bindkeys, "trusted-keys",
224092Sdougb					  &builtin_keys);
224092Sdougb			(void)cfg_map_get(bindkeys, "managed-keys",
224092Sdougb					  &builtin_managed_keys);
224092Sdougb		} else {
224092Sdougb			(void)cfg_map_get(ns_g_config, "trusted-keys",
224092Sdougb					  &builtin_keys);
224092Sdougb			(void)cfg_map_get(ns_g_config, "managed-keys",
224092Sdougb					  &builtin_managed_keys);
224092Sdougb		}
224092Sdougb
224092Sdougb		if (builtin_keys != NULL)
224092Sdougb			CHECK(load_view_keys(builtin_keys, vconfig, view,
224092Sdougb					     ISC_FALSE, dns_rootname, mctx));
224092Sdougb		if (builtin_managed_keys != NULL)
224092Sdougb			CHECK(load_view_keys(builtin_managed_keys, vconfig,
224092Sdougb					     view, ISC_TRUE, dns_rootname,
224092Sdougb					     mctx));
224092Sdougb	}
224092Sdougb
224092Sdougb	CHECK(load_view_keys(view_keys, vconfig, view, ISC_FALSE,
224092Sdougb			     NULL, mctx));
224092Sdougb	CHECK(load_view_keys(view_managed_keys, vconfig, view, ISC_TRUE,
224092Sdougb			     NULL, mctx));
224092Sdougb
224092Sdougb	if (view->rdclass == dns_rdataclass_in) {
224092Sdougb		CHECK(load_view_keys(global_keys, vconfig, view, ISC_FALSE,
224092Sdougb				     NULL, mctx));
224092Sdougb		CHECK(load_view_keys(global_managed_keys, vconfig, view,
224092Sdougb				     ISC_TRUE, NULL, mctx));
224092Sdougb	}
224092Sdougb
224092Sdougb	/*
224092Sdougb	 * Add key zone for managed-keys.
224092Sdougb	 */
224092Sdougb	obj = NULL;
224092Sdougb	(void)ns_config_get(maps, "managed-keys-directory", &obj);
254402Serwin	directory = (obj != NULL ? cfg_obj_asstring(obj) : NULL);
254402Serwin	if (directory != NULL)
254402Serwin		result = isc_file_isdirectory(directory);
254402Serwin	if (result != ISC_R_SUCCESS) {
254402Serwin		isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
254402Serwin			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
254402Serwin			      "invalid managed-keys-directory %s: %s",
254402Serwin			      directory, isc_result_totext(result));
254402Serwin		goto cleanup;
254402Serwin
254402Serwin	}
224092Sdougb	CHECK(add_keydata_zone(view, directory, ns_g_mctx));
224092Sdougb
224092Sdougb  cleanup:
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
224092Sdougbmustbesecure(const cfg_obj_t *mbs, dns_resolver_t *resolver) {
165071Sdougb	const cfg_listelt_t *element;
165071Sdougb	const cfg_obj_t *obj;
135446Strhodes	const char *str;
135446Strhodes	dns_fixedname_t fixed;
135446Strhodes	dns_name_t *name;
135446Strhodes	isc_boolean_t value;
135446Strhodes	isc_result_t result;
135446Strhodes	isc_buffer_t b;
186462Sdougb
135446Strhodes	dns_fixedname_init(&fixed);
135446Strhodes	name = dns_fixedname_name(&fixed);
135446Strhodes	for (element = cfg_list_first(mbs);
135446Strhodes	     element != NULL;
135446Strhodes	     element = cfg_list_next(element))
135446Strhodes	{
135446Strhodes		obj = cfg_listelt_value(element);
135446Strhodes		str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
254402Serwin		isc_buffer_constinit(&b, str, strlen(str));
135446Strhodes		isc_buffer_add(&b, strlen(str));
224092Sdougb		CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
135446Strhodes		value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
135446Strhodes		CHECK(dns_resolver_setmustbesecure(resolver, name, value));
135446Strhodes	}
135446Strhodes
135446Strhodes	result = ISC_R_SUCCESS;
186462Sdougb
135446Strhodes cleanup:
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
170222Sdougb/*%
135446Strhodes * Get a dispatch appropriate for the resolver of a given view.
135446Strhodes */
135446Strhodesstatic isc_result_t
165071Sdougbget_view_querysource_dispatch(const cfg_obj_t **maps,
186462Sdougb			      int af, dns_dispatch_t **dispatchp,
186462Sdougb			      isc_boolean_t is_firstview)
135446Strhodes{
225361Sdougb	isc_result_t result = ISC_R_FAILURE;
135446Strhodes	dns_dispatch_t *disp;
135446Strhodes	isc_sockaddr_t sa;
135446Strhodes	unsigned int attrs, attrmask;
165071Sdougb	const cfg_obj_t *obj = NULL;
186462Sdougb	unsigned int maxdispatchbuffers;
135446Strhodes
135446Strhodes	switch (af) {
135446Strhodes	case AF_INET:
135446Strhodes		result = ns_config_get(maps, "query-source", &obj);
135446Strhodes		INSIST(result == ISC_R_SUCCESS);
135446Strhodes		break;
135446Strhodes	case AF_INET6:
135446Strhodes		result = ns_config_get(maps, "query-source-v6", &obj);
135446Strhodes		INSIST(result == ISC_R_SUCCESS);
135446Strhodes		break;
135446Strhodes	default:
135446Strhodes		INSIST(0);
135446Strhodes	}
135446Strhodes
135446Strhodes	sa = *(cfg_obj_assockaddr(obj));
135446Strhodes	INSIST(isc_sockaddr_pf(&sa) == af);
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * If we don't support this address family, we're done!
135446Strhodes	 */
135446Strhodes	switch (af) {
135446Strhodes	case AF_INET:
135446Strhodes		result = isc_net_probeipv4();
135446Strhodes		break;
135446Strhodes	case AF_INET6:
135446Strhodes		result = isc_net_probeipv6();
135446Strhodes		break;
135446Strhodes	default:
135446Strhodes		INSIST(0);
135446Strhodes	}
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (ISC_R_SUCCESS);
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Try to find a dispatcher that we can share.
135446Strhodes	 */
135446Strhodes	attrs = 0;
135446Strhodes	attrs |= DNS_DISPATCHATTR_UDP;
135446Strhodes	switch (af) {
135446Strhodes	case AF_INET:
135446Strhodes		attrs |= DNS_DISPATCHATTR_IPV4;
135446Strhodes		break;
135446Strhodes	case AF_INET6:
135446Strhodes		attrs |= DNS_DISPATCHATTR_IPV6;
135446Strhodes		break;
135446Strhodes	}
186462Sdougb	if (isc_sockaddr_getport(&sa) == 0) {
186462Sdougb		attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
186462Sdougb		maxdispatchbuffers = 4096;
186462Sdougb	} else {
180477Sdougb		INSIST(obj != NULL);
186462Sdougb		if (is_firstview) {
186462Sdougb			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
186462Sdougb				    "using specific query-source port "
186462Sdougb				    "suppresses port randomization and can be "
186462Sdougb				    "insecure.");
186462Sdougb		}
186462Sdougb		maxdispatchbuffers = 1000;
180477Sdougb	}
180477Sdougb
135446Strhodes	attrmask = 0;
135446Strhodes	attrmask |= DNS_DISPATCHATTR_UDP;
135446Strhodes	attrmask |= DNS_DISPATCHATTR_TCP;
135446Strhodes	attrmask |= DNS_DISPATCHATTR_IPV4;
135446Strhodes	attrmask |= DNS_DISPATCHATTR_IPV6;
135446Strhodes
135446Strhodes	disp = NULL;
135446Strhodes	result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
135446Strhodes				     ns_g_taskmgr, &sa, 4096,
186462Sdougb				     maxdispatchbuffers, 32768, 16411, 16433,
135446Strhodes				     attrs, attrmask, &disp);
135446Strhodes	if (result != ISC_R_SUCCESS) {
135446Strhodes		isc_sockaddr_t any;
135446Strhodes		char buf[ISC_SOCKADDR_FORMATSIZE];
135446Strhodes
135446Strhodes		switch (af) {
135446Strhodes		case AF_INET:
135446Strhodes			isc_sockaddr_any(&any);
135446Strhodes			break;
135446Strhodes		case AF_INET6:
135446Strhodes			isc_sockaddr_any6(&any);
135446Strhodes			break;
135446Strhodes		}
135446Strhodes		if (isc_sockaddr_equal(&sa, &any))
135446Strhodes			return (ISC_R_SUCCESS);
135446Strhodes		isc_sockaddr_format(&sa, buf, sizeof(buf));
135446Strhodes		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
135446Strhodes			      "could not get query source dispatcher (%s)",
135446Strhodes			      buf);
135446Strhodes		return (result);
135446Strhodes	}
135446Strhodes
135446Strhodes	*dispatchp = disp;
135446Strhodes
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
165071Sdougbconfigure_order(dns_order_t *order, const cfg_obj_t *ent) {
135446Strhodes	dns_rdataclass_t rdclass;
135446Strhodes	dns_rdatatype_t rdtype;
165071Sdougb	const cfg_obj_t *obj;
135446Strhodes	dns_fixedname_t fixed;
135446Strhodes	unsigned int mode = 0;
135446Strhodes	const char *str;
135446Strhodes	isc_buffer_t b;
135446Strhodes	isc_result_t result;
143731Sdougb	isc_boolean_t addroot;
135446Strhodes
135446Strhodes	result = ns_config_getclass(cfg_tuple_get(ent, "class"),
135446Strhodes				    dns_rdataclass_any, &rdclass);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (result);
135446Strhodes
135446Strhodes	result = ns_config_gettype(cfg_tuple_get(ent, "type"),
135446Strhodes				   dns_rdatatype_any, &rdtype);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (result);
135446Strhodes
135446Strhodes	obj = cfg_tuple_get(ent, "name");
186462Sdougb	if (cfg_obj_isstring(obj))
135446Strhodes		str = cfg_obj_asstring(obj);
135446Strhodes	else
135446Strhodes		str = "*";
143731Sdougb	addroot = ISC_TF(strcmp(str, "*") == 0);
254402Serwin	isc_buffer_constinit(&b, str, strlen(str));
135446Strhodes	isc_buffer_add(&b, strlen(str));
135446Strhodes	dns_fixedname_init(&fixed);
135446Strhodes	result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
224092Sdougb				   dns_rootname, 0, NULL);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (result);
135446Strhodes
135446Strhodes	obj = cfg_tuple_get(ent, "ordering");
135446Strhodes	INSIST(cfg_obj_isstring(obj));
135446Strhodes	str = cfg_obj_asstring(obj);
135446Strhodes	if (!strcasecmp(str, "fixed"))
135446Strhodes		mode = DNS_RDATASETATTR_FIXEDORDER;
135446Strhodes	else if (!strcasecmp(str, "random"))
135446Strhodes		mode = DNS_RDATASETATTR_RANDOMIZE;
135446Strhodes	else if (!strcasecmp(str, "cyclic"))
135446Strhodes		mode = 0;
135446Strhodes	else
135446Strhodes		INSIST(0);
135446Strhodes
143731Sdougb	/*
143731Sdougb	 * "*" should match everything including the root (BIND 8 compat).
143731Sdougb	 * As dns_name_matcheswildcard(".", "*.") returns FALSE add a
165071Sdougb	 * explicit entry for "." when the name is "*".
143731Sdougb	 */
143731Sdougb	if (addroot) {
143731Sdougb		result = dns_order_add(order, dns_rootname,
143731Sdougb				       rdtype, rdclass, mode);
143731Sdougb		if (result != ISC_R_SUCCESS)
143731Sdougb			return (result);
143731Sdougb	}
143731Sdougb
135446Strhodes	return (dns_order_add(order, dns_fixedname_name(&fixed),
135446Strhodes			      rdtype, rdclass, mode));
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
165071Sdougbconfigure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
135446Strhodes	isc_netaddr_t na;
135446Strhodes	dns_peer_t *peer;
165071Sdougb	const cfg_obj_t *obj;
165071Sdougb	const char *str;
135446Strhodes	isc_result_t result;
170222Sdougb	unsigned int prefixlen;
135446Strhodes
170222Sdougb	cfg_obj_asnetprefix(cfg_map_getname(cpeer), &na, &prefixlen);
135446Strhodes
135446Strhodes	peer = NULL;
186462Sdougb	result = dns_peer_newprefix(mctx, &na, prefixlen, &peer);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (result);
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	(void)cfg_map_get(cpeer, "bogus", &obj);
135446Strhodes	if (obj != NULL)
135446Strhodes		CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	(void)cfg_map_get(cpeer, "provide-ixfr", &obj);
135446Strhodes	if (obj != NULL)
135446Strhodes		CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)));
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	(void)cfg_map_get(cpeer, "request-ixfr", &obj);
135446Strhodes	if (obj != NULL)
135446Strhodes		CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
135446Strhodes
135446Strhodes	obj = NULL;
193149Sdougb	(void)cfg_map_get(cpeer, "request-nsid", &obj);
193149Sdougb	if (obj != NULL)
193149Sdougb		CHECK(dns_peer_setrequestnsid(peer, cfg_obj_asboolean(obj)));
193149Sdougb
193149Sdougb	obj = NULL;
135446Strhodes	(void)cfg_map_get(cpeer, "edns", &obj);
135446Strhodes	if (obj != NULL)
135446Strhodes		CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
135446Strhodes
135446Strhodes	obj = NULL;
170222Sdougb	(void)cfg_map_get(cpeer, "edns-udp-size", &obj);
170222Sdougb	if (obj != NULL) {
170222Sdougb		isc_uint32_t udpsize = cfg_obj_asuint32(obj);
170222Sdougb		if (udpsize < 512)
170222Sdougb			udpsize = 512;
170222Sdougb		if (udpsize > 4096)
170222Sdougb			udpsize = 4096;
170222Sdougb		CHECK(dns_peer_setudpsize(peer, (isc_uint16_t)udpsize));
170222Sdougb	}
170222Sdougb
170222Sdougb	obj = NULL;
170222Sdougb	(void)cfg_map_get(cpeer, "max-udp-size", &obj);
170222Sdougb	if (obj != NULL) {
170222Sdougb		isc_uint32_t udpsize = cfg_obj_asuint32(obj);
170222Sdougb		if (udpsize < 512)
170222Sdougb			udpsize = 512;
170222Sdougb		if (udpsize > 4096)
170222Sdougb			udpsize = 4096;
170222Sdougb		CHECK(dns_peer_setmaxudp(peer, (isc_uint16_t)udpsize));
170222Sdougb	}
170222Sdougb
170222Sdougb	obj = NULL;
135446Strhodes	(void)cfg_map_get(cpeer, "transfers", &obj);
135446Strhodes	if (obj != NULL)
135446Strhodes		CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	(void)cfg_map_get(cpeer, "transfer-format", &obj);
135446Strhodes	if (obj != NULL) {
135446Strhodes		str = cfg_obj_asstring(obj);
135446Strhodes		if (strcasecmp(str, "many-answers") == 0)
135446Strhodes			CHECK(dns_peer_settransferformat(peer,
135446Strhodes							 dns_many_answers));
135446Strhodes		else if (strcasecmp(str, "one-answer") == 0)
135446Strhodes			CHECK(dns_peer_settransferformat(peer,
135446Strhodes							 dns_one_answer));
135446Strhodes		else
135446Strhodes			INSIST(0);
135446Strhodes	}
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	(void)cfg_map_get(cpeer, "keys", &obj);
135446Strhodes	if (obj != NULL) {
135446Strhodes		result = dns_peer_setkeybycharp(peer, cfg_obj_asstring(obj));
135446Strhodes		if (result != ISC_R_SUCCESS)
135446Strhodes			goto cleanup;
135446Strhodes	}
135446Strhodes
135446Strhodes	obj = NULL;
170222Sdougb	if (na.family == AF_INET)
135446Strhodes		(void)cfg_map_get(cpeer, "transfer-source", &obj);
135446Strhodes	else
135446Strhodes		(void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
135446Strhodes	if (obj != NULL) {
135446Strhodes		result = dns_peer_settransfersource(peer,
135446Strhodes						    cfg_obj_assockaddr(obj));
135446Strhodes		if (result != ISC_R_SUCCESS)
135446Strhodes			goto cleanup;
170222Sdougb		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
135446Strhodes	}
170222Sdougb
170222Sdougb	obj = NULL;
170222Sdougb	if (na.family == AF_INET)
170222Sdougb		(void)cfg_map_get(cpeer, "notify-source", &obj);
170222Sdougb	else
170222Sdougb		(void)cfg_map_get(cpeer, "notify-source-v6", &obj);
170222Sdougb	if (obj != NULL) {
170222Sdougb		result = dns_peer_setnotifysource(peer,
170222Sdougb						  cfg_obj_assockaddr(obj));
170222Sdougb		if (result != ISC_R_SUCCESS)
170222Sdougb			goto cleanup;
170222Sdougb		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
170222Sdougb	}
170222Sdougb
170222Sdougb	obj = NULL;
170222Sdougb	if (na.family == AF_INET)
170222Sdougb		(void)cfg_map_get(cpeer, "query-source", &obj);
170222Sdougb	else
170222Sdougb		(void)cfg_map_get(cpeer, "query-source-v6", &obj);
170222Sdougb	if (obj != NULL) {
170222Sdougb		result = dns_peer_setquerysource(peer,
170222Sdougb						 cfg_obj_assockaddr(obj));
170222Sdougb		if (result != ISC_R_SUCCESS)
170222Sdougb			goto cleanup;
170222Sdougb		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
170222Sdougb	}
170222Sdougb
135446Strhodes	*peerp = peer;
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes
135446Strhodes cleanup:
135446Strhodes	dns_peer_detach(&peer);
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
165071Sdougbdisable_algorithms(const cfg_obj_t *disabled, dns_resolver_t *resolver) {
135446Strhodes	isc_result_t result;
165071Sdougb	const cfg_obj_t *algorithms;
165071Sdougb	const cfg_listelt_t *element;
135446Strhodes	const char *str;
135446Strhodes	dns_fixedname_t fixed;
135446Strhodes	dns_name_t *name;
135446Strhodes	isc_buffer_t b;
135446Strhodes
135446Strhodes	dns_fixedname_init(&fixed);
135446Strhodes	name = dns_fixedname_name(&fixed);
135446Strhodes	str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
254402Serwin	isc_buffer_constinit(&b, str, strlen(str));
135446Strhodes	isc_buffer_add(&b, strlen(str));
224092Sdougb	CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
135446Strhodes
135446Strhodes	algorithms = cfg_tuple_get(disabled, "algorithms");
135446Strhodes	for (element = cfg_list_first(algorithms);
135446Strhodes	     element != NULL;
135446Strhodes	     element = cfg_list_next(element))
135446Strhodes	{
135446Strhodes		isc_textregion_t r;
135446Strhodes		dns_secalg_t alg;
135446Strhodes
165071Sdougb		DE_CONST(cfg_obj_asstring(cfg_listelt_value(element)), r.base);
135446Strhodes		r.length = strlen(r.base);
135446Strhodes
135446Strhodes		result = dns_secalg_fromtext(&alg, &r);
135446Strhodes		if (result != ISC_R_SUCCESS) {
135446Strhodes			isc_uint8_t ui;
135446Strhodes			result = isc_parse_uint8(&ui, r.base, 10);
135446Strhodes			alg = ui;
135446Strhodes		}
135446Strhodes		if (result != ISC_R_SUCCESS) {
135446Strhodes			cfg_obj_log(cfg_listelt_value(element),
135446Strhodes				    ns_g_lctx, ISC_LOG_ERROR,
135446Strhodes				    "invalid algorithm");
135446Strhodes			CHECK(result);
135446Strhodes		}
135446Strhodes		CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
135446Strhodes	}
135446Strhodes cleanup:
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
170222Sdougbstatic isc_boolean_t
170222Sdougbon_disable_list(const cfg_obj_t *disablelist, dns_name_t *zonename) {
170222Sdougb	const cfg_listelt_t *element;
170222Sdougb	dns_fixedname_t fixed;
170222Sdougb	dns_name_t *name;
170222Sdougb	isc_result_t result;
170222Sdougb	const cfg_obj_t *value;
170222Sdougb	const char *str;
170222Sdougb	isc_buffer_t b;
170222Sdougb
170222Sdougb	dns_fixedname_init(&fixed);
170222Sdougb	name = dns_fixedname_name(&fixed);
186462Sdougb
170222Sdougb	for (element = cfg_list_first(disablelist);
170222Sdougb	     element != NULL;
170222Sdougb	     element = cfg_list_next(element))
170222Sdougb	{
170222Sdougb		value = cfg_listelt_value(element);
170222Sdougb		str = cfg_obj_asstring(value);
254402Serwin		isc_buffer_constinit(&b, str, strlen(str));
170222Sdougb		isc_buffer_add(&b, strlen(str));
170222Sdougb		result = dns_name_fromtext(name, &b, dns_rootname,
224092Sdougb					   0, NULL);
170222Sdougb		RUNTIME_CHECK(result == ISC_R_SUCCESS);
170222Sdougb		if (dns_name_equal(name, zonename))
170222Sdougb			return (ISC_TRUE);
170222Sdougb	}
170222Sdougb	return (ISC_FALSE);
170222Sdougb}
170222Sdougb
262706Serwinstatic isc_result_t
262706Serwincheck_dbtype(dns_zone_t *zone, unsigned int dbtypec, const char **dbargv,
170222Sdougb	     isc_mem_t *mctx)
170222Sdougb{
170222Sdougb	char **argv = NULL;
170222Sdougb	unsigned int i;
262706Serwin	isc_result_t result = ISC_R_SUCCESS;
170222Sdougb
262706Serwin	CHECK(dns_zone_getdbtype(zone, &argv, mctx));
170222Sdougb
170222Sdougb	/*
170222Sdougb	 * Check that all the arguments match.
170222Sdougb	 */
170222Sdougb	for (i = 0; i < dbtypec; i++)
170222Sdougb		if (argv[i] == NULL || strcmp(argv[i], dbargv[i]) != 0) {
262706Serwin			CHECK(ISC_R_FAILURE);
170222Sdougb			break;
170222Sdougb		}
170222Sdougb
170222Sdougb	/*
170222Sdougb	 * Check that there are not extra arguments.
170222Sdougb	 */
170222Sdougb	if (i == dbtypec && argv[i] != NULL)
262706Serwin		result = ISC_R_FAILURE;
262706Serwin
262706Serwin cleanup:
170222Sdougb	isc_mem_free(mctx, argv);
262706Serwin	return (result);
170222Sdougb}
170222Sdougb
193149Sdougbstatic isc_result_t
254897Serwinsetquerystats(dns_zone_t *zone, isc_mem_t *mctx, dns_zonestat_level_t level) {
193149Sdougb	isc_result_t result;
193149Sdougb	isc_stats_t *zoneqrystats;
170222Sdougb
254897Serwin	dns_zone_setstatlevel(zone, level);
254897Serwin
193149Sdougb	zoneqrystats = NULL;
254897Serwin	if (level == dns_zonestat_full) {
193149Sdougb		result = isc_stats_create(mctx, &zoneqrystats,
193149Sdougb					  dns_nsstatscounter_max);
193149Sdougb		if (result != ISC_R_SUCCESS)
193149Sdougb			return (result);
193149Sdougb	}
193149Sdougb	dns_zone_setrequeststats(zone, zoneqrystats);
193149Sdougb	if (zoneqrystats != NULL)
193149Sdougb		isc_stats_detach(&zoneqrystats);
193149Sdougb
193149Sdougb	return (ISC_R_SUCCESS);
193149Sdougb}
193149Sdougb
224092Sdougbstatic ns_cache_t *
224092Sdougbcachelist_find(ns_cachelist_t *cachelist, const char *cachename) {
224092Sdougb	ns_cache_t *nsc;
224092Sdougb
224092Sdougb	for (nsc = ISC_LIST_HEAD(*cachelist);
224092Sdougb	     nsc != NULL;
224092Sdougb	     nsc = ISC_LIST_NEXT(nsc, link)) {
224092Sdougb		if (strcmp(dns_cache_getname(nsc->cache), cachename) == 0)
224092Sdougb			return (nsc);
224092Sdougb	}
224092Sdougb
224092Sdougb	return (NULL);
224092Sdougb}
224092Sdougb
193149Sdougbstatic isc_boolean_t
193149Sdougbcache_reusable(dns_view_t *originview, dns_view_t *view,
193149Sdougb	       isc_boolean_t new_zero_no_soattl)
193149Sdougb{
193149Sdougb	if (originview->checknames != view->checknames ||
193149Sdougb	    dns_resolver_getzeronosoattl(originview->resolver) !=
193149Sdougb	    new_zero_no_soattl ||
193149Sdougb	    originview->acceptexpired != view->acceptexpired ||
193149Sdougb	    originview->enablevalidation != view->enablevalidation ||
193149Sdougb	    originview->maxcachettl != view->maxcachettl ||
193149Sdougb	    originview->maxncachettl != view->maxncachettl) {
193149Sdougb		return (ISC_FALSE);
193149Sdougb	}
193149Sdougb
193149Sdougb	return (ISC_TRUE);
193149Sdougb}
193149Sdougb
224092Sdougbstatic isc_boolean_t
224092Sdougbcache_sharable(dns_view_t *originview, dns_view_t *view,
224092Sdougb	       isc_boolean_t new_zero_no_soattl,
224092Sdougb	       unsigned int new_cleaning_interval,
254897Serwin	       isc_uint64_t new_max_cache_size)
224092Sdougb{
224092Sdougb	/*
224092Sdougb	 * If the cache cannot even reused for the same view, it cannot be
224092Sdougb	 * shared with other views.
224092Sdougb	 */
224092Sdougb	if (!cache_reusable(originview, view, new_zero_no_soattl))
224092Sdougb		return (ISC_FALSE);
224092Sdougb
224092Sdougb	/*
224092Sdougb	 * Check other cache related parameters that must be consistent among
224092Sdougb	 * the sharing views.
224092Sdougb	 */
224092Sdougb	if (dns_cache_getcleaninginterval(originview->cache) !=
224092Sdougb	    new_cleaning_interval ||
224092Sdougb	    dns_cache_getcachesize(originview->cache) != new_max_cache_size) {
224092Sdougb		return (ISC_FALSE);
224092Sdougb	}
224092Sdougb
224092Sdougb	return (ISC_TRUE);
224092Sdougb}
224092Sdougb
135446Strhodes/*
224092Sdougb * Callback from DLZ configure when the driver sets up a writeable zone
224092Sdougb */
224092Sdougbstatic isc_result_t
224092Sdougbdlzconfigure_callback(dns_view_t *view, dns_zone_t *zone) {
224092Sdougb	dns_name_t *origin = dns_zone_getorigin(zone);
224092Sdougb	dns_rdataclass_t zclass = view->rdclass;
224092Sdougb	isc_result_t result;
224092Sdougb
224092Sdougb	result = dns_zonemgr_managezone(ns_g_server->zonemgr, zone);
224092Sdougb	if (result != ISC_R_SUCCESS)
254897Serwin		return (result);
224092Sdougb	dns_zone_setstats(zone, ns_g_server->zonestats);
224092Sdougb
254897Serwin	return (ns_zone_configure_writeable_dlz(view->dlzdatabase,
254897Serwin						zone, zclass, origin));
224092Sdougb}
224092Sdougb
224092Sdougbstatic isc_result_t
224092Sdougbdns64_reverse(dns_view_t *view, isc_mem_t *mctx, isc_netaddr_t *na,
224092Sdougb	      unsigned int prefixlen, const char *server,
224092Sdougb	      const char *contact)
224092Sdougb{
224092Sdougb	char *cp;
224092Sdougb	char reverse[48+sizeof("ip6.arpa.")];
236374Sdougb	const char *dns64_dbtype[4] = { "_dns64", "dns64", ".", "." };
224092Sdougb	const char *sep = ": view ";
224092Sdougb	const char *viewname = view->name;
224092Sdougb	const unsigned char *s6;
224092Sdougb	dns_fixedname_t fixed;
224092Sdougb	dns_name_t *name;
224092Sdougb	dns_zone_t *zone = NULL;
224092Sdougb	int dns64_dbtypec = 4;
224092Sdougb	isc_buffer_t b;
224092Sdougb	isc_result_t result;
224092Sdougb
224092Sdougb	REQUIRE(prefixlen == 32 || prefixlen == 40 || prefixlen == 48 ||
224092Sdougb		prefixlen == 56 || prefixlen == 64 || prefixlen == 96);
224092Sdougb
224092Sdougb	if (!strcmp(viewname, "_default")) {
224092Sdougb		sep = "";
224092Sdougb		viewname = "";
224092Sdougb	}
224092Sdougb
224092Sdougb	/*
224092Sdougb	 * Construct the reverse name of the zone.
224092Sdougb	 */
224092Sdougb	cp = reverse;
224092Sdougb	s6 = na->type.in6.s6_addr;
224092Sdougb	while (prefixlen > 0) {
224092Sdougb		prefixlen -= 8;
224092Sdougb		sprintf(cp, "%x.%x.", s6[prefixlen/8] & 0xf,
224092Sdougb			(s6[prefixlen/8] >> 4) & 0xf);
224092Sdougb		cp += 4;
224092Sdougb	}
224092Sdougb	strcat(cp, "ip6.arpa.");
224092Sdougb
224092Sdougb	/*
224092Sdougb	 * Create the actual zone.
224092Sdougb	 */
224092Sdougb	if (server != NULL)
224092Sdougb		dns64_dbtype[2] = server;
224092Sdougb	if (contact != NULL)
224092Sdougb		dns64_dbtype[3] = contact;
224092Sdougb	dns_fixedname_init(&fixed);
224092Sdougb	name = dns_fixedname_name(&fixed);
254402Serwin	isc_buffer_constinit(&b, reverse, strlen(reverse));
224092Sdougb	isc_buffer_add(&b, strlen(reverse));
224092Sdougb	CHECK(dns_name_fromtext(name, &b, dns_rootname, 0, NULL));
224092Sdougb	CHECK(dns_zone_create(&zone, mctx));
224092Sdougb	CHECK(dns_zone_setorigin(zone, name));
224092Sdougb	dns_zone_setview(zone, view);
224092Sdougb	CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
224092Sdougb	dns_zone_setclass(zone, view->rdclass);
224092Sdougb	dns_zone_settype(zone, dns_zone_master);
224092Sdougb	dns_zone_setstats(zone, ns_g_server->zonestats);
224092Sdougb	CHECK(dns_zone_setdbtype(zone, dns64_dbtypec, dns64_dbtype));
224092Sdougb	if (view->queryacl != NULL)
224092Sdougb		dns_zone_setqueryacl(zone, view->queryacl);
224092Sdougb	if (view->queryonacl != NULL)
224092Sdougb		dns_zone_setqueryonacl(zone, view->queryonacl);
224092Sdougb	dns_zone_setdialup(zone, dns_dialuptype_no);
224092Sdougb	dns_zone_setnotifytype(zone, dns_notifytype_no);
224092Sdougb	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
254897Serwin	CHECK(setquerystats(zone, mctx, dns_zonestat_none));	/* XXXMPA */
224092Sdougb	CHECK(dns_view_addzone(view, zone));
224092Sdougb	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
224092Sdougb		      ISC_LOG_INFO, "dns64 reverse zone%s%s: %s", sep,
224092Sdougb		      viewname, reverse);
224092Sdougb
224092Sdougbcleanup:
224092Sdougb	if (zone != NULL)
224092Sdougb		dns_zone_detach(&zone);
224092Sdougb	return (result);
224092Sdougb}
224092Sdougb
224092Sdougbstatic isc_result_t
254402Serwinconfigure_rpz_name(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
254402Serwin		   const char *str, const char *msg)
254402Serwin{
254402Serwin	isc_result_t result;
254402Serwin
254402Serwin	result = dns_name_fromstring(name, str, DNS_NAME_DOWNCASE, view->mctx);
254402Serwin	if (result != ISC_R_SUCCESS)
254402Serwin		cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
254402Serwin			    "invalid %s '%s'", msg, str);
254402Serwin	return (result);
254402Serwin}
254402Serwin
254402Serwinstatic isc_result_t
254402Serwinconfigure_rpz_name2(dns_view_t *view, const cfg_obj_t *obj, dns_name_t *name,
254402Serwin		    const char *str, const dns_name_t *origin)
254402Serwin{
254402Serwin	isc_result_t result;
254402Serwin
254402Serwin	result = dns_name_fromstring2(name, str, origin, DNS_NAME_DOWNCASE,
254402Serwin				      view->mctx);
254402Serwin	if (result != ISC_R_SUCCESS)
254402Serwin		cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
254402Serwin			    "invalid zone '%s'", str);
254402Serwin	return (result);
254402Serwin}
254402Serwin
254402Serwinstatic isc_result_t
245163Serwinconfigure_rpz(dns_view_t *view, const cfg_listelt_t *element,
245163Serwin	      isc_boolean_t recursive_only_def, dns_ttl_t ttl_def)
245163Serwin{
254402Serwin	const cfg_obj_t *rpz_obj, *obj;
224092Sdougb	const char *str;
224092Sdougb	dns_rpz_zone_t *old, *new;
224092Sdougb	isc_result_t result;
224092Sdougb
254402Serwin	rpz_obj = cfg_listelt_value(element);
254402Serwin
224092Sdougb	new = isc_mem_get(view->mctx, sizeof(*new));
224092Sdougb	if (new == NULL) {
254402Serwin		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
254402Serwin			    "no memory for response policy zones");
254402Serwin		return (ISC_R_NOMEMORY);
224092Sdougb	}
224092Sdougb
224092Sdougb	memset(new, 0, sizeof(*new));
245163Serwin	dns_name_init(&new->origin, NULL);
224092Sdougb	dns_name_init(&new->nsdname, NULL);
254402Serwin	dns_name_init(&new->passthru, NULL);
224092Sdougb	dns_name_init(&new->cname, NULL);
224092Sdougb	ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link);
224092Sdougb
245163Serwin	obj = cfg_tuple_get(rpz_obj, "recursive-only");
245163Serwin	if (cfg_obj_isvoid(obj)) {
245163Serwin		new->recursive_only = recursive_only_def;
245163Serwin	} else {
245163Serwin		new->recursive_only = cfg_obj_asboolean(obj);
245163Serwin	}
245163Serwin	if (!new->recursive_only)
245163Serwin		view->rpz_recursive_only = ISC_FALSE;
245163Serwin
245163Serwin	obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
245163Serwin	if (cfg_obj_isuint32(obj)) {
245163Serwin		new->max_policy_ttl = cfg_obj_asuint32(obj);
245163Serwin	} else {
245163Serwin		new->max_policy_ttl = ttl_def;
245163Serwin	}
245163Serwin
245163Serwin	str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name"));
254402Serwin	result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone");
254402Serwin	if (result != ISC_R_SUCCESS)
254402Serwin		return (result);
254402Serwin	if (dns_name_equal(&new->origin, dns_rootname)) {
224092Sdougb		cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
254402Serwin			    "invalid zone name '%s'", str);
254402Serwin		return (DNS_R_EMPTYLABEL);
224092Sdougb	}
224092Sdougb	for (old = ISC_LIST_HEAD(view->rpz_zones);
224092Sdougb	     old != new;
224092Sdougb	     old = ISC_LIST_NEXT(old, link)) {
224092Sdougb		++new->num;
224092Sdougb		if (dns_name_equal(&old->origin, &new->origin)) {
224092Sdougb			cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
224092Sdougb				    "duplicate '%s'", str);
224092Sdougb			result = DNS_R_DUPLICATE;
254402Serwin			return (result);
224092Sdougb		}
224092Sdougb	}
224092Sdougb
254402Serwin	result = configure_rpz_name2(view, rpz_obj, &new->nsdname,
254402Serwin				     DNS_RPZ_NSDNAME_ZONE, &new->origin);
254402Serwin	if (result != ISC_R_SUCCESS)
254402Serwin		return (result);
254402Serwin
254402Serwin	result = configure_rpz_name(view, rpz_obj, &new->passthru,
254402Serwin				    DNS_RPZ_PASSTHRU_ZONE, "zone");
254402Serwin	if (result != ISC_R_SUCCESS)
254402Serwin		return (result);
254402Serwin
254402Serwin	obj = cfg_tuple_get(rpz_obj, "policy");
254402Serwin	if (cfg_obj_isvoid(obj)) {
254402Serwin		new->policy = DNS_RPZ_POLICY_GIVEN;
254402Serwin	} else {
254402Serwin		str = cfg_obj_asstring(cfg_tuple_get(obj, "policy name"));
254402Serwin		new->policy = dns_rpz_str2policy(str);
254402Serwin		INSIST(new->policy != DNS_RPZ_POLICY_ERROR);
254402Serwin		if (new->policy == DNS_RPZ_POLICY_CNAME) {
254402Serwin			str = cfg_obj_asstring(cfg_tuple_get(obj, "cname"));
254402Serwin			result = configure_rpz_name(view, rpz_obj, &new->cname,
254402Serwin						    str, "cname");
254402Serwin			if (result != ISC_R_SUCCESS)
254402Serwin				return (result);
224092Sdougb		}
224092Sdougb	}
224092Sdougb
224092Sdougb	return (ISC_R_SUCCESS);
224092Sdougb}
224092Sdougb
262706Serwin#ifdef USE_RRL
262706Serwin#define CHECK_RRL(cond, pat, val1, val2)				\
262706Serwin	do {								\
262706Serwin		if (!(cond)) {						\
262706Serwin			cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,	\
262706Serwin				    pat, val1, val2);			\
262706Serwin			result = ISC_R_RANGE;				\
262706Serwin			goto cleanup;					\
262706Serwin		    }							\
262706Serwin	} while (0)
262706Serwin
262706Serwin#define CHECK_RRL_RATE(rate, def, max_rate, name)			\
262706Serwin	do {								\
262706Serwin		obj = NULL;						\
262706Serwin		rrl->rate.str = name;					\
262706Serwin		result = cfg_map_get(map, name, &obj);			\
262706Serwin		if (result == ISC_R_SUCCESS) {				\
262706Serwin			rrl->rate.r = cfg_obj_asuint32(obj);		\
262706Serwin			CHECK_RRL(rrl->rate.r <= max_rate,		\
262706Serwin				  name" %d > %d",			\
262706Serwin				  rrl->rate.r, max_rate);		\
262706Serwin		} else {						\
262706Serwin			rrl->rate.r = def;				\
262706Serwin		}							\
262706Serwin		rrl->rate.scaled = rrl->rate.r;				\
262706Serwin	} while (0)
262706Serwin
262706Serwinstatic isc_result_t
262706Serwinconfigure_rrl(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *map) {
262706Serwin	const cfg_obj_t *obj;
262706Serwin	dns_rrl_t *rrl;
262706Serwin	isc_result_t result;
262706Serwin	int min_entries, i, j;
262706Serwin
262706Serwin	/*
262706Serwin	 * Most DNS servers have few clients, but intentinally open
262706Serwin	 * recursive and authoritative servers often have many.
262706Serwin	 * So start with a small number of entries unless told otherwise
262706Serwin	 * to reduce cold-start costs.
262706Serwin	 */
262706Serwin	min_entries = 500;
262706Serwin	obj = NULL;
262706Serwin	result = cfg_map_get(map, "min-table-size", &obj);
262706Serwin	if (result == ISC_R_SUCCESS) {
262706Serwin		min_entries = cfg_obj_asuint32(obj);
262706Serwin		if (min_entries < 1)
262706Serwin			min_entries = 1;
262706Serwin	}
262706Serwin	result = dns_rrl_init(&rrl, view, min_entries);
262706Serwin	if (result != ISC_R_SUCCESS)
262706Serwin		return (result);
262706Serwin
262706Serwin	i = ISC_MAX(20000, min_entries);
262706Serwin	obj = NULL;
262706Serwin	result = cfg_map_get(map, "max-table-size", &obj);
262706Serwin	if (result == ISC_R_SUCCESS) {
262706Serwin		i = cfg_obj_asuint32(obj);
262706Serwin		CHECK_RRL(i >= min_entries,
262706Serwin			  "max-table-size %d < min-table-size %d",
262706Serwin			  i, min_entries);
262706Serwin	}
262706Serwin	rrl->max_entries = i;
262706Serwin
262706Serwin	CHECK_RRL_RATE(responses_per_second, 0, DNS_RRL_MAX_RATE,
262706Serwin		       "responses-per-second");
262706Serwin	CHECK_RRL_RATE(referrals_per_second,
262706Serwin		       rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
262706Serwin		       "referrals-per-second");
262706Serwin	CHECK_RRL_RATE(nodata_per_second,
262706Serwin		       rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
262706Serwin		       "nodata-per-second");
262706Serwin	CHECK_RRL_RATE(nxdomains_per_second,
262706Serwin		       rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
262706Serwin		       "nxdomains-per-second");
262706Serwin	CHECK_RRL_RATE(errors_per_second,
262706Serwin		       rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
262706Serwin		       "errors-per-second");
262706Serwin
262706Serwin	CHECK_RRL_RATE(all_per_second, 0, DNS_RRL_MAX_RATE,
262706Serwin		       "all-per-second");
262706Serwin
262706Serwin	CHECK_RRL_RATE(slip, 2, DNS_RRL_MAX_SLIP,
262706Serwin		       "slip");
262706Serwin
262706Serwin	i = 15;
262706Serwin	obj = NULL;
262706Serwin	result = cfg_map_get(map, "window", &obj);
262706Serwin	if (result == ISC_R_SUCCESS) {
262706Serwin		i = cfg_obj_asuint32(obj);
262706Serwin		CHECK_RRL(i >= 1 && i <= DNS_RRL_MAX_WINDOW,
262706Serwin			  "window %d < 1 or > %d", i, DNS_RRL_MAX_WINDOW);
262706Serwin	}
262706Serwin	rrl->window = i;
262706Serwin
262706Serwin	i = 0;
262706Serwin	obj = NULL;
262706Serwin	result = cfg_map_get(map, "qps-scale", &obj);
262706Serwin	if (result == ISC_R_SUCCESS) {
262706Serwin		i = cfg_obj_asuint32(obj);
262706Serwin		CHECK_RRL(i >= 1, "invalid 'qps-scale %d'%s", i, "");
262706Serwin	}
262706Serwin	rrl->qps_scale = i;
262706Serwin	rrl->qps = 1.0;
262706Serwin
262706Serwin	i = 24;
262706Serwin	obj = NULL;
262706Serwin	result = cfg_map_get(map, "ipv4-prefix-length", &obj);
262706Serwin	if (result == ISC_R_SUCCESS) {
262706Serwin		i = cfg_obj_asuint32(obj);
262706Serwin		CHECK_RRL(i >= 8 && i <= 32,
262706Serwin			  "invalid 'ipv4-prefix-length %d'%s", i, "");
262706Serwin	}
262706Serwin	rrl->ipv4_prefixlen = i;
262706Serwin	if (i == 32)
262706Serwin		rrl->ipv4_mask = 0xffffffff;
262706Serwin	else
262706Serwin		rrl->ipv4_mask = htonl(0xffffffff << (32-i));
262706Serwin
262706Serwin	i = 56;
262706Serwin	obj = NULL;
262706Serwin	result = cfg_map_get(map, "ipv6-prefix-length", &obj);
262706Serwin	if (result == ISC_R_SUCCESS) {
262706Serwin		i = cfg_obj_asuint32(obj);
262706Serwin		CHECK_RRL(i >= 16 && i <= DNS_RRL_MAX_PREFIX,
262706Serwin			  "ipv6-prefix-length %d < 16 or > %d",
262706Serwin			  i, DNS_RRL_MAX_PREFIX);
262706Serwin	}
262706Serwin	rrl->ipv6_prefixlen = i;
262706Serwin	for (j = 0; j < 4; ++j) {
262706Serwin		if (i <= 0) {
262706Serwin			rrl->ipv6_mask[j] = 0;
262706Serwin		} else if (i < 32) {
262706Serwin			rrl->ipv6_mask[j] = htonl(0xffffffff << (32-i));
262706Serwin		} else {
262706Serwin			rrl->ipv6_mask[j] = 0xffffffff;
262706Serwin		}
262706Serwin		i -= 32;
262706Serwin	}
262706Serwin
262706Serwin	obj = NULL;
262706Serwin	result = cfg_map_get(map, "exempt-clients", &obj);
262706Serwin	if (result == ISC_R_SUCCESS) {
262706Serwin		result = cfg_acl_fromconfig(obj, config, ns_g_lctx,
262706Serwin					    ns_g_aclconfctx, ns_g_mctx,
262706Serwin					    0, &rrl->exempt);
262706Serwin		CHECK_RRL(result == ISC_R_SUCCESS,
262706Serwin			  "invalid %s%s", "address match list", "");
262706Serwin	}
262706Serwin
262706Serwin	obj = NULL;
262706Serwin	result = cfg_map_get(map, "log-only", &obj);
262706Serwin	if (result == ISC_R_SUCCESS && cfg_obj_asboolean(obj))
262706Serwin		rrl->log_only = ISC_TRUE;
262706Serwin	else
262706Serwin		rrl->log_only = ISC_FALSE;
262706Serwin
262706Serwin	return (ISC_R_SUCCESS);
262706Serwin
262706Serwin cleanup:
262706Serwin	dns_rrl_view_destroy(view);
262706Serwin	return (result);
262706Serwin}
262706Serwin#endif /* USE_RRL */
262706Serwin
262706Serwinstatic isc_result_t
262706Serwinadd_soa(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
262706Serwin	dns_name_t *origin, dns_name_t *contact)
262706Serwin{
262706Serwin	dns_dbnode_t *node = NULL;
262706Serwin	dns_rdata_t rdata = DNS_RDATA_INIT;
262706Serwin	dns_rdatalist_t rdatalist;
262706Serwin	dns_rdataset_t rdataset;
262706Serwin	isc_result_t result;
262706Serwin	unsigned char buf[DNS_SOA_BUFFERSIZE];
262706Serwin
262706Serwin	dns_rdataset_init(&rdataset);
262706Serwin	dns_rdatalist_init(&rdatalist);
262706Serwin	CHECK(dns_soa_buildrdata(origin, contact, dns_db_class(db),
262706Serwin				 0, 28800, 7200, 604800, 86400, buf, &rdata));
262706Serwin	rdatalist.type = rdata.type;
262706Serwin	rdatalist.covers = 0;
262706Serwin	rdatalist.rdclass = rdata.rdclass;
262706Serwin	rdatalist.ttl = 86400;
262706Serwin	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
262706Serwin	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
262706Serwin	CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
262706Serwin	CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
262706Serwin cleanup:
262706Serwin	if (node != NULL)
262706Serwin		dns_db_detachnode(db, &node);
262706Serwin	return (result);
262706Serwin}
262706Serwin
262706Serwinstatic isc_result_t
262706Serwinadd_ns(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
262706Serwin       dns_name_t *nsname)
262706Serwin{
262706Serwin	dns_dbnode_t *node = NULL;
262706Serwin	dns_rdata_ns_t ns;
262706Serwin	dns_rdata_t rdata = DNS_RDATA_INIT;
262706Serwin	dns_rdatalist_t rdatalist;
262706Serwin	dns_rdataset_t rdataset;
262706Serwin	isc_result_t result;
262706Serwin	isc_buffer_t b;
262706Serwin	unsigned char buf[DNS_NAME_MAXWIRE];
262706Serwin
262706Serwin	isc_buffer_init(&b, buf, sizeof(buf));
262706Serwin
262706Serwin	dns_rdataset_init(&rdataset);
262706Serwin	dns_rdatalist_init(&rdatalist);
262706Serwin	ns.common.rdtype = dns_rdatatype_ns;
262706Serwin	ns.common.rdclass = dns_db_class(db);
262706Serwin	ns.mctx = NULL;
262706Serwin	dns_name_init(&ns.name, NULL);
262706Serwin	dns_name_clone(nsname, &ns.name);
262706Serwin	CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_ns,
262706Serwin				   &ns, &b));
262706Serwin	rdatalist.type = rdata.type;
262706Serwin	rdatalist.covers = 0;
262706Serwin	rdatalist.rdclass = rdata.rdclass;
262706Serwin	rdatalist.ttl = 86400;
262706Serwin	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
262706Serwin	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
262706Serwin	CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
262706Serwin	CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
262706Serwin cleanup:
262706Serwin	if (node != NULL)
262706Serwin		dns_db_detachnode(db, &node);
262706Serwin	return (result);
262706Serwin}
262706Serwin
262706Serwinstatic isc_result_t
262706Serwincreate_empty_zone(dns_zone_t *zone, dns_name_t *name, dns_view_t *view,
262706Serwin		  const cfg_obj_t *zonelist, const char **empty_dbtype,
262706Serwin		  int empty_dbtypec, dns_zonestat_level_t statlevel)
262706Serwin{
262706Serwin	char namebuf[DNS_NAME_FORMATSIZE];
262706Serwin	const cfg_listelt_t *element;
262706Serwin	const cfg_obj_t *obj;
262706Serwin	const cfg_obj_t *zconfig;
262706Serwin	const cfg_obj_t *zoptions;
262706Serwin	const char *rbt_dbtype[4] = { "rbt" };
262706Serwin	const char *sep = ": view ";
262706Serwin	const char *str;
262706Serwin	const char *viewname = view->name;
262706Serwin	dns_db_t *db = NULL;
262706Serwin	dns_dbversion_t *version = NULL;
262706Serwin	dns_fixedname_t cfixed;
262706Serwin	dns_fixedname_t fixed;
262706Serwin	dns_fixedname_t nsfixed;
262706Serwin	dns_name_t *contact;
262706Serwin	dns_name_t *ns;
262706Serwin	dns_name_t *zname;
262706Serwin	dns_zone_t *myzone = NULL;
262706Serwin	int rbt_dbtypec = 1;
262706Serwin	isc_result_t result;
262706Serwin	dns_namereln_t namereln;
262706Serwin	int order;
262706Serwin	unsigned int nlabels;
262706Serwin
262706Serwin	dns_fixedname_init(&fixed);
262706Serwin	zname = dns_fixedname_name(&fixed);
262706Serwin	dns_fixedname_init(&nsfixed);
262706Serwin	ns = dns_fixedname_name(&nsfixed);
262706Serwin	dns_fixedname_init(&cfixed);
262706Serwin	contact = dns_fixedname_name(&cfixed);
262706Serwin
262706Serwin	/*
262706Serwin	 * Look for forward "zones" beneath this empty zone and if so
262706Serwin	 * create a custom db for the empty zone.
262706Serwin	 */
262706Serwin	for (element = cfg_list_first(zonelist);
262706Serwin	     element != NULL;
262706Serwin	     element = cfg_list_next(element)) {
262706Serwin
262706Serwin		zconfig = cfg_listelt_value(element);
262706Serwin		str = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
262706Serwin		CHECK(dns_name_fromstring(zname, str, 0, NULL));
262706Serwin		namereln = dns_name_fullcompare(zname, name, &order, &nlabels);
262706Serwin		if (namereln != dns_namereln_subdomain)
262706Serwin			continue;
262706Serwin
262706Serwin		zoptions = cfg_tuple_get(zconfig, "options");
262706Serwin
262706Serwin		obj = NULL;
262706Serwin		(void)cfg_map_get(zoptions, "type", &obj);
262706Serwin		INSIST(obj != NULL);
262706Serwin		if (strcasecmp(cfg_obj_asstring(obj), "forward") == 0) {
262706Serwin			obj = NULL;
262706Serwin			(void)cfg_map_get(zoptions, "forward", &obj);
262706Serwin			if (obj == NULL)
262706Serwin				continue;
262706Serwin			if (strcasecmp(cfg_obj_asstring(obj), "only") != 0)
262706Serwin				continue;
262706Serwin		}
262706Serwin		if (db == NULL) {
262706Serwin			CHECK(dns_db_create(view->mctx, "rbt", name,
262706Serwin					    dns_dbtype_zone, view->rdclass,
262706Serwin					    0, NULL, &db));
262706Serwin			CHECK(dns_db_newversion(db, &version));
262706Serwin			if (strcmp(empty_dbtype[2], "@") == 0)
262706Serwin				dns_name_clone(name, ns);
262706Serwin			else
262706Serwin				CHECK(dns_name_fromstring(ns, empty_dbtype[2],
262706Serwin							  0, NULL));
262706Serwin			CHECK(dns_name_fromstring(contact, empty_dbtype[3],
262706Serwin						  0, NULL));
262706Serwin			CHECK(add_soa(db, version, name, ns, contact));
262706Serwin			CHECK(add_ns(db, version, name, ns));
262706Serwin		}
262706Serwin		CHECK(add_ns(db, version, zname, dns_rootname));
262706Serwin	}
262706Serwin
262706Serwin	/*
262706Serwin	 * Is the existing zone the ok to use?
262706Serwin	 */
262706Serwin	if (zone != NULL) {
262706Serwin		unsigned int typec;
262706Serwin		const char **dbargv;
262706Serwin
262706Serwin		if (db != NULL) {
262706Serwin			typec = rbt_dbtypec;
262706Serwin			dbargv = rbt_dbtype;
262706Serwin		} else {
262706Serwin			typec = empty_dbtypec;
262706Serwin			dbargv = empty_dbtype;
262706Serwin		}
262706Serwin
262706Serwin		result = check_dbtype(zone, typec, dbargv, view->mctx);
262706Serwin		if (result != ISC_R_SUCCESS)
262706Serwin			zone = NULL;
262706Serwin
262706Serwin		if (zone != NULL && dns_zone_gettype(zone) != dns_zone_master)
262706Serwin			zone = NULL;
262706Serwin		if (zone != NULL && dns_zone_getfile(zone) != NULL)
262706Serwin			zone = NULL;
262706Serwin		if (zone != NULL) {
262706Serwin			dns_zone_getraw(zone, &myzone);
262706Serwin			if (myzone != NULL) {
262706Serwin				dns_zone_detach(&myzone);
262706Serwin				zone = NULL;
262706Serwin			}
262706Serwin		}
262706Serwin	}
262706Serwin
262706Serwin	if (zone == NULL) {
262706Serwin		CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &myzone));
262706Serwin		zone = myzone;
262706Serwin		CHECK(dns_zone_setorigin(zone, name));
262706Serwin		CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
262706Serwin		if (db == NULL)
262706Serwin			CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
262706Serwin						 empty_dbtype));
262706Serwin		dns_zone_setclass(zone, view->rdclass);
262706Serwin		dns_zone_settype(zone, dns_zone_master);
262706Serwin		dns_zone_setstats(zone, ns_g_server->zonestats);
262706Serwin	}
262706Serwin
262706Serwin	dns_zone_setoption(zone, ~DNS_ZONEOPT_NOCHECKNS, ISC_FALSE);
262706Serwin	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
262706Serwin	dns_zone_setnotifytype(zone, dns_notifytype_no);
262706Serwin	dns_zone_setdialup(zone, dns_dialuptype_no);
262706Serwin	if (view->queryacl)
262706Serwin		dns_zone_setqueryacl(zone, view->queryacl);
262706Serwin	else
262706Serwin		dns_zone_clearqueryacl(zone);
262706Serwin	if (view->queryonacl)
262706Serwin		dns_zone_setqueryonacl(zone, view->queryonacl);
262706Serwin	else
262706Serwin		dns_zone_clearqueryonacl(zone);
262706Serwin	dns_zone_clearupdateacl(zone);
262706Serwin	dns_zone_clearxfracl(zone);
262706Serwin
262706Serwin	CHECK(setquerystats(zone, view->mctx, statlevel));
262706Serwin	if (db != NULL) {
262706Serwin		dns_db_closeversion(db, &version, ISC_TRUE);
262706Serwin		CHECK(dns_zone_replacedb(zone, db, ISC_FALSE));
262706Serwin	}
262706Serwin	dns_zone_setview(zone, view);
262706Serwin	CHECK(dns_view_addzone(view, zone));
262706Serwin
262706Serwin	if (!strcmp(viewname, "_default")) {
262706Serwin		sep = "";
262706Serwin		viewname = "";
262706Serwin	}
262706Serwin	dns_name_format(name, namebuf, sizeof(namebuf));
262706Serwin	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
262706Serwin		      ISC_LOG_INFO, "automatic empty zone%s%s: %s",
262706Serwin		      sep, viewname, namebuf);
262706Serwin
262706Serwin cleanup:
262706Serwin	if (myzone != NULL)
262706Serwin		dns_zone_detach(&myzone);
262706Serwin	if (version != NULL)
262706Serwin		dns_db_closeversion(db, &version, ISC_FALSE);
262706Serwin	if (db != NULL)
262706Serwin		dns_db_detach(&db);
262706Serwin	return (result);
262706Serwin}
262706Serwin
224092Sdougb/*
135446Strhodes * Configure 'view' according to 'vconfig', taking defaults from 'config'
135446Strhodes * where values are missing in 'vconfig'.
135446Strhodes *
135446Strhodes * When configuring the default view, 'vconfig' will be NULL and the
135446Strhodes * global defaults in 'config' used exclusively.
135446Strhodes */
135446Strhodesstatic isc_result_t
225361Sdougbconfigure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
224092Sdougb	       ns_cachelist_t *cachelist, const cfg_obj_t *bindkeys,
224092Sdougb	       isc_mem_t *mctx, cfg_aclconfctx_t *actx,
224092Sdougb	       isc_boolean_t need_hints)
135446Strhodes{
165071Sdougb	const cfg_obj_t *maps[4];
165071Sdougb	const cfg_obj_t *cfgmaps[3];
224092Sdougb	const cfg_obj_t *optionmaps[3];
165071Sdougb	const cfg_obj_t *options = NULL;
165071Sdougb	const cfg_obj_t *voptions = NULL;
165071Sdougb	const cfg_obj_t *forwardtype;
165071Sdougb	const cfg_obj_t *forwarders;
165071Sdougb	const cfg_obj_t *alternates;
165071Sdougb	const cfg_obj_t *zonelist;
186462Sdougb	const cfg_obj_t *dlz;
186462Sdougb	unsigned int dlzargc;
186462Sdougb	char **dlzargv;
165071Sdougb	const cfg_obj_t *disabled;
165071Sdougb	const cfg_obj_t *obj;
165071Sdougb	const cfg_listelt_t *element;
135446Strhodes	in_port_t port;
135446Strhodes	dns_cache_t *cache = NULL;
135446Strhodes	isc_result_t result;
224092Sdougb	unsigned int cleaning_interval;
254897Serwin	size_t max_cache_size;
254897Serwin	size_t max_acache_size;
254897Serwin	size_t max_adb_size;
135446Strhodes	isc_uint32_t lame_ttl;
224092Sdougb	dns_tsig_keyring_t *ring = NULL;
135446Strhodes	dns_view_t *pview = NULL;	/* Production view */
225361Sdougb	isc_mem_t *cmctx = NULL, *hmctx = NULL;
135446Strhodes	dns_dispatch_t *dispatch4 = NULL;
135446Strhodes	dns_dispatch_t *dispatch6 = NULL;
135446Strhodes	isc_boolean_t reused_cache = ISC_FALSE;
224092Sdougb	isc_boolean_t shared_cache = ISC_FALSE;
224092Sdougb	int i = 0, j = 0, k = 0;
135446Strhodes	const char *str;
224092Sdougb	const char *cachename = NULL;
135446Strhodes	dns_order_t *order = NULL;
135446Strhodes	isc_uint32_t udpsize;
254897Serwin	isc_uint32_t maxbits;
193149Sdougb	unsigned int resopts = 0;
170222Sdougb	dns_zone_t *zone = NULL;
170222Sdougb	isc_uint32_t max_clients_per_query;
170222Sdougb	isc_boolean_t empty_zones_enable;
170222Sdougb	const cfg_obj_t *disablelist = NULL;
193149Sdougb	isc_stats_t *resstats = NULL;
193149Sdougb	dns_stats_t *resquerystats = NULL;
224092Sdougb	isc_boolean_t auto_dlv = ISC_FALSE;
224092Sdougb	isc_boolean_t auto_root = ISC_FALSE;
224092Sdougb	ns_cache_t *nsc;
193149Sdougb	isc_boolean_t zero_no_soattl;
224092Sdougb	dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL;
254897Serwin	unsigned int query_timeout, ndisp;
225361Sdougb	struct cfg_context *nzctx;
254402Serwin	dns_rpz_zone_t *rpz;
135446Strhodes
135446Strhodes	REQUIRE(DNS_VIEW_VALID(view));
135446Strhodes
135446Strhodes	if (config != NULL)
135446Strhodes		(void)cfg_map_get(config, "options", &options);
135446Strhodes
224092Sdougb	/*
224092Sdougb	 * maps: view options, options, defaults
224092Sdougb	 * cfgmaps: view options, config
224092Sdougb	 * optionmaps: view options, options
224092Sdougb	 */
135446Strhodes	if (vconfig != NULL) {
135446Strhodes		voptions = cfg_tuple_get(vconfig, "options");
135446Strhodes		maps[i++] = voptions;
224092Sdougb		optionmaps[j++] = voptions;
224092Sdougb		cfgmaps[k++] = voptions;
135446Strhodes	}
224092Sdougb	if (options != NULL) {
135446Strhodes		maps[i++] = options;
224092Sdougb		optionmaps[j++] = options;
224092Sdougb	}
224092Sdougb
135446Strhodes	maps[i++] = ns_g_defaults;
135446Strhodes	maps[i] = NULL;
224092Sdougb	optionmaps[j] = NULL;
135446Strhodes	if (config != NULL)
224092Sdougb		cfgmaps[k++] = config;
224092Sdougb	cfgmaps[k] = NULL;
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Set the view's port number for outgoing queries.
135446Strhodes	 */
135446Strhodes	CHECKM(ns_config_getport(config, &port), "port");
135446Strhodes	dns_view_setdstport(view, port);
135446Strhodes
135446Strhodes	/*
170222Sdougb	 * Create additional cache for this view and zones under the view
170222Sdougb	 * if explicitly enabled.
170222Sdougb	 * XXX950 default to on.
170222Sdougb	 */
170222Sdougb	obj = NULL;
170222Sdougb	(void)ns_config_get(maps, "acache-enable", &obj);
170222Sdougb	if (obj != NULL && cfg_obj_asboolean(obj)) {
170222Sdougb		cmctx = NULL;
170222Sdougb		CHECK(isc_mem_create(0, 0, &cmctx));
170222Sdougb		CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
170222Sdougb					ns_g_timermgr));
193149Sdougb		isc_mem_setname(cmctx, "acache", NULL);
170222Sdougb		isc_mem_detach(&cmctx);
170222Sdougb	}
170222Sdougb	if (view->acache != NULL) {
170222Sdougb		obj = NULL;
170222Sdougb		result = ns_config_get(maps, "acache-cleaning-interval", &obj);
170222Sdougb		INSIST(result == ISC_R_SUCCESS);
170222Sdougb		dns_acache_setcleaninginterval(view->acache,
170222Sdougb					       cfg_obj_asuint32(obj) * 60);
170222Sdougb
170222Sdougb		obj = NULL;
170222Sdougb		result = ns_config_get(maps, "max-acache-size", &obj);
170222Sdougb		INSIST(result == ISC_R_SUCCESS);
170222Sdougb		if (cfg_obj_isstring(obj)) {
170222Sdougb			str = cfg_obj_asstring(obj);
170222Sdougb			INSIST(strcasecmp(str, "unlimited") == 0);
170222Sdougb			max_acache_size = ISC_UINT32_MAX;
170222Sdougb		} else {
170222Sdougb			isc_resourcevalue_t value;
170222Sdougb			value = cfg_obj_asuint64(obj);
254897Serwin			if (value > SIZE_MAX) {
254897Serwin				cfg_obj_log(obj, ns_g_lctx,
254897Serwin					    ISC_LOG_WARNING,
170222Sdougb					    "'max-acache-size "
254897Serwin					    "%" ISC_PRINT_QUADFORMAT "u' "
254897Serwin					    "is too large for this "
254897Serwin					    "system; reducing to %lu",
254897Serwin					    value, (unsigned long)SIZE_MAX);
254897Serwin				value = SIZE_MAX;
170222Sdougb			}
254897Serwin			max_acache_size = (size_t) value;
170222Sdougb		}
170222Sdougb		dns_acache_setcachesize(view->acache, max_acache_size);
170222Sdougb	}
170222Sdougb
224092Sdougb	CHECK(configure_view_acl(vconfig, config, "allow-query", NULL, actx,
216175Sdougb				 ns_g_mctx, &view->queryacl));
216175Sdougb	if (view->queryacl == NULL) {
224092Sdougb		CHECK(configure_view_acl(NULL, ns_g_config, "allow-query",
224092Sdougb					 NULL, actx, ns_g_mctx,
224092Sdougb					 &view->queryacl));
216175Sdougb	}
216175Sdougb
170222Sdougb	/*
254402Serwin	 * Make the list of response policy zone names for a view that
254402Serwin	 * is used for real lookups and so cares about hints.
254402Serwin	 */
254402Serwin	obj = NULL;
254402Serwin	if (view->rdclass == dns_rdataclass_in && need_hints &&
254402Serwin	    ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) {
254402Serwin		const cfg_obj_t *rpz_obj;
254402Serwin		isc_boolean_t recursive_only_def;
254402Serwin		dns_ttl_t ttl_def;
254402Serwin
254402Serwin		rpz_obj = cfg_tuple_get(obj, "recursive-only");
254402Serwin		if (!cfg_obj_isvoid(rpz_obj) &&
254402Serwin		    !cfg_obj_asboolean(rpz_obj))
254402Serwin			recursive_only_def = ISC_FALSE;
254402Serwin		else
254402Serwin			recursive_only_def = ISC_TRUE;
254402Serwin
254402Serwin		rpz_obj = cfg_tuple_get(obj, "break-dnssec");
254402Serwin		if (!cfg_obj_isvoid(rpz_obj) &&
254402Serwin		    cfg_obj_asboolean(rpz_obj))
254402Serwin			view->rpz_break_dnssec = ISC_TRUE;
254402Serwin		else
254402Serwin			view->rpz_break_dnssec = ISC_FALSE;
254402Serwin
254402Serwin		rpz_obj = cfg_tuple_get(obj, "max-policy-ttl");
254402Serwin		if (cfg_obj_isuint32(rpz_obj))
254402Serwin			ttl_def = cfg_obj_asuint32(rpz_obj);
254402Serwin		else
254402Serwin			ttl_def = DNS_RPZ_MAX_TTL_DEFAULT;
254402Serwin
254402Serwin		rpz_obj = cfg_tuple_get(obj, "min-ns-dots");
254402Serwin		if (cfg_obj_isuint32(rpz_obj))
254402Serwin			view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1;
254402Serwin		else
254402Serwin			view->rpz_min_ns_labels = 2;
254402Serwin
254402Serwin		element = cfg_list_first(cfg_tuple_get(obj, "zone list"));
254402Serwin		while (element != NULL) {
254402Serwin			result = configure_rpz(view, element,
254402Serwin					       recursive_only_def, ttl_def);
254402Serwin			if (result != ISC_R_SUCCESS)
254402Serwin				goto cleanup;
254402Serwin			element = cfg_list_next(element);
254402Serwin		}
254402Serwin	}
254402Serwin
254402Serwin	/*
135446Strhodes	 * Configure the zones.
135446Strhodes	 */
135446Strhodes	zonelist = NULL;
135446Strhodes	if (voptions != NULL)
135446Strhodes		(void)cfg_map_get(voptions, "zone", &zonelist);
135446Strhodes	else
135446Strhodes		(void)cfg_map_get(config, "zone", &zonelist);
225361Sdougb
225361Sdougb	/*
225361Sdougb	 * Load zone configuration
225361Sdougb	 */
135446Strhodes	for (element = cfg_list_first(zonelist);
135446Strhodes	     element != NULL;
135446Strhodes	     element = cfg_list_next(element))
135446Strhodes	{
165071Sdougb		const cfg_obj_t *zconfig = cfg_listelt_value(element);
135446Strhodes		CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
224092Sdougb				     actx, ISC_FALSE));
135446Strhodes	}
135446Strhodes
254402Serwin	for (rpz = ISC_LIST_HEAD(view->rpz_zones);
254402Serwin	     rpz != NULL;
254402Serwin	     rpz = ISC_LIST_NEXT(rpz, link))
254402Serwin	{
254402Serwin		if (!rpz->defined) {
254402Serwin			char namebuf[DNS_NAME_FORMATSIZE];
254402Serwin
254402Serwin			dns_name_format(&rpz->origin, namebuf, sizeof(namebuf));
254402Serwin			cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL,
254402Serwin				    "'%s' is not a master or slave zone",
254402Serwin				    namebuf);
254402Serwin			result = ISC_R_NOTFOUND;
254402Serwin			goto cleanup;
254402Serwin		}
254402Serwin	}
254402Serwin
224092Sdougb	/*
224092Sdougb	 * If we're allowing added zones, then load zone configuration
224092Sdougb	 * from the newzone file for zones that were added during previous
224092Sdougb	 * runs.
224092Sdougb	 */
225361Sdougb	nzctx = view->new_zone_config;
225361Sdougb	if (nzctx != NULL && nzctx->nzconfig != NULL) {
224092Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
224092Sdougb			      "loading additional zones for view '%s'",
224092Sdougb			      view->name);
224092Sdougb
225361Sdougb		zonelist = NULL;
225361Sdougb		cfg_map_get(nzctx->nzconfig, "zone", &zonelist);
225361Sdougb
225361Sdougb		for (element = cfg_list_first(zonelist);
225361Sdougb		     element != NULL;
225361Sdougb		     element = cfg_list_next(element))
225361Sdougb		{
225361Sdougb			const cfg_obj_t *zconfig = cfg_listelt_value(element);
225361Sdougb			CHECK(configure_zone(config, zconfig, vconfig,
225361Sdougb					     mctx, view, actx,
225361Sdougb					     ISC_TRUE));
224092Sdougb		}
224092Sdougb	}
224092Sdougb
135446Strhodes	/*
170222Sdougb	 * Create Dynamically Loadable Zone driver.
170222Sdougb	 */
170222Sdougb	dlz = NULL;
170222Sdougb	if (voptions != NULL)
170222Sdougb		(void)cfg_map_get(voptions, "dlz", &dlz);
170222Sdougb	else
170222Sdougb		(void)cfg_map_get(config, "dlz", &dlz);
170222Sdougb
170222Sdougb	obj = NULL;
170222Sdougb	if (dlz != NULL) {
170222Sdougb		(void)cfg_map_get(cfg_tuple_get(dlz, "options"),
170222Sdougb				  "database", &obj);
170222Sdougb		if (obj != NULL) {
170222Sdougb			char *s = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
170222Sdougb			if (s == NULL) {
170222Sdougb				result = ISC_R_NOMEMORY;
170222Sdougb				goto cleanup;
170222Sdougb			}
186462Sdougb
170222Sdougb			result = dns_dlzstrtoargv(mctx, s, &dlzargc, &dlzargv);
170222Sdougb			if (result != ISC_R_SUCCESS) {
170222Sdougb				isc_mem_free(mctx, s);
170222Sdougb				goto cleanup;
170222Sdougb			}
170222Sdougb
170222Sdougb			obj = cfg_tuple_get(dlz, "name");
170222Sdougb			result = dns_dlzcreate(mctx, cfg_obj_asstring(obj),
170222Sdougb					       dlzargv[0], dlzargc, dlzargv,
170222Sdougb					       &view->dlzdatabase);
170222Sdougb			isc_mem_free(mctx, s);
170222Sdougb			isc_mem_put(mctx, dlzargv, dlzargc * sizeof(*dlzargv));
170222Sdougb			if (result != ISC_R_SUCCESS)
170222Sdougb				goto cleanup;
224092Sdougb
224092Sdougb			/*
224092Sdougb			 * If the dlz backend supports configuration,
224092Sdougb			 * then call its configure method now.
224092Sdougb			 */
224092Sdougb			result = dns_dlzconfigure(view, dlzconfigure_callback);
224092Sdougb			if (result != ISC_R_SUCCESS)
224092Sdougb				goto cleanup;
170222Sdougb		}
170222Sdougb	}
170222Sdougb
170222Sdougb	/*
193149Sdougb	 * Obtain configuration parameters that affect the decision of whether
193149Sdougb	 * we can reuse/share an existing cache.
193149Sdougb	 */
224092Sdougb	obj = NULL;
224092Sdougb	result = ns_config_get(maps, "cleaning-interval", &obj);
224092Sdougb	INSIST(result == ISC_R_SUCCESS);
224092Sdougb	cleaning_interval = cfg_obj_asuint32(obj) * 60;
224092Sdougb
224092Sdougb	obj = NULL;
224092Sdougb	result = ns_config_get(maps, "max-cache-size", &obj);
224092Sdougb	INSIST(result == ISC_R_SUCCESS);
224092Sdougb	if (cfg_obj_isstring(obj)) {
224092Sdougb		str = cfg_obj_asstring(obj);
224092Sdougb		INSIST(strcasecmp(str, "unlimited") == 0);
224092Sdougb		max_cache_size = ISC_UINT32_MAX;
224092Sdougb	} else {
224092Sdougb		isc_resourcevalue_t value;
224092Sdougb		value = cfg_obj_asuint64(obj);
254897Serwin		if (value > SIZE_MAX) {
254897Serwin			cfg_obj_log(obj, ns_g_lctx,
254897Serwin				    ISC_LOG_WARNING,
224092Sdougb				    "'max-cache-size "
254897Serwin				    "%" ISC_PRINT_QUADFORMAT "u' "
254897Serwin				    "is too large for this "
254897Serwin				    "system; reducing to %lu",
254897Serwin				    value, (unsigned long)SIZE_MAX);
254897Serwin			value = SIZE_MAX;
224092Sdougb		}
254897Serwin		max_cache_size = (size_t) value;
224092Sdougb	}
224092Sdougb
193149Sdougb	/* Check-names. */
193149Sdougb	obj = NULL;
193149Sdougb	result = ns_checknames_get(maps, "response", &obj);
193149Sdougb	INSIST(result == ISC_R_SUCCESS);
193149Sdougb
193149Sdougb	str = cfg_obj_asstring(obj);
193149Sdougb	if (strcasecmp(str, "fail") == 0) {
193149Sdougb		resopts |= DNS_RESOLVER_CHECKNAMES |
193149Sdougb			DNS_RESOLVER_CHECKNAMESFAIL;
193149Sdougb		view->checknames = ISC_TRUE;
193149Sdougb	} else if (strcasecmp(str, "warn") == 0) {
193149Sdougb		resopts |= DNS_RESOLVER_CHECKNAMES;
193149Sdougb		view->checknames = ISC_FALSE;
193149Sdougb	} else if (strcasecmp(str, "ignore") == 0) {
193149Sdougb		view->checknames = ISC_FALSE;
193149Sdougb	} else
193149Sdougb		INSIST(0);
193149Sdougb
193149Sdougb	obj = NULL;
193149Sdougb	result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
193149Sdougb	INSIST(result == ISC_R_SUCCESS);
193149Sdougb	zero_no_soattl = cfg_obj_asboolean(obj);
193149Sdougb
193149Sdougb	obj = NULL;
224092Sdougb	result = ns_config_get(maps, "dns64", &obj);
224092Sdougb	if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") &&
224092Sdougb	    strcmp(view->name, "_meta")) {
224092Sdougb		const cfg_listelt_t *element;
224092Sdougb		isc_netaddr_t na, suffix, *sp;
224092Sdougb		unsigned int prefixlen;
224092Sdougb		const char *server, *contact;
224092Sdougb		const cfg_obj_t *myobj;
224092Sdougb
224092Sdougb		myobj = NULL;
224092Sdougb		result = ns_config_get(maps, "dns64-server", &myobj);
224092Sdougb		if (result == ISC_R_SUCCESS)
224092Sdougb			server = cfg_obj_asstring(myobj);
224092Sdougb		else
224092Sdougb			server = NULL;
224092Sdougb
224092Sdougb		myobj = NULL;
224092Sdougb		result = ns_config_get(maps, "dns64-contact", &myobj);
224092Sdougb		if (result == ISC_R_SUCCESS)
224092Sdougb			contact = cfg_obj_asstring(myobj);
224092Sdougb		else
224092Sdougb			contact = NULL;
224092Sdougb
224092Sdougb		for (element = cfg_list_first(obj);
224092Sdougb		     element != NULL;
224092Sdougb		     element = cfg_list_next(element))
224092Sdougb		{
224092Sdougb			const cfg_obj_t *map = cfg_listelt_value(element);
224092Sdougb			dns_dns64_t *dns64 = NULL;
224092Sdougb			unsigned int dns64options = 0;
224092Sdougb
224092Sdougb			cfg_obj_asnetprefix(cfg_map_getname(map), &na,
224092Sdougb					    &prefixlen);
224092Sdougb
224092Sdougb			obj = NULL;
224092Sdougb			(void)cfg_map_get(map, "suffix", &obj);
224092Sdougb			if (obj != NULL) {
224092Sdougb				sp = &suffix;
224092Sdougb				isc_netaddr_fromsockaddr(sp,
224092Sdougb						      cfg_obj_assockaddr(obj));
224092Sdougb			} else
224092Sdougb				sp = NULL;
224092Sdougb
224092Sdougb			clients = mapped = excluded = NULL;
224092Sdougb			obj = NULL;
224092Sdougb			(void)cfg_map_get(map, "clients", &obj);
224092Sdougb			if (obj != NULL) {
224092Sdougb				result = cfg_acl_fromconfig(obj, config,
224092Sdougb							    ns_g_lctx, actx,
224092Sdougb							    mctx, 0, &clients);
224092Sdougb				if (result != ISC_R_SUCCESS)
224092Sdougb					goto cleanup;
224092Sdougb			}
224092Sdougb			obj = NULL;
224092Sdougb			(void)cfg_map_get(map, "mapped", &obj);
224092Sdougb			if (obj != NULL) {
224092Sdougb				result = cfg_acl_fromconfig(obj, config,
224092Sdougb							    ns_g_lctx, actx,
224092Sdougb							    mctx, 0, &mapped);
224092Sdougb				if (result != ISC_R_SUCCESS)
224092Sdougb					goto cleanup;
224092Sdougb			}
224092Sdougb			obj = NULL;
224092Sdougb			(void)cfg_map_get(map, "exclude", &obj);
224092Sdougb			if (obj != NULL) {
224092Sdougb				result = cfg_acl_fromconfig(obj, config,
224092Sdougb							    ns_g_lctx, actx,
224092Sdougb							    mctx, 0, &excluded);
224092Sdougb				if (result != ISC_R_SUCCESS)
224092Sdougb					goto cleanup;
224092Sdougb			}
224092Sdougb
224092Sdougb			obj = NULL;
224092Sdougb			(void)cfg_map_get(map, "recursive-only", &obj);
224092Sdougb			if (obj != NULL && cfg_obj_asboolean(obj))
224092Sdougb				dns64options |= DNS_DNS64_RECURSIVE_ONLY;
224092Sdougb
224092Sdougb			obj = NULL;
224092Sdougb			(void)cfg_map_get(map, "break-dnssec", &obj);
224092Sdougb			if (obj != NULL && cfg_obj_asboolean(obj))
224092Sdougb				dns64options |= DNS_DNS64_BREAK_DNSSEC;
224092Sdougb
224092Sdougb			result = dns_dns64_create(mctx, &na, prefixlen, sp,
224092Sdougb						  clients, mapped, excluded,
224092Sdougb						  dns64options, &dns64);
224092Sdougb			if (result != ISC_R_SUCCESS)
224092Sdougb				goto cleanup;
224092Sdougb			dns_dns64_append(&view->dns64, dns64);
224092Sdougb			view->dns64cnt++;
224092Sdougb			result = dns64_reverse(view, mctx, &na, prefixlen,
224092Sdougb					       server, contact);
224092Sdougb			if (result != ISC_R_SUCCESS)
224092Sdougb				goto cleanup;
224092Sdougb			if (clients != NULL)
224092Sdougb				dns_acl_detach(&clients);
224092Sdougb			if (mapped != NULL)
224092Sdougb				dns_acl_detach(&mapped);
224092Sdougb			if (excluded != NULL)
224092Sdougb				dns_acl_detach(&excluded);
224092Sdougb		}
224092Sdougb	}
224092Sdougb
224092Sdougb	obj = NULL;
193149Sdougb	result = ns_config_get(maps, "dnssec-accept-expired", &obj);
193149Sdougb	INSIST(result == ISC_R_SUCCESS);
193149Sdougb	view->acceptexpired = cfg_obj_asboolean(obj);
193149Sdougb
193149Sdougb	obj = NULL;
193149Sdougb	result = ns_config_get(maps, "dnssec-validation", &obj);
193149Sdougb	INSIST(result == ISC_R_SUCCESS);
224092Sdougb	if (cfg_obj_isboolean(obj)) {
224092Sdougb		view->enablevalidation = cfg_obj_asboolean(obj);
224092Sdougb	} else {
224092Sdougb		/* If dnssec-validation is not boolean, it must be "auto" */
224092Sdougb		view->enablevalidation = ISC_TRUE;
224092Sdougb		auto_root = ISC_TRUE;
224092Sdougb	}
193149Sdougb
193149Sdougb	obj = NULL;
193149Sdougb	result = ns_config_get(maps, "max-cache-ttl", &obj);
193149Sdougb	INSIST(result == ISC_R_SUCCESS);
193149Sdougb	view->maxcachettl = cfg_obj_asuint32(obj);
193149Sdougb
193149Sdougb	obj = NULL;
193149Sdougb	result = ns_config_get(maps, "max-ncache-ttl", &obj);
193149Sdougb	INSIST(result == ISC_R_SUCCESS);
193149Sdougb	view->maxncachettl = cfg_obj_asuint32(obj);
193149Sdougb	if (view->maxncachettl > 7 * 24 * 3600)
193149Sdougb		view->maxncachettl = 7 * 24 * 3600;
193149Sdougb
193149Sdougb	/*
224092Sdougb	 * Configure the view's cache.
135446Strhodes	 *
224092Sdougb	 * First, check to see if there are any attach-cache options.  If yes,
224092Sdougb	 * attempt to lookup an existing cache at attach it to the view.  If
224092Sdougb	 * there is not one, then try to reuse an existing cache if possible;
224092Sdougb	 * otherwise create a new cache.
224092Sdougb	 *
224092Sdougb	 * Note that the ADB is not preserved or shared in either case.
224092Sdougb	 *
224092Sdougb	 * When a matching view is found, the associated statistics are also
224092Sdougb	 * retrieved and reused.
224092Sdougb	 *
224092Sdougb	 * XXX Determining when it is safe to reuse or share a cache is tricky.
193149Sdougb	 * When the view's configuration changes, the cached data may become
193149Sdougb	 * invalid because it reflects our old view of the world.  We check
224092Sdougb	 * some of the configuration parameters that could invalidate the cache
224092Sdougb	 * or otherwise make it unsharable, but there are other configuration
224092Sdougb	 * options that should be checked.  For example, if a view uses a
224092Sdougb	 * forwarder, changes in the forwarder configuration may invalidate
224092Sdougb	 * the cache.  At the moment, it's the administrator's responsibility to
224092Sdougb	 * ensure these configuration options don't invalidate reusing/sharing.
135446Strhodes	 */
224092Sdougb	obj = NULL;
224092Sdougb	result = ns_config_get(maps, "attach-cache", &obj);
224092Sdougb	if (result == ISC_R_SUCCESS)
224092Sdougb		cachename = cfg_obj_asstring(obj);
224092Sdougb	else
224092Sdougb		cachename = view->name;
224092Sdougb	cache = NULL;
224092Sdougb	nsc = cachelist_find(cachelist, cachename);
224092Sdougb	if (nsc != NULL) {
224092Sdougb		if (!cache_sharable(nsc->primaryview, view, zero_no_soattl,
224092Sdougb				    cleaning_interval, max_cache_size)) {
193149Sdougb			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
224092Sdougb				      "views %s and %s can't share the cache "
193149Sdougb				      "due to configuration parameter mismatch",
224092Sdougb				      nsc->primaryview->name, view->name);
224092Sdougb			result = ISC_R_FAILURE;
224092Sdougb			goto cleanup;
193149Sdougb		}
224092Sdougb		dns_cache_attach(nsc->cache, &cache);
224092Sdougb		shared_cache = ISC_TRUE;
224092Sdougb	} else {
224092Sdougb		if (strcmp(cachename, view->name) == 0) {
224092Sdougb			result = dns_viewlist_find(&ns_g_server->viewlist,
224092Sdougb						   cachename, view->rdclass,
224092Sdougb						   &pview);
224092Sdougb			if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
224092Sdougb				goto cleanup;
224092Sdougb			if (pview != NULL) {
224092Sdougb				if (!cache_reusable(pview, view,
224092Sdougb						    zero_no_soattl)) {
224092Sdougb					isc_log_write(ns_g_lctx,
224092Sdougb						      NS_LOGCATEGORY_GENERAL,
224092Sdougb						      NS_LOGMODULE_SERVER,
224092Sdougb						      ISC_LOG_DEBUG(1),
224092Sdougb						      "cache cannot be reused "
224092Sdougb						      "for view %s due to "
224092Sdougb						      "configuration parameter "
224092Sdougb						      "mismatch", view->name);
224092Sdougb				} else {
224092Sdougb					INSIST(pview->cache != NULL);
224092Sdougb					isc_log_write(ns_g_lctx,
224092Sdougb						      NS_LOGCATEGORY_GENERAL,
224092Sdougb						      NS_LOGMODULE_SERVER,
224092Sdougb						      ISC_LOG_DEBUG(3),
224092Sdougb						      "reusing existing cache");
224092Sdougb					reused_cache = ISC_TRUE;
224092Sdougb					dns_cache_attach(pview->cache, &cache);
224092Sdougb				}
224092Sdougb				dns_view_getresstats(pview, &resstats);
224092Sdougb				dns_view_getresquerystats(pview,
224092Sdougb							  &resquerystats);
224092Sdougb				dns_view_detach(&pview);
224092Sdougb			}
224092Sdougb		}
224092Sdougb		if (cache == NULL) {
224092Sdougb			/*
224092Sdougb			 * Create a cache with the desired name.  This normally
224092Sdougb			 * equals the view name, but may also be a forward
224092Sdougb			 * reference to a view that share the cache with this
224092Sdougb			 * view but is not yet configured.  If it is not the
224092Sdougb			 * view name but not a forward reference either, then it
224092Sdougb			 * is simply a named cache that is not shared.
225361Sdougb			 *
225361Sdougb			 * We use two separate memory contexts for the
225361Sdougb			 * cache, for the main cache memory and the heap
225361Sdougb			 * memory.
224092Sdougb			 */
224092Sdougb			CHECK(isc_mem_create(0, 0, &cmctx));
224092Sdougb			isc_mem_setname(cmctx, "cache", NULL);
225361Sdougb			CHECK(isc_mem_create(0, 0, &hmctx));
225361Sdougb			isc_mem_setname(hmctx, "cache_heap", NULL);
225361Sdougb			CHECK(dns_cache_create3(cmctx, hmctx, ns_g_taskmgr,
224092Sdougb						ns_g_timermgr, view->rdclass,
224092Sdougb						cachename, "rbt", 0, NULL,
224092Sdougb						&cache));
225361Sdougb			isc_mem_detach(&cmctx);
225361Sdougb			isc_mem_detach(&hmctx);
224092Sdougb		}
224092Sdougb		nsc = isc_mem_get(mctx, sizeof(*nsc));
224092Sdougb		if (nsc == NULL) {
224092Sdougb			result = ISC_R_NOMEMORY;
224092Sdougb			goto cleanup;
224092Sdougb		}
224092Sdougb		nsc->cache = NULL;
224092Sdougb		dns_cache_attach(cache, &nsc->cache);
224092Sdougb		nsc->primaryview = view;
224092Sdougb		nsc->needflush = ISC_FALSE;
224092Sdougb		nsc->adbsizeadjusted = ISC_FALSE;
224092Sdougb		ISC_LINK_INIT(nsc, link);
224092Sdougb		ISC_LIST_APPEND(*cachelist, nsc, link);
193149Sdougb	}
224092Sdougb	dns_view_setcache2(view, cache, shared_cache);
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * cache-file cannot be inherited if views are present, but this
135446Strhodes	 * should be caught by the configuration checking stage.
135446Strhodes	 */
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "cache-file", &obj);
135446Strhodes	if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
135446Strhodes		CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
224092Sdougb		if (!reused_cache && !shared_cache)
135446Strhodes			CHECK(dns_cache_load(cache));
135446Strhodes	}
135446Strhodes
224092Sdougb	dns_cache_setcleaninginterval(cache, cleaning_interval);
135446Strhodes	dns_cache_setcachesize(cache, max_cache_size);
135446Strhodes
135446Strhodes	dns_cache_detach(&cache);
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Resolver.
135446Strhodes	 *
135446Strhodes	 * XXXRTH  Hardwired number of tasks.
135446Strhodes	 */
186462Sdougb	CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4,
186462Sdougb					    ISC_TF(ISC_LIST_PREV(view, link)
186462Sdougb						   == NULL)));
186462Sdougb	CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6,
186462Sdougb					    ISC_TF(ISC_LIST_PREV(view, link)
186462Sdougb						   == NULL)));
135446Strhodes	if (dispatch4 == NULL && dispatch6 == NULL) {
135446Strhodes		UNEXPECTED_ERROR(__FILE__, __LINE__,
135446Strhodes				 "unable to obtain neither an IPv4 nor"
135446Strhodes				 " an IPv6 dispatch");
135446Strhodes		result = ISC_R_UNEXPECTED;
135446Strhodes		goto cleanup;
135446Strhodes	}
254897Serwin
254897Serwin	ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);
254897Serwin	CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31, ndisp,
135446Strhodes				      ns_g_socketmgr, ns_g_timermgr,
193149Sdougb				      resopts, ns_g_dispatchmgr,
135446Strhodes				      dispatch4, dispatch6));
135446Strhodes
193149Sdougb	if (resstats == NULL) {
193149Sdougb		CHECK(isc_stats_create(mctx, &resstats,
193149Sdougb				       dns_resstatscounter_max));
193149Sdougb	}
193149Sdougb	dns_view_setresstats(view, resstats);
193149Sdougb	if (resquerystats == NULL)
193149Sdougb		CHECK(dns_rdatatypestats_create(mctx, &resquerystats));
193149Sdougb	dns_view_setresquerystats(view, resquerystats);
193149Sdougb
135446Strhodes	/*
224092Sdougb	 * Set the ADB cache size to 1/8th of the max-cache-size or
224092Sdougb	 * MAX_ADB_SIZE_FOR_CACHESHARE when the cache is shared.
135446Strhodes	 */
135446Strhodes	max_adb_size = 0;
254402Serwin	if (max_cache_size != 0U) {
135446Strhodes		max_adb_size = max_cache_size / 8;
254402Serwin		if (max_adb_size == 0U)
135446Strhodes			max_adb_size = 1;	/* Force minimum. */
224092Sdougb		if (view != nsc->primaryview &&
224092Sdougb		    max_adb_size > MAX_ADB_SIZE_FOR_CACHESHARE) {
224092Sdougb			max_adb_size = MAX_ADB_SIZE_FOR_CACHESHARE;
224092Sdougb			if (!nsc->adbsizeadjusted) {
224092Sdougb				dns_adb_setadbsize(nsc->primaryview->adb,
224092Sdougb						   MAX_ADB_SIZE_FOR_CACHESHARE);
224092Sdougb				nsc->adbsizeadjusted = ISC_TRUE;
224092Sdougb			}
224092Sdougb		}
135446Strhodes	}
135446Strhodes	dns_adb_setadbsize(view->adb, max_adb_size);
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Set resolver's lame-ttl.
135446Strhodes	 */
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "lame-ttl", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	lame_ttl = cfg_obj_asuint32(obj);
135446Strhodes	if (lame_ttl > 1800)
135446Strhodes		lame_ttl = 1800;
135446Strhodes	dns_resolver_setlamettl(view->resolver, lame_ttl);
170222Sdougb
135446Strhodes	/*
224092Sdougb	 * Set the resolver's query timeout.
224092Sdougb	 */
224092Sdougb	obj = NULL;
224092Sdougb	result = ns_config_get(maps, "resolver-query-timeout", &obj);
224092Sdougb	INSIST(result == ISC_R_SUCCESS);
224092Sdougb	query_timeout = cfg_obj_asuint32(obj);
224092Sdougb	dns_resolver_settimeout(view->resolver, query_timeout);
224092Sdougb
224092Sdougb	/* Specify whether to use 0-TTL for negative response for SOA query */
224092Sdougb	dns_resolver_setzeronosoattl(view->resolver, zero_no_soattl);
224092Sdougb
224092Sdougb	/*
135446Strhodes	 * Set the resolver's EDNS UDP size.
135446Strhodes	 */
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "edns-udp-size", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	udpsize = cfg_obj_asuint32(obj);
135446Strhodes	if (udpsize < 512)
135446Strhodes		udpsize = 512;
135446Strhodes	if (udpsize > 4096)
135446Strhodes		udpsize = 4096;
135446Strhodes	dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize);
186462Sdougb
135446Strhodes	/*
170222Sdougb	 * Set the maximum UDP response size.
170222Sdougb	 */
170222Sdougb	obj = NULL;
170222Sdougb	result = ns_config_get(maps, "max-udp-size", &obj);
170222Sdougb	INSIST(result == ISC_R_SUCCESS);
170222Sdougb	udpsize = cfg_obj_asuint32(obj);
170222Sdougb	if (udpsize < 512)
170222Sdougb		udpsize = 512;
170222Sdougb	if (udpsize > 4096)
170222Sdougb		udpsize = 4096;
170222Sdougb	view->maxudp = udpsize;
170222Sdougb
170222Sdougb	/*
254897Serwin	 * Set the maximum rsa exponent bits.
254897Serwin	 */
254897Serwin	obj = NULL;
254897Serwin	result = ns_config_get(maps, "max-rsa-exponent-size", &obj);
254897Serwin	INSIST(result == ISC_R_SUCCESS);
254897Serwin	maxbits = cfg_obj_asuint32(obj);
254897Serwin	if (maxbits != 0 && maxbits < 35)
254897Serwin		maxbits = 35;
254897Serwin	if (maxbits > 4096)
254897Serwin		maxbits = 4096;
254897Serwin	view->maxbits = maxbits;
254897Serwin
254897Serwin	/*
135446Strhodes	 * Set supported DNSSEC algorithms.
135446Strhodes	 */
135446Strhodes	dns_resolver_reset_algorithms(view->resolver);
135446Strhodes	disabled = NULL;
135446Strhodes	(void)ns_config_get(maps, "disable-algorithms", &disabled);
135446Strhodes	if (disabled != NULL) {
135446Strhodes		for (element = cfg_list_first(disabled);
135446Strhodes		     element != NULL;
135446Strhodes		     element = cfg_list_next(element))
135446Strhodes			CHECK(disable_algorithms(cfg_listelt_value(element),
135446Strhodes						 view->resolver));
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * A global or view "forwarders" option, if present,
135446Strhodes	 * creates an entry for "." in the forwarding table.
135446Strhodes	 */
135446Strhodes	forwardtype = NULL;
135446Strhodes	forwarders = NULL;
135446Strhodes	(void)ns_config_get(maps, "forward", &forwardtype);
135446Strhodes	(void)ns_config_get(maps, "forwarders", &forwarders);
135446Strhodes	if (forwarders != NULL)
186462Sdougb		CHECK(configure_forward(config, view, dns_rootname,
135446Strhodes					forwarders, forwardtype));
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Dual Stack Servers.
135446Strhodes	 */
135446Strhodes	alternates = NULL;
135446Strhodes	(void)ns_config_get(maps, "dual-stack-servers", &alternates);
135446Strhodes	if (alternates != NULL)
135446Strhodes		CHECK(configure_alternates(config, view, alternates));
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * We have default hints for class IN if we need them.
135446Strhodes	 */
135446Strhodes	if (view->rdclass == dns_rdataclass_in && view->hints == NULL)
135446Strhodes		dns_view_sethints(view, ns_g_server->in_roothints);
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * If we still have no hints, this is a non-IN view with no
135446Strhodes	 * "hints zone" configured.  Issue a warning, except if this
186462Sdougb	 * is a root server.  Root servers never need to consult
135446Strhodes	 * their hints, so it's no point requiring users to configure
135446Strhodes	 * them.
135446Strhodes	 */
135446Strhodes	if (view->hints == NULL) {
135446Strhodes		dns_zone_t *rootzone = NULL;
135446Strhodes		(void)dns_view_findzone(view, dns_rootname, &rootzone);
135446Strhodes		if (rootzone != NULL) {
135446Strhodes			dns_zone_detach(&rootzone);
135446Strhodes			need_hints = ISC_FALSE;
135446Strhodes		}
135446Strhodes		if (need_hints)
135446Strhodes			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
135446Strhodes				      "no root hints for view '%s'",
135446Strhodes				      view->name);
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Configure the view's TSIG keys.
135446Strhodes	 */
135446Strhodes	CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
224092Sdougb	if (ns_g_server->sessionkey != NULL) {
224092Sdougb		CHECK(dns_tsigkeyring_add(ring, ns_g_server->session_keyname,
224092Sdougb					  ns_g_server->sessionkey));
224092Sdougb	}
135446Strhodes	dns_view_setkeyring(view, ring);
224092Sdougb	dns_tsigkeyring_detach(&ring);
135446Strhodes
135446Strhodes	/*
224092Sdougb	 * See if we can re-use a dynamic key ring.
224092Sdougb	 */
224092Sdougb	result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
224092Sdougb				   view->rdclass, &pview);
224092Sdougb	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
224092Sdougb		goto cleanup;
224092Sdougb	if (pview != NULL) {
224092Sdougb		dns_view_getdynamickeyring(pview, &ring);
224092Sdougb		if (ring != NULL)
224092Sdougb			dns_view_setdynamickeyring(view, ring);
224092Sdougb		dns_tsigkeyring_detach(&ring);
224092Sdougb		dns_view_detach(&pview);
224092Sdougb	} else
224092Sdougb		dns_view_restorekeyring(view);
224092Sdougb
224092Sdougb	/*
135446Strhodes	 * Configure the view's peer list.
135446Strhodes	 */
135446Strhodes	{
165071Sdougb		const cfg_obj_t *peers = NULL;
165071Sdougb		const cfg_listelt_t *element;
135446Strhodes		dns_peerlist_t *newpeers = NULL;
135446Strhodes
135446Strhodes		(void)ns_config_get(cfgmaps, "server", &peers);
135446Strhodes		CHECK(dns_peerlist_new(mctx, &newpeers));
135446Strhodes		for (element = cfg_list_first(peers);
135446Strhodes		     element != NULL;
135446Strhodes		     element = cfg_list_next(element))
135446Strhodes		{
165071Sdougb			const cfg_obj_t *cpeer = cfg_listelt_value(element);
135446Strhodes			dns_peer_t *peer;
135446Strhodes
135446Strhodes			CHECK(configure_peer(cpeer, mctx, &peer));
135446Strhodes			dns_peerlist_addpeer(newpeers, peer);
135446Strhodes			dns_peer_detach(&peer);
135446Strhodes		}
135446Strhodes		dns_peerlist_detach(&view->peers);
135446Strhodes		view->peers = newpeers; /* Transfer ownership. */
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 *	Configure the views rrset-order.
135446Strhodes	 */
135446Strhodes	{
165071Sdougb		const cfg_obj_t *rrsetorder = NULL;
165071Sdougb		const cfg_listelt_t *element;
135446Strhodes
135446Strhodes		(void)ns_config_get(maps, "rrset-order", &rrsetorder);
135446Strhodes		CHECK(dns_order_create(mctx, &order));
135446Strhodes		for (element = cfg_list_first(rrsetorder);
135446Strhodes		     element != NULL;
135446Strhodes		     element = cfg_list_next(element))
135446Strhodes		{
165071Sdougb			const cfg_obj_t *ent = cfg_listelt_value(element);
135446Strhodes
135446Strhodes			CHECK(configure_order(order, ent));
135446Strhodes		}
135446Strhodes		if (view->order != NULL)
135446Strhodes			dns_order_detach(&view->order);
135446Strhodes		dns_order_attach(order, &view->order);
135446Strhodes		dns_order_detach(&order);
135446Strhodes	}
135446Strhodes	/*
135446Strhodes	 * Copy the aclenv object.
135446Strhodes	 */
135446Strhodes	dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Configure the "match-clients" and "match-destinations" ACL.
135446Strhodes	 */
224092Sdougb	CHECK(configure_view_acl(vconfig, config, "match-clients", NULL, actx,
135446Strhodes				 ns_g_mctx, &view->matchclients));
224092Sdougb	CHECK(configure_view_acl(vconfig, config, "match-destinations", NULL,
224092Sdougb				 actx, ns_g_mctx, &view->matchdestinations));
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Configure the "match-recursive-only" option.
135446Strhodes	 */
135446Strhodes	obj = NULL;
165071Sdougb	(void)ns_config_get(maps, "match-recursive-only", &obj);
135446Strhodes	if (obj != NULL && cfg_obj_asboolean(obj))
135446Strhodes		view->matchrecursiveonly = ISC_TRUE;
135446Strhodes	else
135446Strhodes		view->matchrecursiveonly = ISC_FALSE;
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Configure other configurable data.
135446Strhodes	 */
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "recursion", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	view->recursion = cfg_obj_asboolean(obj);
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "auth-nxdomain", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	view->auth_nxdomain = cfg_obj_asboolean(obj);
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "minimal-responses", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	view->minimalresponses = cfg_obj_asboolean(obj);
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "transfer-format", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	str = cfg_obj_asstring(obj);
135446Strhodes	if (strcasecmp(str, "many-answers") == 0)
135446Strhodes		view->transfer_format = dns_many_answers;
135446Strhodes	else if (strcasecmp(str, "one-answer") == 0)
135446Strhodes		view->transfer_format = dns_one_answer;
135446Strhodes	else
135446Strhodes		INSIST(0);
186462Sdougb
135446Strhodes	/*
135446Strhodes	 * Set sources where additional data and CNAME/DNAME
135446Strhodes	 * targets for authoritative answers may be found.
135446Strhodes	 */
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "additional-from-auth", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	view->additionalfromauth = cfg_obj_asboolean(obj);
135446Strhodes	if (view->recursion && ! view->additionalfromauth) {
135446Strhodes		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
135446Strhodes			    "'additional-from-auth no' is only supported "
135446Strhodes			    "with 'recursion no'");
135446Strhodes		view->additionalfromauth = ISC_TRUE;
135446Strhodes	}
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "additional-from-cache", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	view->additionalfromcache = cfg_obj_asboolean(obj);
135446Strhodes	if (view->recursion && ! view->additionalfromcache) {
135446Strhodes		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
135446Strhodes			    "'additional-from-cache no' is only supported "
135446Strhodes			    "with 'recursion no'");
135446Strhodes		view->additionalfromcache = ISC_TRUE;
135446Strhodes	}
135446Strhodes
171577Sdougb	/*
193149Sdougb	 * Set "allow-query-cache", "allow-query-cache-on",
193149Sdougb	 * "allow-recursion", and "allow-recursion-on" acls if
171577Sdougb	 * configured in named.conf.
171577Sdougb	 */
224092Sdougb	CHECK(configure_view_acl(vconfig, config, "allow-query-cache", NULL,
216175Sdougb				 actx, ns_g_mctx, &view->cacheacl));
224092Sdougb	CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on", NULL,
216175Sdougb				 actx, ns_g_mctx, &view->cacheonacl));
216175Sdougb	if (view->cacheonacl == NULL)
193149Sdougb		CHECK(configure_view_acl(NULL, ns_g_config,
224092Sdougb					 "allow-query-cache-on", NULL, actx,
216175Sdougb					 ns_g_mctx, &view->cacheonacl));
193149Sdougb	if (strcmp(view->name, "_bind") != 0) {
135446Strhodes		CHECK(configure_view_acl(vconfig, config, "allow-recursion",
224092Sdougb					 NULL, actx, ns_g_mctx,
193149Sdougb					 &view->recursionacl));
193149Sdougb		CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
224092Sdougb					 NULL, actx, ns_g_mctx,
193149Sdougb					 &view->recursiononacl));
193149Sdougb	}
135446Strhodes
135446Strhodes	/*
171577Sdougb	 * "allow-query-cache" inherits from "allow-recursion" if set,
171577Sdougb	 * otherwise from "allow-query" if set.
171577Sdougb	 * "allow-recursion" inherits from "allow-query-cache" if set,
171577Sdougb	 * otherwise from "allow-query" if set.
170222Sdougb	 */
216175Sdougb	if (view->cacheacl == NULL && view->recursionacl != NULL)
216175Sdougb		dns_acl_attach(view->recursionacl, &view->cacheacl);
224092Sdougb	/*
224092Sdougb	 * XXXEACH: This call to configure_view_acl() is redundant.  We
224092Sdougb	 * are leaving it as it is because we are making a minimal change
224092Sdougb	 * for a patch release.  In the future this should be changed to
224092Sdougb	 * dns_acl_attach(view->queryacl, &view->cacheacl).
224092Sdougb	 */
216175Sdougb	if (view->cacheacl == NULL && view->recursion)
224092Sdougb		CHECK(configure_view_acl(vconfig, config, "allow-query", NULL,
216175Sdougb					 actx, ns_g_mctx, &view->cacheacl));
193149Sdougb	if (view->recursion &&
216175Sdougb	    view->recursionacl == NULL && view->cacheacl != NULL)
216175Sdougb		dns_acl_attach(view->cacheacl, &view->recursionacl);
171577Sdougb
171577Sdougb	/*
193149Sdougb	 * Set default "allow-recursion", "allow-recursion-on" and
193149Sdougb	 * "allow-query-cache" acls.
171577Sdougb	 */
170222Sdougb	if (view->recursionacl == NULL && view->recursion)
171577Sdougb		CHECK(configure_view_acl(NULL, ns_g_config,
224092Sdougb					 "allow-recursion", NULL,
193149Sdougb					 actx, ns_g_mctx,
193149Sdougb					 &view->recursionacl));
193149Sdougb	if (view->recursiononacl == NULL && view->recursion)
193149Sdougb		CHECK(configure_view_acl(NULL, ns_g_config,
224092Sdougb					 "allow-recursion-on", NULL,
193149Sdougb					 actx, ns_g_mctx,
193149Sdougb					 &view->recursiononacl));
216175Sdougb	if (view->cacheacl == NULL) {
193149Sdougb		if (view->recursion)
193149Sdougb			CHECK(configure_view_acl(NULL, ns_g_config,
224092Sdougb						 "allow-query-cache", NULL,
224092Sdougb						 actx, ns_g_mctx,
224092Sdougb						 &view->cacheacl));
216175Sdougb		else
224092Sdougb			CHECK(dns_acl_none(mctx, &view->cacheacl));
193149Sdougb	}
170222Sdougb
193149Sdougb	/*
224092Sdougb	 * Filter setting on addresses in the answer section.
224092Sdougb	 */
224092Sdougb	CHECK(configure_view_acl(vconfig, config, "deny-answer-addresses",
224092Sdougb				 "acl", actx, ns_g_mctx, &view->denyansweracl));
224092Sdougb	CHECK(configure_view_nametable(vconfig, config, "deny-answer-addresses",
224092Sdougb				       "except-from", ns_g_mctx,
224092Sdougb				       &view->answeracl_exclude));
224092Sdougb
224092Sdougb	/*
224092Sdougb	 * Filter setting on names (CNAME/DNAME targets) in the answer section.
224092Sdougb	 */
224092Sdougb	CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
224092Sdougb				       "name", ns_g_mctx,
224092Sdougb				       &view->denyanswernames));
224092Sdougb	CHECK(configure_view_nametable(vconfig, config, "deny-answer-aliases",
224092Sdougb				       "except-from", ns_g_mctx,
224092Sdougb				       &view->answernames_exclude));
224092Sdougb
224092Sdougb	/*
193149Sdougb	 * Configure sortlist, if set
193149Sdougb	 */
193149Sdougb	CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
193149Sdougb				      &view->sortlist));
135446Strhodes
193149Sdougb	/*
193149Sdougb	 * Configure default allow-transfer, allow-notify, allow-update
193149Sdougb	 * and allow-update-forwarding ACLs, if set, so they can be
193149Sdougb	 * inherited by zones.
193149Sdougb	 */
193149Sdougb	if (view->notifyacl == NULL)
193149Sdougb		CHECK(configure_view_acl(NULL, ns_g_config,
224092Sdougb					 "allow-notify", NULL, actx,
193149Sdougb					 ns_g_mctx, &view->notifyacl));
193149Sdougb	if (view->transferacl == NULL)
193149Sdougb		CHECK(configure_view_acl(NULL, ns_g_config,
224092Sdougb					 "allow-transfer", NULL, actx,
193149Sdougb					 ns_g_mctx, &view->transferacl));
193149Sdougb	if (view->updateacl == NULL)
193149Sdougb		CHECK(configure_view_acl(NULL, ns_g_config,
224092Sdougb					 "allow-update", NULL, actx,
193149Sdougb					 ns_g_mctx, &view->updateacl));
193149Sdougb	if (view->upfwdacl == NULL)
193149Sdougb		CHECK(configure_view_acl(NULL, ns_g_config,
224092Sdougb					 "allow-update-forwarding", NULL, actx,
193149Sdougb					 ns_g_mctx, &view->upfwdacl));
193149Sdougb
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "provide-ixfr", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	view->provideixfr = cfg_obj_asboolean(obj);
170222Sdougb
170222Sdougb	obj = NULL;
193149Sdougb	result = ns_config_get(maps, "request-nsid", &obj);
193149Sdougb	INSIST(result == ISC_R_SUCCESS);
193149Sdougb	view->requestnsid = cfg_obj_asboolean(obj);
193149Sdougb
193149Sdougb	obj = NULL;
170222Sdougb	result = ns_config_get(maps, "max-clients-per-query", &obj);
170222Sdougb	INSIST(result == ISC_R_SUCCESS);
170222Sdougb	max_clients_per_query = cfg_obj_asuint32(obj);
170222Sdougb
170222Sdougb	obj = NULL;
170222Sdougb	result = ns_config_get(maps, "clients-per-query", &obj);
170222Sdougb	INSIST(result == ISC_R_SUCCESS);
170222Sdougb	dns_resolver_setclientsperquery(view->resolver,
170222Sdougb					cfg_obj_asuint32(obj),
170222Sdougb					max_clients_per_query);
186462Sdougb
224092Sdougb#ifdef ALLOW_FILTER_AAAA_ON_V4
135446Strhodes	obj = NULL;
224092Sdougb	result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
224092Sdougb	INSIST(result == ISC_R_SUCCESS);
224092Sdougb	if (cfg_obj_isboolean(obj)) {
224092Sdougb		if (cfg_obj_asboolean(obj))
224092Sdougb			view->v4_aaaa = dns_v4_aaaa_filter;
224092Sdougb		else
224092Sdougb			view->v4_aaaa = dns_v4_aaaa_ok;
224092Sdougb	} else {
224092Sdougb		const char *v4_aaaastr = cfg_obj_asstring(obj);
224092Sdougb		if (strcasecmp(v4_aaaastr, "break-dnssec") == 0)
224092Sdougb			view->v4_aaaa = dns_v4_aaaa_break_dnssec;
224092Sdougb		else
224092Sdougb			INSIST(0);
224092Sdougb	}
224092Sdougb	CHECK(configure_view_acl(vconfig, config, "filter-aaaa", NULL,
224092Sdougb				 actx, ns_g_mctx, &view->v4_aaaa_acl));
224092Sdougb#endif
224092Sdougb
224092Sdougb	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "dnssec-enable", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	view->enablednssec = cfg_obj_asboolean(obj);
135446Strhodes
135446Strhodes	obj = NULL;
224092Sdougb	result = ns_config_get(optionmaps, "dnssec-lookaside", &obj);
135446Strhodes	if (result == ISC_R_SUCCESS) {
224092Sdougb		/* If set to "auto", use the version from the defaults */
224092Sdougb		const cfg_obj_t *dlvobj;
234010Sdougb		const char *dom;
224092Sdougb		dlvobj = cfg_listelt_value(cfg_list_first(obj));
234010Sdougb		dom = cfg_obj_asstring(cfg_tuple_get(dlvobj, "domain"));
234010Sdougb		if (cfg_obj_isvoid(cfg_tuple_get(dlvobj, "trust-anchor"))) {
234010Sdougb			/* If "no", skip; if "auto", use global default */
234010Sdougb			if (!strcasecmp(dom, "no"))
234010Sdougb				result = ISC_R_NOTFOUND;
234010Sdougb			else if (!strcasecmp(dom, "auto")) {
234010Sdougb				auto_dlv = ISC_TRUE;
234010Sdougb				obj = NULL;
234010Sdougb				result = cfg_map_get(ns_g_defaults,
234010Sdougb						     "dnssec-lookaside", &obj);
234010Sdougb			}
224092Sdougb		}
224092Sdougb	}
224092Sdougb
224092Sdougb	if (result == ISC_R_SUCCESS) {
135446Strhodes		for (element = cfg_list_first(obj);
135446Strhodes		     element != NULL;
135446Strhodes		     element = cfg_list_next(element))
135446Strhodes		{
135446Strhodes			const char *str;
135446Strhodes			isc_buffer_t b;
135446Strhodes			dns_name_t *dlv;
135446Strhodes
135446Strhodes			obj = cfg_listelt_value(element);
135446Strhodes			str = cfg_obj_asstring(cfg_tuple_get(obj,
135446Strhodes							     "trust-anchor"));
254402Serwin			isc_buffer_constinit(&b, str, strlen(str));
135446Strhodes			isc_buffer_add(&b, strlen(str));
135446Strhodes			dlv = dns_fixedname_name(&view->dlv_fixed);
135446Strhodes			CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
224092Sdougb						DNS_NAME_DOWNCASE, NULL));
135446Strhodes			view->dlv = dns_fixedname_name(&view->dlv_fixed);
135446Strhodes		}
135446Strhodes	} else
135446Strhodes		view->dlv = NULL;
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * For now, there is only one kind of trusted keys, the
135446Strhodes	 * "security roots".
135446Strhodes	 */
224092Sdougb	CHECK(configure_view_dnsseckeys(view, vconfig, config, bindkeys,
224092Sdougb					auto_dlv, auto_root, mctx));
170222Sdougb	dns_resolver_resetmustbesecure(view->resolver);
170222Sdougb	obj = NULL;
170222Sdougb	result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
170222Sdougb	if (result == ISC_R_SUCCESS)
170222Sdougb		CHECK(mustbesecure(obj, view->resolver));
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "preferred-glue", &obj);
135446Strhodes	if (result == ISC_R_SUCCESS) {
135446Strhodes		str = cfg_obj_asstring(obj);
135446Strhodes		if (strcasecmp(str, "a") == 0)
135446Strhodes			view->preferred_glue = dns_rdatatype_a;
135446Strhodes		else if (strcasecmp(str, "aaaa") == 0)
135446Strhodes			view->preferred_glue = dns_rdatatype_aaaa;
135446Strhodes		else
135446Strhodes			view->preferred_glue = 0;
135446Strhodes	} else
135446Strhodes		view->preferred_glue = 0;
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "root-delegation-only", &obj);
135446Strhodes	if (result == ISC_R_SUCCESS) {
135446Strhodes		dns_view_setrootdelonly(view, ISC_TRUE);
135446Strhodes		if (!cfg_obj_isvoid(obj)) {
135446Strhodes			dns_fixedname_t fixed;
135446Strhodes			dns_name_t *name;
135446Strhodes			isc_buffer_t b;
165071Sdougb			const char *str;
165071Sdougb			const cfg_obj_t *exclude;
135446Strhodes
135446Strhodes			dns_fixedname_init(&fixed);
135446Strhodes			name = dns_fixedname_name(&fixed);
135446Strhodes			for (element = cfg_list_first(obj);
135446Strhodes			     element != NULL;
135446Strhodes			     element = cfg_list_next(element)) {
135446Strhodes				exclude = cfg_listelt_value(element);
135446Strhodes				str = cfg_obj_asstring(exclude);
254402Serwin				isc_buffer_constinit(&b, str, strlen(str));
135446Strhodes				isc_buffer_add(&b, strlen(str));
135446Strhodes				CHECK(dns_name_fromtext(name, &b, dns_rootname,
224092Sdougb							0, NULL));
135446Strhodes				CHECK(dns_view_excludedelegationonly(view,
135446Strhodes								     name));
135446Strhodes			}
135446Strhodes		}
135446Strhodes	} else
135446Strhodes		dns_view_setrootdelonly(view, ISC_FALSE);
135446Strhodes
170222Sdougb	/*
170222Sdougb	 * Setup automatic empty zones.  If recursion is off then
170222Sdougb	 * they are disabled by default.
170222Sdougb	 */
170222Sdougb	obj = NULL;
170222Sdougb	(void)ns_config_get(maps, "empty-zones-enable", &obj);
170222Sdougb	(void)ns_config_get(maps, "disable-empty-zone", &disablelist);
170222Sdougb	if (obj == NULL && disablelist == NULL &&
170222Sdougb	    view->rdclass == dns_rdataclass_in) {
170222Sdougb		empty_zones_enable = view->recursion;
170222Sdougb	} else if (view->rdclass == dns_rdataclass_in) {
170222Sdougb		if (obj != NULL)
170222Sdougb			empty_zones_enable = cfg_obj_asboolean(obj);
170222Sdougb		else
170222Sdougb			empty_zones_enable = view->recursion;
170222Sdougb	} else {
170222Sdougb		empty_zones_enable = ISC_FALSE;
170222Sdougb	}
234010Sdougb	if (empty_zones_enable && !lwresd_g_useresolvconf) {
170222Sdougb		const char *empty;
170222Sdougb		int empty_zone = 0;
170222Sdougb		dns_fixedname_t fixed;
170222Sdougb		dns_name_t *name;
170222Sdougb		isc_buffer_t buffer;
170222Sdougb		const char *str;
170222Sdougb		char server[DNS_NAME_FORMATSIZE + 1];
170222Sdougb		char contact[DNS_NAME_FORMATSIZE + 1];
170222Sdougb		const char *empty_dbtype[4] =
170222Sdougb				    { "_builtin", "empty", NULL, NULL };
170222Sdougb		int empty_dbtypec = 4;
254897Serwin		dns_zonestat_level_t statlevel;
170222Sdougb
170222Sdougb		dns_fixedname_init(&fixed);
170222Sdougb		name = dns_fixedname_name(&fixed);
170222Sdougb
170222Sdougb		obj = NULL;
170222Sdougb		result = ns_config_get(maps, "empty-server", &obj);
170222Sdougb		if (result == ISC_R_SUCCESS) {
170222Sdougb			str = cfg_obj_asstring(obj);
254402Serwin			isc_buffer_constinit(&buffer, str, strlen(str));
170222Sdougb			isc_buffer_add(&buffer, strlen(str));
224092Sdougb			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
224092Sdougb						NULL));
170222Sdougb			isc_buffer_init(&buffer, server, sizeof(server) - 1);
170222Sdougb			CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
170222Sdougb			server[isc_buffer_usedlength(&buffer)] = 0;
170222Sdougb			empty_dbtype[2] = server;
170222Sdougb		} else
170222Sdougb			empty_dbtype[2] = "@";
170222Sdougb
170222Sdougb		obj = NULL;
170222Sdougb		result = ns_config_get(maps, "empty-contact", &obj);
170222Sdougb		if (result == ISC_R_SUCCESS) {
170222Sdougb			str = cfg_obj_asstring(obj);
254402Serwin			isc_buffer_constinit(&buffer, str, strlen(str));
170222Sdougb			isc_buffer_add(&buffer, strlen(str));
224092Sdougb			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
224092Sdougb						NULL));
170222Sdougb			isc_buffer_init(&buffer, contact, sizeof(contact) - 1);
170222Sdougb			CHECK(dns_name_totext(name, ISC_FALSE, &buffer));
170222Sdougb			contact[isc_buffer_usedlength(&buffer)] = 0;
170222Sdougb			empty_dbtype[3] = contact;
170222Sdougb		} else
170222Sdougb			empty_dbtype[3] = ".";
170222Sdougb
193149Sdougb		obj = NULL;
193149Sdougb		result = ns_config_get(maps, "zone-statistics", &obj);
193149Sdougb		INSIST(result == ISC_R_SUCCESS);
254897Serwin		if (cfg_obj_isboolean(obj)) {
254897Serwin			if (cfg_obj_asboolean(obj))
254897Serwin				statlevel = dns_zonestat_full;
254897Serwin			else
254897Serwin				statlevel = dns_zonestat_terse; /* XXX */
254897Serwin		} else {
254897Serwin			const char *levelstr = cfg_obj_asstring(obj);
254897Serwin			if (strcasecmp(levelstr, "full") == 0)
254897Serwin				statlevel = dns_zonestat_full;
254897Serwin			else if (strcasecmp(levelstr, "terse") == 0)
254897Serwin				statlevel = dns_zonestat_terse;
254897Serwin			else if (strcasecmp(levelstr, "none") == 0)
254897Serwin				statlevel = dns_zonestat_none;
254897Serwin			else
254897Serwin				INSIST(0);
254897Serwin		}
193149Sdougb
254897Serwin		for (empty = empty_zones[empty_zone];
170222Sdougb		     empty != NULL;
254897Serwin		     empty = empty_zones[++empty_zone])
170222Sdougb		{
170222Sdougb			dns_forwarders_t *forwarders = NULL;
170222Sdougb			dns_view_t *pview = NULL;
170222Sdougb
254402Serwin			isc_buffer_constinit(&buffer, empty, strlen(empty));
170222Sdougb			isc_buffer_add(&buffer, strlen(empty));
170222Sdougb			/*
170222Sdougb			 * Look for zone on drop list.
170222Sdougb			 */
224092Sdougb			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
224092Sdougb						NULL));
170222Sdougb			if (disablelist != NULL &&
170222Sdougb			    on_disable_list(disablelist, name))
170222Sdougb				continue;
170222Sdougb
170222Sdougb			/*
170222Sdougb			 * This zone already exists.
170222Sdougb			 */
170222Sdougb			(void)dns_view_findzone(view, name, &zone);
170222Sdougb			if (zone != NULL) {
170222Sdougb				dns_zone_detach(&zone);
170222Sdougb				continue;
170222Sdougb			}
170222Sdougb
170222Sdougb			/*
170222Sdougb			 * If we would forward this name don't add a
170222Sdougb			 * empty zone for it.
170222Sdougb			 */
170222Sdougb			result = dns_fwdtable_find(view->fwdtable, name,
170222Sdougb						   &forwarders);
170222Sdougb			if (result == ISC_R_SUCCESS &&
170222Sdougb			    forwarders->fwdpolicy == dns_fwdpolicy_only)
170222Sdougb				continue;
186462Sdougb
170222Sdougb			/*
170222Sdougb			 * See if we can re-use a existing zone.
170222Sdougb			 */
170222Sdougb			result = dns_viewlist_find(&ns_g_server->viewlist,
170222Sdougb						   view->name, view->rdclass,
170222Sdougb						   &pview);
170222Sdougb			if (result != ISC_R_NOTFOUND &&
170222Sdougb			    result != ISC_R_SUCCESS)
170222Sdougb				goto cleanup;
170222Sdougb
170222Sdougb			if (pview != NULL) {
170222Sdougb				(void)dns_view_findzone(pview, name, &zone);
170222Sdougb				dns_view_detach(&pview);
170222Sdougb			}
170222Sdougb
262706Serwin			CHECK(create_empty_zone(zone, name, view, zonelist,
262706Serwin						empty_dbtype, empty_dbtypec,
262706Serwin						statlevel));
262706Serwin			if (zone != NULL)
262706Serwin				dns_zone_detach(&zone);
170222Sdougb		}
170222Sdougb	}
186462Sdougb
262706Serwin#ifdef USE_RRL
262706Serwin	obj = NULL;
262706Serwin	result = ns_config_get(maps, "rate-limit", &obj);
262706Serwin	if (result == ISC_R_SUCCESS) {
262706Serwin		result = configure_rrl(view, config, obj);
262706Serwin		if (result != ISC_R_SUCCESS)
262706Serwin			goto cleanup;
262706Serwin	}
262706Serwin#endif /* USE_RRL */
262706Serwin
135446Strhodes	result = ISC_R_SUCCESS;
135446Strhodes
135446Strhodes cleanup:
224092Sdougb	if (clients != NULL)
224092Sdougb		dns_acl_detach(&clients);
224092Sdougb	if (mapped != NULL)
224092Sdougb		dns_acl_detach(&mapped);
224092Sdougb	if (excluded != NULL)
224092Sdougb		dns_acl_detach(&excluded);
224092Sdougb	if (ring != NULL)
224092Sdougb		dns_tsigkeyring_detach(&ring);
170222Sdougb	if (zone != NULL)
170222Sdougb		dns_zone_detach(&zone);
135446Strhodes	if (dispatch4 != NULL)
135446Strhodes		dns_dispatch_detach(&dispatch4);
135446Strhodes	if (dispatch6 != NULL)
135446Strhodes		dns_dispatch_detach(&dispatch6);
193149Sdougb	if (resstats != NULL)
193149Sdougb		isc_stats_detach(&resstats);
193149Sdougb	if (resquerystats != NULL)
193149Sdougb		dns_stats_detach(&resquerystats);
135446Strhodes	if (order != NULL)
135446Strhodes		dns_order_detach(&order);
135446Strhodes	if (cmctx != NULL)
135446Strhodes		isc_mem_detach(&cmctx);
225361Sdougb	if (hmctx != NULL)
225361Sdougb		isc_mem_detach(&hmctx);
135446Strhodes
135446Strhodes	if (cache != NULL)
135446Strhodes		dns_cache_detach(&cache);
135446Strhodes
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
135446Strhodesconfigure_hints(dns_view_t *view, const char *filename) {
135446Strhodes	isc_result_t result;
135446Strhodes	dns_db_t *db;
135446Strhodes
135446Strhodes	db = NULL;
135446Strhodes	result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
135446Strhodes	if (result == ISC_R_SUCCESS) {
135446Strhodes		dns_view_sethints(view, db);
135446Strhodes		dns_db_detach(&db);
135446Strhodes	}
135446Strhodes
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
165071Sdougbconfigure_alternates(const cfg_obj_t *config, dns_view_t *view,
165071Sdougb		     const cfg_obj_t *alternates)
135446Strhodes{
165071Sdougb	const cfg_obj_t *portobj;
165071Sdougb	const cfg_obj_t *addresses;
165071Sdougb	const cfg_listelt_t *element;
135446Strhodes	isc_result_t result = ISC_R_SUCCESS;
135446Strhodes	in_port_t port;
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Determine which port to send requests to.
135446Strhodes	 */
135446Strhodes	if (ns_g_lwresdonly && ns_g_port != 0)
135446Strhodes		port = ns_g_port;
135446Strhodes	else
135446Strhodes		CHECKM(ns_config_getport(config, &port), "port");
135446Strhodes
135446Strhodes	if (alternates != NULL) {
135446Strhodes		portobj = cfg_tuple_get(alternates, "port");
135446Strhodes		if (cfg_obj_isuint32(portobj)) {
135446Strhodes			isc_uint32_t val = cfg_obj_asuint32(portobj);
135446Strhodes			if (val > ISC_UINT16_MAX) {
135446Strhodes				cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
135446Strhodes					    "port '%u' out of range", val);
135446Strhodes				return (ISC_R_RANGE);
135446Strhodes			}
135446Strhodes			port = (in_port_t) val;
135446Strhodes		}
135446Strhodes	}
135446Strhodes
135446Strhodes	addresses = NULL;
135446Strhodes	if (alternates != NULL)
135446Strhodes		addresses = cfg_tuple_get(alternates, "addresses");
135446Strhodes
135446Strhodes	for (element = cfg_list_first(addresses);
135446Strhodes	     element != NULL;
135446Strhodes	     element = cfg_list_next(element))
135446Strhodes	{
165071Sdougb		const cfg_obj_t *alternate = cfg_listelt_value(element);
135446Strhodes		isc_sockaddr_t sa;
135446Strhodes
135446Strhodes		if (!cfg_obj_issockaddr(alternate)) {
135446Strhodes			dns_fixedname_t fixed;
135446Strhodes			dns_name_t *name;
165071Sdougb			const char *str = cfg_obj_asstring(cfg_tuple_get(
165071Sdougb							   alternate, "name"));
135446Strhodes			isc_buffer_t buffer;
135446Strhodes			in_port_t myport = port;
135446Strhodes
254402Serwin			isc_buffer_constinit(&buffer, str, strlen(str));
135446Strhodes			isc_buffer_add(&buffer, strlen(str));
135446Strhodes			dns_fixedname_init(&fixed);
135446Strhodes			name = dns_fixedname_name(&fixed);
224092Sdougb			CHECK(dns_name_fromtext(name, &buffer, dns_rootname, 0,
224092Sdougb						NULL));
135446Strhodes
135446Strhodes			portobj = cfg_tuple_get(alternate, "port");
135446Strhodes			if (cfg_obj_isuint32(portobj)) {
135446Strhodes				isc_uint32_t val = cfg_obj_asuint32(portobj);
135446Strhodes				if (val > ISC_UINT16_MAX) {
135446Strhodes					cfg_obj_log(portobj, ns_g_lctx,
135446Strhodes						    ISC_LOG_ERROR,
135446Strhodes						    "port '%u' out of range",
135446Strhodes						     val);
135446Strhodes					return (ISC_R_RANGE);
135446Strhodes				}
135446Strhodes				myport = (in_port_t) val;
135446Strhodes			}
135446Strhodes			CHECK(dns_resolver_addalternate(view->resolver, NULL,
135446Strhodes							name, myport));
135446Strhodes			continue;
135446Strhodes		}
135446Strhodes
135446Strhodes		sa = *cfg_obj_assockaddr(alternate);
135446Strhodes		if (isc_sockaddr_getport(&sa) == 0)
135446Strhodes			isc_sockaddr_setport(&sa, port);
135446Strhodes		CHECK(dns_resolver_addalternate(view->resolver, &sa,
135446Strhodes						NULL, 0));
135446Strhodes	}
135446Strhodes
135446Strhodes cleanup:
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
165071Sdougbconfigure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
165071Sdougb		  const cfg_obj_t *forwarders, const cfg_obj_t *forwardtype)
135446Strhodes{
165071Sdougb	const cfg_obj_t *portobj;
165071Sdougb	const cfg_obj_t *faddresses;
165071Sdougb	const cfg_listelt_t *element;
135446Strhodes	dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
135446Strhodes	isc_sockaddrlist_t addresses;
135446Strhodes	isc_sockaddr_t *sa;
135446Strhodes	isc_result_t result;
135446Strhodes	in_port_t port;
135446Strhodes
193149Sdougb	ISC_LIST_INIT(addresses);
193149Sdougb
135446Strhodes	/*
135446Strhodes	 * Determine which port to send forwarded requests to.
135446Strhodes	 */
135446Strhodes	if (ns_g_lwresdonly && ns_g_port != 0)
135446Strhodes		port = ns_g_port;
135446Strhodes	else
135446Strhodes		CHECKM(ns_config_getport(config, &port), "port");
135446Strhodes
135446Strhodes	if (forwarders != NULL) {
135446Strhodes		portobj = cfg_tuple_get(forwarders, "port");
135446Strhodes		if (cfg_obj_isuint32(portobj)) {
135446Strhodes			isc_uint32_t val = cfg_obj_asuint32(portobj);
135446Strhodes			if (val > ISC_UINT16_MAX) {
135446Strhodes				cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
135446Strhodes					    "port '%u' out of range", val);
135446Strhodes				return (ISC_R_RANGE);
135446Strhodes			}
135446Strhodes			port = (in_port_t) val;
135446Strhodes		}
135446Strhodes	}
135446Strhodes
135446Strhodes	faddresses = NULL;
135446Strhodes	if (forwarders != NULL)
135446Strhodes		faddresses = cfg_tuple_get(forwarders, "addresses");
135446Strhodes
135446Strhodes	for (element = cfg_list_first(faddresses);
135446Strhodes	     element != NULL;
135446Strhodes	     element = cfg_list_next(element))
135446Strhodes	{
165071Sdougb		const cfg_obj_t *forwarder = cfg_listelt_value(element);
135446Strhodes		sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
135446Strhodes		if (sa == NULL) {
135446Strhodes			result = ISC_R_NOMEMORY;
135446Strhodes			goto cleanup;
135446Strhodes		}
135446Strhodes		*sa = *cfg_obj_assockaddr(forwarder);
135446Strhodes		if (isc_sockaddr_getport(sa) == 0)
135446Strhodes			isc_sockaddr_setport(sa, port);
135446Strhodes		ISC_LINK_INIT(sa, link);
135446Strhodes		ISC_LIST_APPEND(addresses, sa, link);
135446Strhodes	}
135446Strhodes
135446Strhodes	if (ISC_LIST_EMPTY(addresses)) {
135446Strhodes		if (forwardtype != NULL)
135446Strhodes			cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
135446Strhodes				    "no forwarders seen; disabling "
135446Strhodes				    "forwarding");
135446Strhodes		fwdpolicy = dns_fwdpolicy_none;
135446Strhodes	} else {
135446Strhodes		if (forwardtype == NULL)
135446Strhodes			fwdpolicy = dns_fwdpolicy_first;
135446Strhodes		else {
165071Sdougb			const char *forwardstr = cfg_obj_asstring(forwardtype);
135446Strhodes			if (strcasecmp(forwardstr, "first") == 0)
135446Strhodes				fwdpolicy = dns_fwdpolicy_first;
135446Strhodes			else if (strcasecmp(forwardstr, "only") == 0)
135446Strhodes				fwdpolicy = dns_fwdpolicy_only;
135446Strhodes			else
135446Strhodes				INSIST(0);
135446Strhodes		}
135446Strhodes	}
135446Strhodes
135446Strhodes	result = dns_fwdtable_add(view->fwdtable, origin, &addresses,
135446Strhodes				  fwdpolicy);
135446Strhodes	if (result != ISC_R_SUCCESS) {
135446Strhodes		char namebuf[DNS_NAME_FORMATSIZE];
135446Strhodes		dns_name_format(origin, namebuf, sizeof(namebuf));
135446Strhodes		cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
135446Strhodes			    "could not set up forwarding for domain '%s': %s",
135446Strhodes			    namebuf, isc_result_totext(result));
135446Strhodes		goto cleanup;
135446Strhodes	}
135446Strhodes
135446Strhodes	result = ISC_R_SUCCESS;
135446Strhodes
135446Strhodes cleanup:
135446Strhodes
135446Strhodes	while (!ISC_LIST_EMPTY(addresses)) {
135446Strhodes		sa = ISC_LIST_HEAD(addresses);
135446Strhodes		ISC_LIST_UNLINK(addresses, sa, link);
135446Strhodes		isc_mem_put(view->mctx, sa, sizeof(isc_sockaddr_t));
135446Strhodes	}
135446Strhodes
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
225361Sdougbget_viewinfo(const cfg_obj_t *vconfig, const char **namep,
225361Sdougb	     dns_rdataclass_t *classp)
165071Sdougb{
225361Sdougb	isc_result_t result = ISC_R_SUCCESS;
135446Strhodes	const char *viewname;
135446Strhodes	dns_rdataclass_t viewclass;
135446Strhodes
225361Sdougb	REQUIRE(namep != NULL && *namep == NULL);
225361Sdougb	REQUIRE(classp != NULL);
225361Sdougb
135446Strhodes	if (vconfig != NULL) {
165071Sdougb		const cfg_obj_t *classobj = NULL;
135446Strhodes
135446Strhodes		viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
135446Strhodes		classobj = cfg_tuple_get(vconfig, "class");
135446Strhodes		result = ns_config_getclass(classobj, dns_rdataclass_in,
135446Strhodes					    &viewclass);
135446Strhodes	} else {
135446Strhodes		viewname = "_default";
135446Strhodes		viewclass = dns_rdataclass_in;
135446Strhodes	}
225361Sdougb
225361Sdougb	*namep = viewname;
225361Sdougb	*classp = viewclass;
225361Sdougb
225361Sdougb	return (result);
225361Sdougb}
225361Sdougb
225361Sdougb/*
225361Sdougb * Find a view based on its configuration info and attach to it.
225361Sdougb *
225361Sdougb * If 'vconfig' is NULL, attach to the default view.
225361Sdougb */
225361Sdougbstatic isc_result_t
225361Sdougbfind_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
225361Sdougb	  dns_view_t **viewp)
225361Sdougb{
225361Sdougb	isc_result_t result;
225361Sdougb	const char *viewname = NULL;
225361Sdougb	dns_rdataclass_t viewclass;
225361Sdougb	dns_view_t *view = NULL;
225361Sdougb
225361Sdougb	result = get_viewinfo(vconfig, &viewname, &viewclass);
225361Sdougb	if (result != ISC_R_SUCCESS)
225361Sdougb		return (result);
225361Sdougb
135446Strhodes	result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
225361Sdougb	if (result != ISC_R_SUCCESS)
225361Sdougb		return (result);
225361Sdougb
225361Sdougb	*viewp = view;
225361Sdougb	return (ISC_R_SUCCESS);
225361Sdougb}
225361Sdougb
225361Sdougb/*
225361Sdougb * Create a new view and add it to the list.
225361Sdougb *
225361Sdougb * If 'vconfig' is NULL, create the default view.
225361Sdougb *
225361Sdougb * The view created is attached to '*viewp'.
225361Sdougb */
225361Sdougbstatic isc_result_t
225361Sdougbcreate_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
225361Sdougb	    dns_view_t **viewp)
225361Sdougb{
225361Sdougb	isc_result_t result;
225361Sdougb	const char *viewname = NULL;
225361Sdougb	dns_rdataclass_t viewclass;
225361Sdougb	dns_view_t *view = NULL;
225361Sdougb
225361Sdougb	result = get_viewinfo(vconfig, &viewname, &viewclass);
225361Sdougb	if (result != ISC_R_SUCCESS)
225361Sdougb		return (result);
225361Sdougb
225361Sdougb	result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
135446Strhodes	if (result == ISC_R_SUCCESS)
135446Strhodes		return (ISC_R_EXISTS);
135446Strhodes	if (result != ISC_R_NOTFOUND)
135446Strhodes		return (result);
135446Strhodes	INSIST(view == NULL);
135446Strhodes
135446Strhodes	result = dns_view_create(ns_g_mctx, viewclass, viewname, &view);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (result);
135446Strhodes
135446Strhodes	ISC_LIST_APPEND(*viewlist, view, link);
135446Strhodes	dns_view_attach(view, viewp);
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes}
135446Strhodes
135446Strhodes/*
135446Strhodes * Configure or reconfigure a zone.
135446Strhodes */
135446Strhodesstatic isc_result_t
165071Sdougbconfigure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
165071Sdougb	       const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
224092Sdougb	       cfg_aclconfctx_t *aclconf, isc_boolean_t added)
135446Strhodes{
135446Strhodes	dns_view_t *pview = NULL;	/* Production view */
135446Strhodes	dns_zone_t *zone = NULL;	/* New or reused zone */
254897Serwin	dns_zone_t *raw = NULL;		/* New or reused raw zone */
135446Strhodes	dns_zone_t *dupzone = NULL;
165071Sdougb	const cfg_obj_t *options = NULL;
165071Sdougb	const cfg_obj_t *zoptions = NULL;
165071Sdougb	const cfg_obj_t *typeobj = NULL;
165071Sdougb	const cfg_obj_t *forwarders = NULL;
165071Sdougb	const cfg_obj_t *forwardtype = NULL;
165071Sdougb	const cfg_obj_t *only = NULL;
254897Serwin	const cfg_obj_t *signing = NULL;
135446Strhodes	isc_result_t result;
135446Strhodes	isc_result_t tresult;
135446Strhodes	isc_buffer_t buffer;
135446Strhodes	dns_fixedname_t fixorigin;
135446Strhodes	dns_name_t *origin;
135446Strhodes	const char *zname;
135446Strhodes	dns_rdataclass_t zclass;
135446Strhodes	const char *ztypestr;
254402Serwin	isc_boolean_t is_rpz;
254402Serwin	dns_rpz_zone_t *rpz;
135446Strhodes
135446Strhodes	options = NULL;
135446Strhodes	(void)cfg_map_get(config, "options", &options);
135446Strhodes
135446Strhodes	zoptions = cfg_tuple_get(zconfig, "options");
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Get the zone origin as a dns_name_t.
135446Strhodes	 */
135446Strhodes	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
254402Serwin	isc_buffer_constinit(&buffer, zname, strlen(zname));
135446Strhodes	isc_buffer_add(&buffer, strlen(zname));
135446Strhodes	dns_fixedname_init(&fixorigin);
135446Strhodes	CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
224092Sdougb				&buffer, dns_rootname, 0, NULL));
135446Strhodes	origin = dns_fixedname_name(&fixorigin);
135446Strhodes
135446Strhodes	CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
135446Strhodes				 view->rdclass, &zclass));
135446Strhodes	if (zclass != view->rdclass) {
135446Strhodes		const char *vname = NULL;
135446Strhodes		if (vconfig != NULL)
135446Strhodes			vname = cfg_obj_asstring(cfg_tuple_get(vconfig,
135446Strhodes							       "name"));
135446Strhodes		else
135446Strhodes			vname = "<default view>";
186462Sdougb
135446Strhodes		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
135446Strhodes			      "zone '%s': wrong class for view '%s'",
135446Strhodes			      zname, vname);
135446Strhodes		result = ISC_R_FAILURE;
135446Strhodes		goto cleanup;
135446Strhodes	}
135446Strhodes
135446Strhodes	(void)cfg_map_get(zoptions, "type", &typeobj);
135446Strhodes	if (typeobj == NULL) {
135446Strhodes		cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
135446Strhodes			    "zone '%s' 'type' not specified", zname);
135446Strhodes		return (ISC_R_FAILURE);
135446Strhodes	}
135446Strhodes	ztypestr = cfg_obj_asstring(typeobj);
135446Strhodes
135446Strhodes	/*
224092Sdougb	 * "hints zones" aren't zones.	If we've got one,
135446Strhodes	 * configure it and return.
135446Strhodes	 */
135446Strhodes	if (strcasecmp(ztypestr, "hint") == 0) {
165071Sdougb		const cfg_obj_t *fileobj = NULL;
135446Strhodes		if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
135446Strhodes			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
135446Strhodes				      "zone '%s': 'file' not specified",
135446Strhodes				      zname);
135446Strhodes			result = ISC_R_FAILURE;
135446Strhodes			goto cleanup;
135446Strhodes		}
135446Strhodes		if (dns_name_equal(origin, dns_rootname)) {
165071Sdougb			const char *hintsfile = cfg_obj_asstring(fileobj);
135446Strhodes
135446Strhodes			result = configure_hints(view, hintsfile);
135446Strhodes			if (result != ISC_R_SUCCESS) {
135446Strhodes				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes					      NS_LOGMODULE_SERVER,
135446Strhodes					      ISC_LOG_ERROR,
135446Strhodes					      "could not configure root hints "
135446Strhodes					      "from '%s': %s", hintsfile,
135446Strhodes					      isc_result_totext(result));
135446Strhodes				goto cleanup;
135446Strhodes			}
135446Strhodes			/*
135446Strhodes			 * Hint zones may also refer to delegation only points.
135446Strhodes			 */
135446Strhodes			only = NULL;
135446Strhodes			tresult = cfg_map_get(zoptions, "delegation-only",
135446Strhodes					      &only);
135446Strhodes			if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
135446Strhodes				CHECK(dns_view_adddelegationonly(view, origin));
135446Strhodes		} else {
135446Strhodes			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
135446Strhodes				      "ignoring non-root hint zone '%s'",
135446Strhodes				      zname);
135446Strhodes			result = ISC_R_SUCCESS;
135446Strhodes		}
135446Strhodes		/* Skip ordinary zone processing. */
135446Strhodes		goto cleanup;
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * "forward zones" aren't zones either.  Translate this syntax into
135446Strhodes	 * the appropriate selective forwarding configuration and return.
135446Strhodes	 */
135446Strhodes	if (strcasecmp(ztypestr, "forward") == 0) {
135446Strhodes		forwardtype = NULL;
135446Strhodes		forwarders = NULL;
135446Strhodes
135446Strhodes		(void)cfg_map_get(zoptions, "forward", &forwardtype);
135446Strhodes		(void)cfg_map_get(zoptions, "forwarders", &forwarders);
135446Strhodes		result = configure_forward(config, view, origin, forwarders,
135446Strhodes					   forwardtype);
135446Strhodes		goto cleanup;
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * "delegation-only zones" aren't zones either.
135446Strhodes	 */
135446Strhodes	if (strcasecmp(ztypestr, "delegation-only") == 0) {
135446Strhodes		result = dns_view_adddelegationonly(view, origin);
135446Strhodes		goto cleanup;
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
254897Serwin	 * Redirect zones only require minimal configuration.
254897Serwin	 */
254897Serwin	if (strcasecmp(ztypestr, "redirect") == 0) {
254897Serwin		if (view->redirect != NULL) {
254897Serwin			cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
254897Serwin				    "redirect zone already exists");
254897Serwin			result = ISC_R_EXISTS;
254897Serwin			goto cleanup;
254897Serwin		}
254897Serwin		result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
254897Serwin					   view->rdclass, &pview);
254897Serwin		if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
254897Serwin			goto cleanup;
254897Serwin		if (pview != NULL && pview->redirect != NULL) {
254897Serwin			dns_zone_attach(pview->redirect, &zone);
254897Serwin			dns_zone_setview(zone, view);
254897Serwin		} else {
254897Serwin			CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr,
254897Serwin						     &zone));
254897Serwin			CHECK(dns_zone_setorigin(zone, origin));
254897Serwin			dns_zone_setview(zone, view);
254897Serwin			CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr,
254897Serwin						     zone));
254897Serwin			dns_zone_setstats(zone, ns_g_server->zonestats);
254897Serwin		}
254897Serwin		CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf,
254897Serwin					zone, NULL));
254897Serwin		dns_zone_attach(zone, &view->redirect);
254897Serwin		goto cleanup;
254897Serwin	}
254897Serwin
254897Serwin	/*
135446Strhodes	 * Check for duplicates in the new zone table.
135446Strhodes	 */
135446Strhodes	result = dns_view_findzone(view, origin, &dupzone);
135446Strhodes	if (result == ISC_R_SUCCESS) {
135446Strhodes		/*
135446Strhodes		 * We already have this zone!
135446Strhodes		 */
135446Strhodes		cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
135446Strhodes			    "zone '%s' already exists", zname);
135446Strhodes		dns_zone_detach(&dupzone);
135446Strhodes		result = ISC_R_EXISTS;
135446Strhodes		goto cleanup;
135446Strhodes	}
135446Strhodes	INSIST(dupzone == NULL);
135446Strhodes
135446Strhodes	/*
254402Serwin	 * Note whether this is a response policy zone.
254402Serwin	 */
254402Serwin	is_rpz = ISC_FALSE;
254402Serwin	for (rpz = ISC_LIST_HEAD(view->rpz_zones);
254402Serwin	     rpz != NULL;
254402Serwin	     rpz = ISC_LIST_NEXT(rpz, link))
254402Serwin	{
254402Serwin		if (dns_name_equal(&rpz->origin, origin)) {
254402Serwin			is_rpz = ISC_TRUE;
254402Serwin			rpz->defined = ISC_TRUE;
254402Serwin			break;
254402Serwin		}
254402Serwin	}
254402Serwin
254402Serwin	/*
135446Strhodes	 * See if we can reuse an existing zone.  This is
135446Strhodes	 * only possible if all of these are true:
135446Strhodes	 *   - The zone's view exists
135446Strhodes	 *   - A zone with the right name exists in the view
135446Strhodes	 *   - The zone is compatible with the config
135446Strhodes	 *     options (e.g., an existing master zone cannot
135446Strhodes	 *     be reused if the options specify a slave zone)
254402Serwin	 *   - The zone was and is or was not and is not a policy zone
135446Strhodes	 */
254897Serwin	result = dns_viewlist_find(&ns_g_server->viewlist, view->name,
254897Serwin				   view->rdclass, &pview);
135446Strhodes	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
135446Strhodes		goto cleanup;
135446Strhodes	if (pview != NULL)
135446Strhodes		result = dns_view_findzone(pview, origin, &zone);
135446Strhodes	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
135446Strhodes		goto cleanup;
254897Serwin
170222Sdougb	if (zone != NULL && !ns_zone_reusable(zone, zconfig))
170222Sdougb		dns_zone_detach(&zone);
135446Strhodes
254402Serwin	if (zone != NULL && is_rpz != dns_zone_get_rpz(zone))
254402Serwin		dns_zone_detach(&zone);
254402Serwin
135446Strhodes	if (zone != NULL) {
135446Strhodes		/*
135446Strhodes		 * We found a reusable zone.  Make it use the
135446Strhodes		 * new view.
135446Strhodes		 */
135446Strhodes		dns_zone_setview(zone, view);
170222Sdougb		if (view->acache != NULL)
170222Sdougb			dns_zone_setacache(zone, view->acache);
135446Strhodes	} else {
135446Strhodes		/*
135446Strhodes		 * We cannot reuse an existing zone, we have
135446Strhodes		 * to create a new one.
135446Strhodes		 */
254897Serwin		CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
135446Strhodes		CHECK(dns_zone_setorigin(zone, origin));
135446Strhodes		dns_zone_setview(zone, view);
170222Sdougb		if (view->acache != NULL)
170222Sdougb			dns_zone_setacache(zone, view->acache);
135446Strhodes		CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
193149Sdougb		dns_zone_setstats(zone, ns_g_server->zonestats);
135446Strhodes	}
135446Strhodes
254402Serwin	if (is_rpz) {
254402Serwin		result = dns_zone_rpz_enable(zone);
254402Serwin		if (result != ISC_R_SUCCESS) {
254402Serwin			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
254402Serwin				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
254402Serwin				      "zone '%s': incompatible"
254402Serwin				      " masterfile-format or database"
254402Serwin				      " for a response policy zone",
254402Serwin				      zname);
254402Serwin			goto cleanup;
254402Serwin		}
254402Serwin	}
254402Serwin
135446Strhodes	/*
135446Strhodes	 * If the zone contains a 'forwarders' statement, configure
135446Strhodes	 * selective forwarding.
135446Strhodes	 */
135446Strhodes	forwarders = NULL;
135446Strhodes	if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS)
135446Strhodes	{
135446Strhodes		forwardtype = NULL;
135446Strhodes		(void)cfg_map_get(zoptions, "forward", &forwardtype);
135446Strhodes		CHECK(configure_forward(config, view, origin, forwarders,
135446Strhodes					forwardtype));
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Stub and forward zones may also refer to delegation only points.
135446Strhodes	 */
135446Strhodes	only = NULL;
135446Strhodes	if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS)
135446Strhodes	{
135446Strhodes		if (cfg_obj_asboolean(only))
135446Strhodes			CHECK(dns_view_adddelegationonly(view, origin));
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
224092Sdougb	 * Mark whether the zone was originally added at runtime or not
224092Sdougb	 */
224092Sdougb	dns_zone_setadded(zone, added);
224092Sdougb
254897Serwin	signing = NULL;
254897Serwin	if ((strcasecmp(ztypestr, "master") == 0 ||
254897Serwin	     strcasecmp(ztypestr, "slave") == 0) &&
254897Serwin	    cfg_map_get(zoptions, "inline-signing", &signing) == ISC_R_SUCCESS &&
254897Serwin	    cfg_obj_asboolean(signing))
254897Serwin	{
254897Serwin		dns_zone_getraw(zone, &raw);
254897Serwin		if (raw == NULL) {
254897Serwin			CHECK(dns_zone_create(&raw, mctx));
254897Serwin			CHECK(dns_zone_setorigin(raw, origin));
254897Serwin			dns_zone_setview(raw, view);
254897Serwin			if (view->acache != NULL)
254897Serwin				dns_zone_setacache(raw, view->acache);
254897Serwin			dns_zone_setstats(raw, ns_g_server->zonestats);
254897Serwin			CHECK(dns_zone_link(zone, raw));
254897Serwin		}
254897Serwin	}
254897Serwin
224092Sdougb	/*
135446Strhodes	 * Configure the zone.
135446Strhodes	 */
254897Serwin	CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone, raw));
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Add the zone to its view in the new view list.
135446Strhodes	 */
135446Strhodes	CHECK(dns_view_addzone(view, zone));
135446Strhodes
234010Sdougb	/*
234010Sdougb	 * Ensure that zone keys are reloaded on reconfig
234010Sdougb	 */
234010Sdougb	if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0)
234010Sdougb		dns_zone_rekey(zone, ISC_FALSE);
234010Sdougb
135446Strhodes cleanup:
135446Strhodes	if (zone != NULL)
135446Strhodes		dns_zone_detach(&zone);
254897Serwin	if (raw != NULL)
254897Serwin		dns_zone_detach(&raw);
135446Strhodes	if (pview != NULL)
135446Strhodes		dns_view_detach(&pview);
135446Strhodes
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodes/*
224092Sdougb * Configure built-in zone for storing managed-key data.
224092Sdougb */
224092Sdougb
224092Sdougb#define KEYZONE "managed-keys.bind"
224092Sdougb#define MKEYS ".mkeys"
224092Sdougb
224092Sdougbstatic isc_result_t
224092Sdougbadd_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
224092Sdougb	isc_result_t result;
224092Sdougb	dns_view_t *pview = NULL;
224092Sdougb	dns_zone_t *zone = NULL;
224092Sdougb	dns_acl_t *none = NULL;
224092Sdougb	char filename[PATH_MAX];
224092Sdougb	char buffer[ISC_SHA256_DIGESTSTRINGLENGTH + sizeof(MKEYS)];
224092Sdougb	int n;
224092Sdougb
224092Sdougb	REQUIRE(view != NULL);
224092Sdougb
224092Sdougb	/* See if we can re-use an existing keydata zone. */
224092Sdougb	result = dns_viewlist_find(&ns_g_server->viewlist,
224092Sdougb				   view->name, view->rdclass,
224092Sdougb				   &pview);
224092Sdougb	if (result != ISC_R_NOTFOUND &&
224092Sdougb	    result != ISC_R_SUCCESS)
224092Sdougb		return (result);
224092Sdougb
224092Sdougb	if (pview != NULL && pview->managed_keys != NULL) {
224092Sdougb		dns_zone_attach(pview->managed_keys, &view->managed_keys);
224092Sdougb		dns_zone_setview(pview->managed_keys, view);
224092Sdougb		dns_view_detach(&pview);
234010Sdougb		dns_zone_synckeyzone(view->managed_keys);
224092Sdougb		return (ISC_R_SUCCESS);
224092Sdougb	}
224092Sdougb
224092Sdougb	/* No existing keydata zone was found; create one */
254897Serwin	CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
224092Sdougb	CHECK(dns_zone_setorigin(zone, dns_rootname));
224092Sdougb
224092Sdougb	isc_sha256_data((void *)view->name, strlen(view->name), buffer);
224092Sdougb	strcat(buffer, MKEYS);
224092Sdougb	n = snprintf(filename, sizeof(filename), "%s%s%s",
224092Sdougb		     directory ? directory : "", directory ? "/" : "",
224092Sdougb		     strcmp(view->name, "_default") == 0 ? KEYZONE : buffer);
224092Sdougb	if (n < 0 || (size_t)n >= sizeof(filename)) {
224092Sdougb		result = (n < 0) ? ISC_R_FAILURE : ISC_R_NOSPACE;
224092Sdougb		goto cleanup;
224092Sdougb	}
224092Sdougb	CHECK(dns_zone_setfile(zone, filename));
224092Sdougb
224092Sdougb	dns_zone_setview(zone, view);
224092Sdougb	dns_zone_settype(zone, dns_zone_key);
224092Sdougb	dns_zone_setclass(zone, view->rdclass);
224092Sdougb
224092Sdougb	CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
224092Sdougb
224092Sdougb	if (view->acache != NULL)
224092Sdougb		dns_zone_setacache(zone, view->acache);
224092Sdougb
224092Sdougb	CHECK(dns_acl_none(mctx, &none));
224092Sdougb	dns_zone_setqueryacl(zone, none);
224092Sdougb	dns_zone_setqueryonacl(zone, none);
224092Sdougb	dns_acl_detach(&none);
224092Sdougb
224092Sdougb	dns_zone_setdialup(zone, dns_dialuptype_no);
224092Sdougb	dns_zone_setnotifytype(zone, dns_notifytype_no);
224092Sdougb	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
224092Sdougb	dns_zone_setjournalsize(zone, 0);
224092Sdougb
224092Sdougb	dns_zone_setstats(zone, ns_g_server->zonestats);
254897Serwin	CHECK(setquerystats(zone, mctx, dns_zonestat_none));
224092Sdougb
224092Sdougb	if (view->managed_keys != NULL)
224092Sdougb		dns_zone_detach(&view->managed_keys);
224092Sdougb	dns_zone_attach(zone, &view->managed_keys);
224092Sdougb
224092Sdougb	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
224092Sdougb		      "set up managed keys zone for view %s, file '%s'",
224092Sdougb		      view->name, filename);
224092Sdougb
224092Sdougbcleanup:
224092Sdougb	if (zone != NULL)
224092Sdougb		dns_zone_detach(&zone);
224092Sdougb	if (none != NULL)
224092Sdougb		dns_acl_detach(&none);
224092Sdougb
224092Sdougb	return (result);
224092Sdougb}
224092Sdougb
224092Sdougb/*
135446Strhodes * Configure a single server quota.
135446Strhodes */
135446Strhodesstatic void
165071Sdougbconfigure_server_quota(const cfg_obj_t **maps, const char *name,
165071Sdougb		       isc_quota_t *quota)
135446Strhodes{
165071Sdougb	const cfg_obj_t *obj = NULL;
135446Strhodes	isc_result_t result;
135446Strhodes
135446Strhodes	result = ns_config_get(maps, name, &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
153816Sdougb	isc_quota_max(quota, cfg_obj_asuint32(obj));
135446Strhodes}
135446Strhodes
135446Strhodes/*
135446Strhodes * This function is called as soon as the 'directory' statement has been
135446Strhodes * parsed.  This can be extended to support other options if necessary.
135446Strhodes */
135446Strhodesstatic isc_result_t
165071Sdougbdirectory_callback(const char *clausename, const cfg_obj_t *obj, void *arg) {
135446Strhodes	isc_result_t result;
165071Sdougb	const char *directory;
135446Strhodes
135446Strhodes	REQUIRE(strcasecmp("directory", clausename) == 0);
135446Strhodes
135446Strhodes	UNUSED(arg);
135446Strhodes	UNUSED(clausename);
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Change directory.
135446Strhodes	 */
135446Strhodes	directory = cfg_obj_asstring(obj);
135446Strhodes
135446Strhodes	if (! isc_file_ischdiridempotent(directory))
135446Strhodes		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
135446Strhodes			    "option 'directory' contains relative path '%s'",
135446Strhodes			    directory);
135446Strhodes
135446Strhodes	result = isc_dir_chdir(directory);
135446Strhodes	if (result != ISC_R_SUCCESS) {
135446Strhodes		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
135446Strhodes			    "change directory to '%s' failed: %s",
135446Strhodes			    directory, isc_result_totext(result));
135446Strhodes		return (result);
135446Strhodes	}
135446Strhodes
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes}
135446Strhodes
135446Strhodesstatic void
135446Strhodesscan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
135446Strhodes	isc_boolean_t match_mapped = server->aclenv.match_mapped;
135446Strhodes
135446Strhodes	ns_interfacemgr_scan(server->interfacemgr, verbose);
135446Strhodes	/*
135446Strhodes	 * Update the "localhost" and "localnets" ACLs to match the
135446Strhodes	 * current set of network interfaces.
135446Strhodes	 */
135446Strhodes	dns_aclenv_copy(&server->aclenv,
135446Strhodes			ns_interfacemgr_getaclenv(server->interfacemgr));
135446Strhodes
135446Strhodes	server->aclenv.match_mapped = match_mapped;
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
180477Sdougbadd_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
180477Sdougb	      isc_boolean_t wcardport_ok)
180477Sdougb{
135446Strhodes	ns_listenelt_t *lelt = NULL;
135446Strhodes	dns_acl_t *src_acl = NULL;
135446Strhodes	isc_result_t result;
135446Strhodes	isc_sockaddr_t any_sa6;
193149Sdougb	isc_netaddr_t netaddr;
135446Strhodes
135446Strhodes	REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
135446Strhodes
135446Strhodes	isc_sockaddr_any6(&any_sa6);
180477Sdougb	if (!isc_sockaddr_equal(&any_sa6, addr) &&
180477Sdougb	    (wcardport_ok || isc_sockaddr_getport(addr) != 0)) {
193149Sdougb		isc_netaddr_fromin6(&netaddr, &addr->type.sin6.sin6_addr);
135446Strhodes
193149Sdougb		result = dns_acl_create(mctx, 0, &src_acl);
135446Strhodes		if (result != ISC_R_SUCCESS)
135446Strhodes			return (result);
193149Sdougb
193149Sdougb		result = dns_iptable_addprefix(src_acl->iptable,
193149Sdougb					       &netaddr, 128, ISC_TRUE);
135446Strhodes		if (result != ISC_R_SUCCESS)
135446Strhodes			goto clean;
135446Strhodes
135446Strhodes		result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
135446Strhodes					     src_acl, &lelt);
135446Strhodes		if (result != ISC_R_SUCCESS)
135446Strhodes			goto clean;
135446Strhodes		ISC_LIST_APPEND(list->elts, lelt, link);
135446Strhodes	}
135446Strhodes
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes
135446Strhodes clean:
135446Strhodes	INSIST(lelt == NULL);
165071Sdougb	dns_acl_detach(&src_acl);
135446Strhodes
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodes/*
135446Strhodes * Make a list of xxx-source addresses and call ns_interfacemgr_adjust()
135446Strhodes * to update the listening interfaces accordingly.
135446Strhodes * We currently only consider IPv6, because this only affects IPv6 wildcard
135446Strhodes * sockets.
135446Strhodes */
135446Strhodesstatic void
135446Strhodesadjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
135446Strhodes	isc_result_t result;
135446Strhodes	ns_listenlist_t *list = NULL;
135446Strhodes	dns_view_t *view;
135446Strhodes	dns_zone_t *zone, *next;
135446Strhodes	isc_sockaddr_t addr, *addrp;
135446Strhodes
135446Strhodes	result = ns_listenlist_create(mctx, &list);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return;
135446Strhodes
135446Strhodes	for (view = ISC_LIST_HEAD(server->viewlist);
135446Strhodes	     view != NULL;
135446Strhodes	     view = ISC_LIST_NEXT(view, link)) {
135446Strhodes		dns_dispatch_t *dispatch6;
135446Strhodes
135446Strhodes		dispatch6 = dns_resolver_dispatchv6(view->resolver);
143731Sdougb		if (dispatch6 == NULL)
143731Sdougb			continue;
135446Strhodes		result = dns_dispatch_getlocaladdress(dispatch6, &addr);
135446Strhodes		if (result != ISC_R_SUCCESS)
135446Strhodes			goto fail;
180477Sdougb
180477Sdougb		/*
180477Sdougb		 * We always add non-wildcard address regardless of whether
180477Sdougb		 * the port is 'any' (the fourth arg is TRUE): if the port is
180477Sdougb		 * specific, we need to add it since it may conflict with a
180477Sdougb		 * listening interface; if it's zero, we'll dynamically open
180477Sdougb		 * query ports, and some of them may override an existing
180477Sdougb		 * wildcard IPv6 port.
180477Sdougb		 */
180477Sdougb		result = add_listenelt(mctx, list, &addr, ISC_TRUE);
135446Strhodes		if (result != ISC_R_SUCCESS)
135446Strhodes			goto fail;
135446Strhodes	}
135446Strhodes
135446Strhodes	zone = NULL;
135446Strhodes	for (result = dns_zone_first(server->zonemgr, &zone);
135446Strhodes	     result == ISC_R_SUCCESS;
135446Strhodes	     next = NULL, result = dns_zone_next(zone, &next), zone = next) {
135446Strhodes		dns_view_t *zoneview;
135446Strhodes
135446Strhodes		/*
135446Strhodes		 * At this point the zone list may contain a stale zone
135446Strhodes		 * just removed from the configuration.  To see the validity,
135446Strhodes		 * check if the corresponding view is in our current view list.
153816Sdougb		 * There may also be old zones that are still in the process
153816Sdougb		 * of shutting down and have detached from their old view
153816Sdougb		 * (zoneview == NULL).
135446Strhodes		 */
135446Strhodes		zoneview = dns_zone_getview(zone);
153816Sdougb		if (zoneview == NULL)
153816Sdougb			continue;
135446Strhodes		for (view = ISC_LIST_HEAD(server->viewlist);
135446Strhodes		     view != NULL && view != zoneview;
135446Strhodes		     view = ISC_LIST_NEXT(view, link))
135446Strhodes			;
135446Strhodes		if (view == NULL)
135446Strhodes			continue;
135446Strhodes
135446Strhodes		addrp = dns_zone_getnotifysrc6(zone);
180477Sdougb		result = add_listenelt(mctx, list, addrp, ISC_FALSE);
135446Strhodes		if (result != ISC_R_SUCCESS)
135446Strhodes			goto fail;
135446Strhodes
135446Strhodes		addrp = dns_zone_getxfrsource6(zone);
180477Sdougb		result = add_listenelt(mctx, list, addrp, ISC_FALSE);
135446Strhodes		if (result != ISC_R_SUCCESS)
135446Strhodes			goto fail;
135446Strhodes	}
135446Strhodes
135446Strhodes	ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE);
186462Sdougb
135446Strhodes clean:
135446Strhodes	ns_listenlist_detach(&list);
135446Strhodes	return;
135446Strhodes
135446Strhodes fail:
135446Strhodes	/*
135446Strhodes	 * Even when we failed the procedure, most of other interfaces
135446Strhodes	 * should work correctly.  We therefore just warn it.
135446Strhodes	 */
135446Strhodes	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes		      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
135446Strhodes		      "could not adjust the listen-on list; "
135446Strhodes		      "some interfaces may not work");
135446Strhodes	goto clean;
135446Strhodes}
135446Strhodes
135446Strhodes/*
135446Strhodes * This event callback is invoked to do periodic network
135446Strhodes * interface scanning.
135446Strhodes */
135446Strhodesstatic void
135446Strhodesinterface_timer_tick(isc_task_t *task, isc_event_t *event) {
135446Strhodes	isc_result_t result;
135446Strhodes	ns_server_t *server = (ns_server_t *) event->ev_arg;
135446Strhodes	INSIST(task == server->task);
135446Strhodes	UNUSED(task);
135446Strhodes	isc_event_free(&event);
135446Strhodes	/*
135446Strhodes	 * XXX should scan interfaces unlocked and get exclusive access
135446Strhodes	 * only to replace ACLs.
135446Strhodes	 */
135446Strhodes	result = isc_task_beginexclusive(server->task);
135446Strhodes	RUNTIME_CHECK(result == ISC_R_SUCCESS);
135446Strhodes	scan_interfaces(server, ISC_FALSE);
135446Strhodes	isc_task_endexclusive(server->task);
135446Strhodes}
135446Strhodes
135446Strhodesstatic void
135446Strhodesheartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
135446Strhodes	ns_server_t *server = (ns_server_t *) event->ev_arg;
135446Strhodes	dns_view_t *view;
135446Strhodes
135446Strhodes	UNUSED(task);
135446Strhodes	isc_event_free(&event);
135446Strhodes	view = ISC_LIST_HEAD(server->viewlist);
135446Strhodes	while (view != NULL) {
135446Strhodes		dns_view_dialup(view);
135446Strhodes		view = ISC_LIST_NEXT(view, link);
135446Strhodes	}
135446Strhodes}
135446Strhodes
170222Sdougbstatic void
170222Sdougbpps_timer_tick(isc_task_t *task, isc_event_t *event) {
170222Sdougb	static unsigned int oldrequests = 0;
170222Sdougb	unsigned int requests = ns_client_requests;
170222Sdougb
170222Sdougb	UNUSED(task);
170222Sdougb	isc_event_free(&event);
170222Sdougb
170222Sdougb	/*
170222Sdougb	 * Don't worry about wrapping as the overflow result will be right.
170222Sdougb	 */
170222Sdougb	dns_pps = (requests - oldrequests) / 1200;
170222Sdougb	oldrequests = requests;
170222Sdougb}
170222Sdougb
135446Strhodes/*
135446Strhodes * Replace the current value of '*field', a dynamically allocated
135446Strhodes * string or NULL, with a dynamically allocated copy of the
135446Strhodes * null-terminated string pointed to by 'value', or NULL.
135446Strhodes */
135446Strhodesstatic isc_result_t
135446Strhodessetstring(ns_server_t *server, char **field, const char *value) {
135446Strhodes	char *copy;
135446Strhodes
135446Strhodes	if (value != NULL) {
135446Strhodes		copy = isc_mem_strdup(server->mctx, value);
135446Strhodes		if (copy == NULL)
135446Strhodes			return (ISC_R_NOMEMORY);
135446Strhodes	} else {
135446Strhodes		copy = NULL;
135446Strhodes	}
135446Strhodes
135446Strhodes	if (*field != NULL)
135446Strhodes		isc_mem_free(server->mctx, *field);
135446Strhodes
135446Strhodes	*field = copy;
135446Strhodes	return (ISC_R_SUCCESS);
186462Sdougb}
135446Strhodes
135446Strhodes/*
135446Strhodes * Replace the current value of '*field', a dynamically allocated
135446Strhodes * string or NULL, with another dynamically allocated string
135446Strhodes * or NULL if whether 'obj' is a string or void value, respectively.
135446Strhodes */
135446Strhodesstatic isc_result_t
165071Sdougbsetoptstring(ns_server_t *server, char **field, const cfg_obj_t *obj) {
135446Strhodes	if (cfg_obj_isvoid(obj))
135446Strhodes		return (setstring(server, field, NULL));
135446Strhodes	else
135446Strhodes		return (setstring(server, field, cfg_obj_asstring(obj)));
135446Strhodes}
135446Strhodes
135446Strhodesstatic void
165071Sdougbset_limit(const cfg_obj_t **maps, const char *configname,
165071Sdougb	  const char *description, isc_resource_t resourceid,
165071Sdougb	  isc_resourcevalue_t defaultvalue)
135446Strhodes{
165071Sdougb	const cfg_obj_t *obj = NULL;
165071Sdougb	const char *resource;
135446Strhodes	isc_resourcevalue_t value;
135446Strhodes	isc_result_t result;
135446Strhodes
135446Strhodes	if (ns_config_get(maps, configname, &obj) != ISC_R_SUCCESS)
135446Strhodes		return;
135446Strhodes
135446Strhodes	if (cfg_obj_isstring(obj)) {
135446Strhodes		resource = cfg_obj_asstring(obj);
135446Strhodes		if (strcasecmp(resource, "unlimited") == 0)
135446Strhodes			value = ISC_RESOURCE_UNLIMITED;
135446Strhodes		else {
135446Strhodes			INSIST(strcasecmp(resource, "default") == 0);
135446Strhodes			value = defaultvalue;
135446Strhodes		}
135446Strhodes	} else
135446Strhodes		value = cfg_obj_asuint64(obj);
135446Strhodes
135446Strhodes	result = isc_resource_setlimit(resourceid, value);
135446Strhodes	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
135446Strhodes		      result == ISC_R_SUCCESS ?
186462Sdougb			ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
204619Sdougb		      "set maximum %s to %" ISC_PRINT_QUADFORMAT "u: %s",
135446Strhodes		      description, value, isc_result_totext(result));
135446Strhodes}
135446Strhodes
135446Strhodes#define SETLIMIT(cfgvar, resource, description) \
135446Strhodes	set_limit(maps, cfgvar, description, isc_resource_ ## resource, \
135446Strhodes		  ns_g_init ## resource)
135446Strhodes
135446Strhodesstatic void
165071Sdougbset_limits(const cfg_obj_t **maps) {
135446Strhodes	SETLIMIT("stacksize", stacksize, "stack size");
135446Strhodes	SETLIMIT("datasize", datasize, "data size");
135446Strhodes	SETLIMIT("coresize", coresize, "core size");
135446Strhodes	SETLIMIT("files", openfiles, "open files");
135446Strhodes}
135446Strhodes
186462Sdougbstatic void
186462Sdougbportset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
186462Sdougb		 isc_boolean_t positive)
135446Strhodes{
165071Sdougb	const cfg_listelt_t *element;
135446Strhodes
135446Strhodes	for (element = cfg_list_first(ports);
135446Strhodes	     element != NULL;
135446Strhodes	     element = cfg_list_next(element)) {
165071Sdougb		const cfg_obj_t *obj = cfg_listelt_value(element);
186462Sdougb
186462Sdougb		if (cfg_obj_isuint32(obj)) {
186462Sdougb			in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
186462Sdougb
186462Sdougb			if (positive)
186462Sdougb				isc_portset_add(portset, port);
186462Sdougb			else
186462Sdougb				isc_portset_remove(portset, port);
186462Sdougb		} else {
186462Sdougb			const cfg_obj_t *obj_loport, *obj_hiport;
186462Sdougb			in_port_t loport, hiport;
186462Sdougb
186462Sdougb			obj_loport = cfg_tuple_get(obj, "loport");
186462Sdougb			loport = (in_port_t)cfg_obj_asuint32(obj_loport);
186462Sdougb			obj_hiport = cfg_tuple_get(obj, "hiport");
186462Sdougb			hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
186462Sdougb
186462Sdougb			if (positive)
186462Sdougb				isc_portset_addrange(portset, loport, hiport);
186462Sdougb			else {
186462Sdougb				isc_portset_removerange(portset, loport,
186462Sdougb							hiport);
186462Sdougb			}
186462Sdougb		}
135446Strhodes	}
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
170222Sdougbremoved(dns_zone_t *zone, void *uap) {
170222Sdougb	const char *type;
170222Sdougb
186462Sdougb	if (dns_zone_getview(zone) != uap)
170222Sdougb		return (ISC_R_SUCCESS);
170222Sdougb
170222Sdougb	switch (dns_zone_gettype(zone)) {
170222Sdougb	case dns_zone_master:
170222Sdougb		type = "master";
170222Sdougb		break;
170222Sdougb	case dns_zone_slave:
170222Sdougb		type = "slave";
170222Sdougb		break;
170222Sdougb	case dns_zone_stub:
170222Sdougb		type = "stub";
170222Sdougb		break;
254897Serwin	case dns_zone_redirect:
254897Serwin		type = "redirect";
254897Serwin		break;
170222Sdougb	default:
170222Sdougb		type = "other";
170222Sdougb		break;
170222Sdougb	}
170222Sdougb	dns_zone_log(zone, ISC_LOG_INFO, "(%s) removed", type);
170222Sdougb	return (ISC_R_SUCCESS);
170222Sdougb}
170222Sdougb
224092Sdougbstatic void
224092Sdougbcleanup_session_key(ns_server_t *server, isc_mem_t *mctx) {
224092Sdougb	if (server->session_keyfile != NULL) {
224092Sdougb		isc_file_remove(server->session_keyfile);
224092Sdougb		isc_mem_free(mctx, server->session_keyfile);
224092Sdougb		server->session_keyfile = NULL;
224092Sdougb	}
224092Sdougb
224092Sdougb	if (server->session_keyname != NULL) {
224092Sdougb		if (dns_name_dynamic(server->session_keyname))
224092Sdougb			dns_name_free(server->session_keyname, mctx);
224092Sdougb		isc_mem_put(mctx, server->session_keyname, sizeof(dns_name_t));
224092Sdougb		server->session_keyname = NULL;
224092Sdougb	}
224092Sdougb
224092Sdougb	if (server->sessionkey != NULL)
224092Sdougb		dns_tsigkey_detach(&server->sessionkey);
224092Sdougb
224092Sdougb	server->session_keyalg = DST_ALG_UNKNOWN;
224092Sdougb	server->session_keybits = 0;
224092Sdougb}
224092Sdougb
170222Sdougbstatic isc_result_t
224092Sdougbgenerate_session_key(const char *filename, const char *keynamestr,
224092Sdougb		     dns_name_t *keyname, const char *algstr,
224092Sdougb		     dns_name_t *algname, unsigned int algtype,
224092Sdougb		     isc_uint16_t bits, isc_mem_t *mctx,
224092Sdougb		     dns_tsigkey_t **tsigkeyp)
224092Sdougb{
224092Sdougb	isc_result_t result = ISC_R_SUCCESS;
224092Sdougb	dst_key_t *key = NULL;
224092Sdougb	isc_buffer_t key_txtbuffer;
224092Sdougb	isc_buffer_t key_rawbuffer;
224092Sdougb	char key_txtsecret[256];
224092Sdougb	char key_rawsecret[64];
224092Sdougb	isc_region_t key_rawregion;
224092Sdougb	isc_stdtime_t now;
224092Sdougb	dns_tsigkey_t *tsigkey = NULL;
224092Sdougb	FILE *fp = NULL;
224092Sdougb
224092Sdougb	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
224092Sdougb		      "generating session key for dynamic DNS");
224092Sdougb
224092Sdougb	/* generate key */
224092Sdougb	result = dst_key_generate(keyname, algtype, bits, 1, 0,
224092Sdougb				  DNS_KEYPROTO_ANY, dns_rdataclass_in,
224092Sdougb				  mctx, &key);
224092Sdougb	if (result != ISC_R_SUCCESS)
224092Sdougb		return (result);
224092Sdougb
224092Sdougb	/*
224092Sdougb	 * Dump the key to the buffer for later use.  Should be done before
224092Sdougb	 * we transfer the ownership of key to tsigkey.
224092Sdougb	 */
224092Sdougb	isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
224092Sdougb	CHECK(dst_key_tobuffer(key, &key_rawbuffer));
224092Sdougb
224092Sdougb	isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
224092Sdougb	isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
224092Sdougb	CHECK(isc_base64_totext(&key_rawregion, -1, "", &key_txtbuffer));
224092Sdougb
224092Sdougb	/* Store the key in tsigkey. */
224092Sdougb	isc_stdtime_get(&now);
224092Sdougb	CHECK(dns_tsigkey_createfromkey(dst_key_name(key), algname, key,
224092Sdougb					ISC_FALSE, NULL, now, now, mctx, NULL,
224092Sdougb					&tsigkey));
224092Sdougb
224092Sdougb	/* Dump the key to the key file. */
224092Sdougb	fp = ns_os_openfile(filename, S_IRUSR|S_IWUSR, ISC_TRUE);
224092Sdougb	if (fp == NULL) {
224092Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
224092Sdougb			      "could not create %s", filename);
224092Sdougb		result = ISC_R_NOPERM;
224092Sdougb		goto cleanup;
224092Sdougb	}
224092Sdougb
224092Sdougb	fprintf(fp, "key \"%s\" {\n"
224092Sdougb		"\talgorithm %s;\n"
224092Sdougb		"\tsecret \"%.*s\";\n};\n", keynamestr, algstr,
224092Sdougb		(int) isc_buffer_usedlength(&key_txtbuffer),
224092Sdougb		(char*) isc_buffer_base(&key_txtbuffer));
224092Sdougb
224092Sdougb	RUNTIME_CHECK(isc_stdio_flush(fp) == ISC_R_SUCCESS);
224092Sdougb	RUNTIME_CHECK(isc_stdio_close(fp) == ISC_R_SUCCESS);
224092Sdougb
224092Sdougb	dst_key_free(&key);
224092Sdougb
224092Sdougb	*tsigkeyp = tsigkey;
224092Sdougb
224092Sdougb	return (ISC_R_SUCCESS);
224092Sdougb
224092Sdougb  cleanup:
224092Sdougb	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb		      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
224092Sdougb		      "failed to generate session key "
224092Sdougb		      "for dynamic DNS: %s", isc_result_totext(result));
224092Sdougb	if (tsigkey != NULL)
224092Sdougb		dns_tsigkey_detach(&tsigkey);
224092Sdougb	if (key != NULL)
224092Sdougb		dst_key_free(&key);
224092Sdougb
224092Sdougb	return (result);
224092Sdougb}
224092Sdougb
224092Sdougbstatic isc_result_t
224092Sdougbconfigure_session_key(const cfg_obj_t **maps, ns_server_t *server,
224092Sdougb		      isc_mem_t *mctx)
224092Sdougb{
224092Sdougb	const char *keyfile, *keynamestr, *algstr;
224092Sdougb	unsigned int algtype;
224092Sdougb	dns_fixedname_t fname;
224092Sdougb	dns_name_t *keyname, *algname;
224092Sdougb	isc_buffer_t buffer;
224092Sdougb	isc_uint16_t bits;
224092Sdougb	const cfg_obj_t *obj;
224092Sdougb	isc_boolean_t need_deleteold = ISC_FALSE;
224092Sdougb	isc_boolean_t need_createnew = ISC_FALSE;
224092Sdougb	isc_result_t result;
224092Sdougb
224092Sdougb	obj = NULL;
224092Sdougb	result = ns_config_get(maps, "session-keyfile", &obj);
224092Sdougb	if (result == ISC_R_SUCCESS) {
224092Sdougb		if (cfg_obj_isvoid(obj))
224092Sdougb			keyfile = NULL; /* disable it */
224092Sdougb		else
224092Sdougb			keyfile = cfg_obj_asstring(obj);
224092Sdougb	} else
224092Sdougb		keyfile = ns_g_defaultsessionkeyfile;
224092Sdougb
224092Sdougb	obj = NULL;
224092Sdougb	result = ns_config_get(maps, "session-keyname", &obj);
224092Sdougb	INSIST(result == ISC_R_SUCCESS);
224092Sdougb	keynamestr = cfg_obj_asstring(obj);
224092Sdougb	dns_fixedname_init(&fname);
254402Serwin	isc_buffer_constinit(&buffer, keynamestr, strlen(keynamestr));
224092Sdougb	isc_buffer_add(&buffer, strlen(keynamestr));
224092Sdougb	keyname = dns_fixedname_name(&fname);
224092Sdougb	result = dns_name_fromtext(keyname, &buffer, dns_rootname, 0, NULL);
224092Sdougb	if (result != ISC_R_SUCCESS)
224092Sdougb		return (result);
224092Sdougb
224092Sdougb	obj = NULL;
224092Sdougb	result = ns_config_get(maps, "session-keyalg", &obj);
224092Sdougb	INSIST(result == ISC_R_SUCCESS);
224092Sdougb	algstr = cfg_obj_asstring(obj);
224092Sdougb	algname = NULL;
224092Sdougb	result = ns_config_getkeyalgorithm2(algstr, &algname, &algtype, &bits);
224092Sdougb	if (result != ISC_R_SUCCESS) {
224092Sdougb		const char *s = " (keeping current key)";
224092Sdougb
224092Sdougb		cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "session-keyalg: "
224092Sdougb			    "unsupported or unknown algorithm '%s'%s",
224092Sdougb			    algstr,
224092Sdougb			    server->session_keyfile != NULL ? s : "");
224092Sdougb		return (result);
224092Sdougb	}
224092Sdougb
224092Sdougb	/* See if we need to (re)generate a new key. */
224092Sdougb	if (keyfile == NULL) {
224092Sdougb		if (server->session_keyfile != NULL)
224092Sdougb			need_deleteold = ISC_TRUE;
224092Sdougb	} else if (server->session_keyfile == NULL)
224092Sdougb		need_createnew = ISC_TRUE;
224092Sdougb	else if (strcmp(keyfile, server->session_keyfile) != 0 ||
224092Sdougb		 !dns_name_equal(server->session_keyname, keyname) ||
224092Sdougb		 server->session_keyalg != algtype ||
224092Sdougb		 server->session_keybits != bits) {
224092Sdougb		need_deleteold = ISC_TRUE;
224092Sdougb		need_createnew = ISC_TRUE;
224092Sdougb	}
224092Sdougb
224092Sdougb	if (need_deleteold) {
224092Sdougb		INSIST(server->session_keyfile != NULL);
224092Sdougb		INSIST(server->session_keyname != NULL);
224092Sdougb		INSIST(server->sessionkey != NULL);
224092Sdougb
224092Sdougb		cleanup_session_key(server, mctx);
224092Sdougb	}
224092Sdougb
224092Sdougb	if (need_createnew) {
224092Sdougb		INSIST(server->sessionkey == NULL);
224092Sdougb		INSIST(server->session_keyfile == NULL);
224092Sdougb		INSIST(server->session_keyname == NULL);
224092Sdougb		INSIST(server->session_keyalg == DST_ALG_UNKNOWN);
224092Sdougb		INSIST(server->session_keybits == 0);
224092Sdougb
224092Sdougb		server->session_keyname = isc_mem_get(mctx, sizeof(dns_name_t));
224092Sdougb		if (server->session_keyname == NULL)
224092Sdougb			goto cleanup;
224092Sdougb		dns_name_init(server->session_keyname, NULL);
224092Sdougb		CHECK(dns_name_dup(keyname, mctx, server->session_keyname));
224092Sdougb
224092Sdougb		server->session_keyfile = isc_mem_strdup(mctx, keyfile);
224092Sdougb		if (server->session_keyfile == NULL)
224092Sdougb			goto cleanup;
224092Sdougb
224092Sdougb		server->session_keyalg = algtype;
224092Sdougb		server->session_keybits = bits;
224092Sdougb
224092Sdougb		CHECK(generate_session_key(keyfile, keynamestr, keyname, algstr,
224092Sdougb					   algname, algtype, bits, mctx,
224092Sdougb					   &server->sessionkey));
224092Sdougb	}
224092Sdougb
224092Sdougb	return (result);
224092Sdougb
224092Sdougb  cleanup:
224092Sdougb	cleanup_session_key(server, mctx);
224092Sdougb	return (result);
224092Sdougb}
224092Sdougb
224092Sdougbstatic isc_result_t
225361Sdougbsetup_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
225361Sdougb	       cfg_parser_t *parser, cfg_aclconfctx_t *actx)
225361Sdougb{
225361Sdougb	isc_result_t result = ISC_R_SUCCESS;
225361Sdougb	isc_boolean_t allow = ISC_FALSE;
225361Sdougb	struct cfg_context *nzcfg = NULL;
225361Sdougb	cfg_parser_t *nzparser = NULL;
225361Sdougb	cfg_obj_t *nzconfig = NULL;
225361Sdougb	const cfg_obj_t *maps[4];
225361Sdougb	const cfg_obj_t *options = NULL, *voptions = NULL;
225361Sdougb	const cfg_obj_t *nz = NULL;
225361Sdougb	int i = 0;
225361Sdougb
225361Sdougb	REQUIRE (config != NULL);
225361Sdougb
225361Sdougb	if (vconfig != NULL)
225361Sdougb		voptions = cfg_tuple_get(vconfig, "options");
225361Sdougb	if (voptions != NULL)
225361Sdougb		maps[i++] = voptions;
225361Sdougb	result = cfg_map_get(config, "options", &options);
225361Sdougb	if (result == ISC_R_SUCCESS)
225361Sdougb		maps[i++] = options;
225361Sdougb	maps[i++] = ns_g_defaults;
225361Sdougb	maps[i] = NULL;
225361Sdougb
225361Sdougb	result = ns_config_get(maps, "allow-new-zones", &nz);
225361Sdougb	if (result == ISC_R_SUCCESS)
225361Sdougb		allow = cfg_obj_asboolean(nz);
225361Sdougb
225361Sdougb	if (!allow) {
225361Sdougb		dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
225361Sdougb		return (ISC_R_SUCCESS);
225361Sdougb	}
225361Sdougb
225361Sdougb	nzcfg = isc_mem_get(view->mctx, sizeof(*nzcfg));
225361Sdougb	if (nzcfg == NULL) {
225361Sdougb		dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
225361Sdougb		return (ISC_R_NOMEMORY);
225361Sdougb	}
225361Sdougb
225361Sdougb	dns_view_setnewzones(view, allow, nzcfg, newzone_cfgctx_destroy);
225361Sdougb
225361Sdougb	memset(nzcfg, 0, sizeof(*nzcfg));
225361Sdougb	isc_mem_attach(view->mctx, &nzcfg->mctx);
225361Sdougb	cfg_obj_attach(config, &nzcfg->config);
225361Sdougb	cfg_parser_attach(parser, &nzcfg->parser);
225361Sdougb	cfg_aclconfctx_attach(actx, &nzcfg->actx);
225361Sdougb
225361Sdougb	/*
225361Sdougb	 * Attempt to create a parser and parse the newzones
225361Sdougb	 * file.  If successful, preserve both; otherwise leave
225361Sdougb	 * them NULL.
225361Sdougb	 */
225361Sdougb	result = cfg_parser_create(view->mctx, ns_g_lctx, &nzparser);
225361Sdougb	if (result == ISC_R_SUCCESS)
225361Sdougb		result = cfg_parse_file(nzparser, view->new_zone_file,
225361Sdougb					&cfg_type_newzones, &nzconfig);
225361Sdougb	if (result == ISC_R_SUCCESS) {
225361Sdougb		cfg_parser_attach(nzparser, &nzcfg->nzparser);
225361Sdougb		cfg_obj_attach(nzconfig, &nzcfg->nzconfig);
225361Sdougb	}
225361Sdougb
225361Sdougb	if (nzparser != NULL) {
225361Sdougb		if (nzconfig != NULL)
225361Sdougb			cfg_obj_destroy(nzparser, &nzconfig);
225361Sdougb		cfg_parser_destroy(&nzparser);
225361Sdougb	}
225361Sdougb
225361Sdougb	return (ISC_R_SUCCESS);
225361Sdougb}
225361Sdougb
225361Sdougbstatic int
225361Sdougbcount_zones(const cfg_obj_t *conf) {
225361Sdougb	const cfg_obj_t *zonelist = NULL;
225361Sdougb	const cfg_listelt_t *element;
225361Sdougb	int n = 0;
225361Sdougb
225361Sdougb	REQUIRE(conf != NULL);
225361Sdougb
225361Sdougb	cfg_map_get(conf, "zone", &zonelist);
225361Sdougb	for (element = cfg_list_first(zonelist);
225361Sdougb	     element != NULL;
225361Sdougb	     element = cfg_list_next(element))
225361Sdougb		n++;
225361Sdougb
225361Sdougb	return (n);
225361Sdougb}
225361Sdougb
225361Sdougbstatic isc_result_t
135446Strhodesload_configuration(const char *filename, ns_server_t *server,
135446Strhodes		   isc_boolean_t first_time)
135446Strhodes{
224092Sdougb	cfg_obj_t *config = NULL, *bindkeys = NULL;
224092Sdougb	cfg_parser_t *conf_parser = NULL, *bindkeys_parser = NULL;
182645Sdougb	const cfg_listelt_t *element;
182645Sdougb	const cfg_obj_t *builtin_views;
182645Sdougb	const cfg_obj_t *maps[3];
182645Sdougb	const cfg_obj_t *obj;
165071Sdougb	const cfg_obj_t *options;
186462Sdougb	const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
165071Sdougb	const cfg_obj_t *views;
135446Strhodes	dns_view_t *view = NULL;
135446Strhodes	dns_view_t *view_next;
182645Sdougb	dns_viewlist_t tmpviewlist;
224092Sdougb	dns_viewlist_t viewlist, builtin_viewlist;
186462Sdougb	in_port_t listen_port, udpport_low, udpport_high;
182645Sdougb	int i;
262706Serwin	int num_zones = 0;
262706Serwin	isc_boolean_t exclusive = ISC_FALSE;
182645Sdougb	isc_interval_t interval;
262706Serwin	isc_logconfig_t *logc = NULL;
186462Sdougb	isc_portset_t *v4portset = NULL;
186462Sdougb	isc_portset_t *v6portset = NULL;
186462Sdougb	isc_resourcevalue_t nfiles;
182645Sdougb	isc_result_t result;
182645Sdougb	isc_uint32_t heartbeat_interval;
135446Strhodes	isc_uint32_t interface_interval;
182645Sdougb	isc_uint32_t reserved;
135446Strhodes	isc_uint32_t udpsize;
262706Serwin	ns_cache_t *nsc;
224092Sdougb	ns_cachelist_t cachelist, tmpcachelist;
262706Serwin	struct cfg_context *nzctx;
186462Sdougb	unsigned int maxsocks;
135446Strhodes
135446Strhodes	ISC_LIST_INIT(viewlist);
224092Sdougb	ISC_LIST_INIT(builtin_viewlist);
224092Sdougb	ISC_LIST_INIT(cachelist);
135446Strhodes
225361Sdougb	/* Create the ACL configuration context */
225361Sdougb	if (ns_g_aclconfctx != NULL)
225361Sdougb		cfg_aclconfctx_detach(&ns_g_aclconfctx);
225361Sdougb	CHECK(cfg_aclconfctx_create(ns_g_mctx, &ns_g_aclconfctx));
225361Sdougb
135446Strhodes	/*
135446Strhodes	 * Parse the global default pseudo-config file.
135446Strhodes	 */
135446Strhodes	if (first_time) {
135446Strhodes		CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
135446Strhodes		RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
224092Sdougb					  &ns_g_defaults) == ISC_R_SUCCESS);
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Parse the configuration file using the new config code.
135446Strhodes	 */
135446Strhodes	result = ISC_R_FAILURE;
135446Strhodes	config = NULL;
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Unless this is lwresd with the -C option, parse the config file.
135446Strhodes	 */
135446Strhodes	if (!(ns_g_lwresdonly && lwresd_g_useresolvconf)) {
135446Strhodes		isc_log_write(ns_g_lctx,
135446Strhodes			      NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
135446Strhodes			      ISC_LOG_INFO, "loading configuration from '%s'",
135446Strhodes			      filename);
224092Sdougb		CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
224092Sdougb		cfg_parser_setcallback(conf_parser, directory_callback, NULL);
224092Sdougb		result = cfg_parse_file(conf_parser, filename,
224092Sdougb					&cfg_type_namedconf, &config);
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * If this is lwresd with the -C option, or lwresd with no -C or -c
135446Strhodes	 * option where the above parsing failed, parse resolv.conf.
135446Strhodes	 */
135446Strhodes	if (ns_g_lwresdonly &&
135446Strhodes	    (lwresd_g_useresolvconf ||
135446Strhodes	     (!ns_g_conffileset && result == ISC_R_FILENOTFOUND)))
135446Strhodes	{
135446Strhodes		isc_log_write(ns_g_lctx,
135446Strhodes			      NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
135446Strhodes			      ISC_LOG_INFO, "loading configuration from '%s'",
135446Strhodes			      lwresd_g_resolvconffile);
224092Sdougb		if (conf_parser != NULL)
224092Sdougb			cfg_parser_destroy(&conf_parser);
224092Sdougb		CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &conf_parser));
224092Sdougb		result = ns_lwresd_parseeresolvconf(ns_g_mctx, conf_parser,
135446Strhodes						    &config);
135446Strhodes	}
135446Strhodes	CHECK(result);
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Check the validity of the configuration.
135446Strhodes	 */
135446Strhodes	CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx));
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Fill in the maps array, used for resolving defaults.
135446Strhodes	 */
135446Strhodes	i = 0;
135446Strhodes	options = NULL;
135446Strhodes	result = cfg_map_get(config, "options", &options);
135446Strhodes	if (result == ISC_R_SUCCESS)
135446Strhodes		maps[i++] = options;
135446Strhodes	maps[i++] = ns_g_defaults;
225361Sdougb	maps[i] = NULL;
135446Strhodes
135446Strhodes	/*
224092Sdougb	 * If bind.keys exists, load it.  If "dnssec-lookaside auto"
224092Sdougb	 * is turned on, the keys found there will be used as default
224092Sdougb	 * trust anchors.
224092Sdougb	 */
224092Sdougb	obj = NULL;
224092Sdougb	result = ns_config_get(maps, "bindkeys-file", &obj);
224092Sdougb	INSIST(result == ISC_R_SUCCESS);
224092Sdougb	CHECKM(setstring(server, &server->bindkeysfile,
224092Sdougb	       cfg_obj_asstring(obj)), "strdup");
224092Sdougb
224092Sdougb	if (access(server->bindkeysfile, R_OK) == 0) {
224092Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
224092Sdougb			      "reading built-in trusted "
224092Sdougb			      "keys from file '%s'", server->bindkeysfile);
224092Sdougb
224092Sdougb		CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx,
224092Sdougb					&bindkeys_parser));
224092Sdougb
224092Sdougb		result = cfg_parse_file(bindkeys_parser, server->bindkeysfile,
224092Sdougb					&cfg_type_bindkeys, &bindkeys);
224092Sdougb		CHECK(result);
224092Sdougb	}
224092Sdougb
234010Sdougb	/* Ensure exclusive access to configuration data. */
234010Sdougb	if (!exclusive) {
234010Sdougb		result = isc_task_beginexclusive(server->task);
234010Sdougb		RUNTIME_CHECK(result == ISC_R_SUCCESS);
234010Sdougb		exclusive = ISC_TRUE;
234010Sdougb	}
234010Sdougb
224092Sdougb	/*
135446Strhodes	 * Set process limits, which (usually) needs to be done as root.
135446Strhodes	 */
135446Strhodes	set_limits(maps);
135446Strhodes
135446Strhodes	/*
186462Sdougb	 * Check if max number of open sockets that the system allows is
224092Sdougb	 * sufficiently large.	Failing this condition is not necessarily fatal,
186462Sdougb	 * but may cause subsequent runtime failures for a busy recursive
186462Sdougb	 * server.
182645Sdougb	 */
186462Sdougb	result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &maxsocks);
186462Sdougb	if (result != ISC_R_SUCCESS)
186462Sdougb		maxsocks = 0;
186462Sdougb	result = isc_resource_getcurlimit(isc_resource_openfiles, &nfiles);
186462Sdougb	if (result == ISC_R_SUCCESS && (isc_resourcevalue_t)maxsocks > nfiles) {
182645Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
182645Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
186462Sdougb			      "max open files (%" ISC_PRINT_QUADFORMAT "u)"
186462Sdougb			      " is smaller than max sockets (%u)",
186462Sdougb			      nfiles, maxsocks);
186462Sdougb	}
182645Sdougb
182645Sdougb	/*
182645Sdougb	 * Set the number of socket reserved for TCP, stdio etc.
182645Sdougb	 */
182645Sdougb	obj = NULL;
182645Sdougb	result = ns_config_get(maps, "reserved-sockets", &obj);
182645Sdougb	INSIST(result == ISC_R_SUCCESS);
182645Sdougb	reserved = cfg_obj_asuint32(obj);
186462Sdougb	if (maxsocks != 0) {
186462Sdougb		if (maxsocks < 128U)			/* Prevent underflow. */
186462Sdougb			reserved = 0;
186462Sdougb		else if (reserved > maxsocks - 128U)	/* Minimum UDP space. */
186462Sdougb			reserved = maxsocks - 128;
186462Sdougb	}
186462Sdougb	/* Minimum TCP/stdio space. */
186462Sdougb	if (reserved < 128U)
182645Sdougb		reserved = 128;
186462Sdougb	if (reserved + 128U > maxsocks && maxsocks != 0) {
182645Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
186462Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
182645Sdougb			      "less than 128 UDP sockets available after "
186462Sdougb			      "applying 'reserved-sockets' and 'maxsockets'");
182645Sdougb	}
182645Sdougb	isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
186462Sdougb
182645Sdougb	/*
135446Strhodes	 * Configure various server options.
135446Strhodes	 */
135446Strhodes	configure_server_quota(maps, "transfers-out", &server->xfroutquota);
135446Strhodes	configure_server_quota(maps, "tcp-clients", &server->tcpquota);
135446Strhodes	configure_server_quota(maps, "recursive-clients",
135446Strhodes			       &server->recursionquota);
153816Sdougb	if (server->recursionquota.max > 1000)
153816Sdougb		isc_quota_soft(&server->recursionquota,
153816Sdougb			       server->recursionquota.max - 100);
153816Sdougb	else
153816Sdougb		isc_quota_soft(&server->recursionquota, 0);
135446Strhodes
225361Sdougb	CHECK(configure_view_acl(NULL, config, "blackhole", NULL,
225361Sdougb				 ns_g_aclconfctx, ns_g_mctx,
225361Sdougb				 &server->blackholeacl));
135446Strhodes	if (server->blackholeacl != NULL)
135446Strhodes		dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
135446Strhodes					     server->blackholeacl);
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "match-mapped-addresses", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	server->aclenv.match_mapped = cfg_obj_asboolean(obj);
135446Strhodes
225361Sdougb	CHECKM(ns_statschannels_configure(ns_g_server, config, ns_g_aclconfctx),
193149Sdougb	       "configuring statistics server(s)");
193149Sdougb
186462Sdougb	/*
186462Sdougb	 * Configure sets of UDP query source ports.
186462Sdougb	 */
186462Sdougb	CHECKM(isc_portset_create(ns_g_mctx, &v4portset),
186462Sdougb	       "creating UDP port set");
186462Sdougb	CHECKM(isc_portset_create(ns_g_mctx, &v6portset),
186462Sdougb	       "creating UDP port set");
135446Strhodes
186462Sdougb	usev4ports = NULL;
186462Sdougb	usev6ports = NULL;
186462Sdougb	avoidv4ports = NULL;
186462Sdougb	avoidv6ports = NULL;
186462Sdougb
186462Sdougb	(void)ns_config_get(maps, "use-v4-udp-ports", &usev4ports);
186462Sdougb	if (usev4ports != NULL)
186462Sdougb		portset_fromconf(v4portset, usev4ports, ISC_TRUE);
186462Sdougb	else {
186462Sdougb		CHECKM(isc_net_getudpportrange(AF_INET, &udpport_low,
186462Sdougb					       &udpport_high),
186462Sdougb		       "get the default UDP/IPv4 port range");
186462Sdougb		if (udpport_low == udpport_high)
186462Sdougb			isc_portset_add(v4portset, udpport_low);
186462Sdougb		else {
186462Sdougb			isc_portset_addrange(v4portset, udpport_low,
186462Sdougb					     udpport_high);
186462Sdougb		}
186462Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
186462Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
186462Sdougb			      "using default UDP/IPv4 port range: [%d, %d]",
186462Sdougb			      udpport_low, udpport_high);
186462Sdougb	}
186462Sdougb	(void)ns_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
186462Sdougb	if (avoidv4ports != NULL)
186462Sdougb		portset_fromconf(v4portset, avoidv4ports, ISC_FALSE);
186462Sdougb
186462Sdougb	(void)ns_config_get(maps, "use-v6-udp-ports", &usev6ports);
186462Sdougb	if (usev6ports != NULL)
186462Sdougb		portset_fromconf(v6portset, usev6ports, ISC_TRUE);
186462Sdougb	else {
186462Sdougb		CHECKM(isc_net_getudpportrange(AF_INET6, &udpport_low,
186462Sdougb					       &udpport_high),
186462Sdougb		       "get the default UDP/IPv6 port range");
186462Sdougb		if (udpport_low == udpport_high)
186462Sdougb			isc_portset_add(v6portset, udpport_low);
186462Sdougb		else {
186462Sdougb			isc_portset_addrange(v6portset, udpport_low,
186462Sdougb					     udpport_high);
186462Sdougb		}
186462Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
186462Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
186462Sdougb			      "using default UDP/IPv6 port range: [%d, %d]",
186462Sdougb			      udpport_low, udpport_high);
186462Sdougb	}
186462Sdougb	(void)ns_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
186462Sdougb	if (avoidv6ports != NULL)
186462Sdougb		portset_fromconf(v6portset, avoidv6ports, ISC_FALSE);
186462Sdougb
186462Sdougb	dns_dispatchmgr_setavailports(ns_g_dispatchmgr, v4portset, v6portset);
186462Sdougb
135446Strhodes	/*
135446Strhodes	 * Set the EDNS UDP size when we don't match a view.
135446Strhodes	 */
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "edns-udp-size", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	udpsize = cfg_obj_asuint32(obj);
135446Strhodes	if (udpsize < 512)
135446Strhodes		udpsize = 512;
135446Strhodes	if (udpsize > 4096)
135446Strhodes		udpsize = 4096;
135446Strhodes	ns_g_udpsize = (isc_uint16_t)udpsize;
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Configure the zone manager.
135446Strhodes	 */
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "transfers-in", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	dns_zonemgr_settransfersin(server->zonemgr, cfg_obj_asuint32(obj));
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "transfers-per-ns", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj));
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "serial-query-rate", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	dns_zonemgr_setserialqueryrate(server->zonemgr, cfg_obj_asuint32(obj));
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Determine which port to use for listening for incoming connections.
135446Strhodes	 */
135446Strhodes	if (ns_g_port != 0)
135446Strhodes		listen_port = ns_g_port;
135446Strhodes	else
135446Strhodes		CHECKM(ns_config_getport(config, &listen_port), "port");
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Find the listen queue depth.
135446Strhodes	 */
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "tcp-listen-queue", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	ns_g_listen = cfg_obj_asuint32(obj);
262706Serwin	if ((ns_g_listen > 0) && (ns_g_listen < 10))
262706Serwin		ns_g_listen = 10;
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Configure the interface manager according to the "listen-on"
135446Strhodes	 * statement.
135446Strhodes	 */
135446Strhodes	{
165071Sdougb		const cfg_obj_t *clistenon = NULL;
135446Strhodes		ns_listenlist_t *listenon = NULL;
135446Strhodes
135446Strhodes		clistenon = NULL;
135446Strhodes		/*
135446Strhodes		 * Even though listen-on is present in the default
135446Strhodes		 * configuration, we can't use it here, since it isn't
135446Strhodes		 * used if we're in lwresd mode.  This way is easier.
135446Strhodes		 */
135446Strhodes		if (options != NULL)
135446Strhodes			(void)cfg_map_get(options, "listen-on", &clistenon);
135446Strhodes		if (clistenon != NULL) {
225361Sdougb			/* check return code? */
225361Sdougb			(void)ns_listenlist_fromconfig(clistenon, config,
225361Sdougb						       ns_g_aclconfctx,
225361Sdougb						       ns_g_mctx, &listenon);
135446Strhodes		} else if (!ns_g_lwresdonly) {
135446Strhodes			/*
135446Strhodes			 * Not specified, use default.
135446Strhodes			 */
135446Strhodes			CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
135446Strhodes						    ISC_TRUE, &listenon));
135446Strhodes		}
135446Strhodes		if (listenon != NULL) {
135446Strhodes			ns_interfacemgr_setlistenon4(server->interfacemgr,
135446Strhodes						     listenon);
135446Strhodes			ns_listenlist_detach(&listenon);
135446Strhodes		}
135446Strhodes	}
135446Strhodes	/*
135446Strhodes	 * Ditto for IPv6.
135446Strhodes	 */
135446Strhodes	{
165071Sdougb		const cfg_obj_t *clistenon = NULL;
135446Strhodes		ns_listenlist_t *listenon = NULL;
135446Strhodes
135446Strhodes		if (options != NULL)
135446Strhodes			(void)cfg_map_get(options, "listen-on-v6", &clistenon);
135446Strhodes		if (clistenon != NULL) {
225361Sdougb			/* check return code? */
225361Sdougb			(void)ns_listenlist_fromconfig(clistenon, config,
225361Sdougb						       ns_g_aclconfctx,
225361Sdougb						       ns_g_mctx, &listenon);
135446Strhodes		} else if (!ns_g_lwresdonly) {
193149Sdougb			isc_boolean_t enable;
135446Strhodes			/*
135446Strhodes			 * Not specified, use default.
135446Strhodes			 */
193149Sdougb			enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS);
135446Strhodes			CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
193149Sdougb						    enable, &listenon));
135446Strhodes		}
135446Strhodes		if (listenon != NULL) {
135446Strhodes			ns_interfacemgr_setlistenon6(server->interfacemgr,
135446Strhodes						     listenon);
135446Strhodes			ns_listenlist_detach(&listenon);
135446Strhodes		}
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Rescan the interface list to pick up changes in the
135446Strhodes	 * listen-on option.  It's important that we do this before we try
135446Strhodes	 * to configure the query source, since the dispatcher we use might
135446Strhodes	 * be shared with an interface.
135446Strhodes	 */
135446Strhodes	scan_interfaces(server, ISC_TRUE);
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Arrange for further interface scanning to occur periodically
135446Strhodes	 * as specified by the "interface-interval" option.
135446Strhodes	 */
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "interface-interval", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	interface_interval = cfg_obj_asuint32(obj) * 60;
135446Strhodes	if (interface_interval == 0) {
135446Strhodes		CHECK(isc_timer_reset(server->interface_timer,
135446Strhodes				      isc_timertype_inactive,
135446Strhodes				      NULL, NULL, ISC_TRUE));
135446Strhodes	} else if (server->interface_interval != interface_interval) {
135446Strhodes		isc_interval_set(&interval, interface_interval, 0);
135446Strhodes		CHECK(isc_timer_reset(server->interface_timer,
135446Strhodes				      isc_timertype_ticker,
135446Strhodes				      NULL, &interval, ISC_FALSE));
135446Strhodes	}
135446Strhodes	server->interface_interval = interface_interval;
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Configure the dialup heartbeat timer.
135446Strhodes	 */
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "heartbeat-interval", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	heartbeat_interval = cfg_obj_asuint32(obj) * 60;
135446Strhodes	if (heartbeat_interval == 0) {
135446Strhodes		CHECK(isc_timer_reset(server->heartbeat_timer,
135446Strhodes				      isc_timertype_inactive,
135446Strhodes				      NULL, NULL, ISC_TRUE));
135446Strhodes	} else if (server->heartbeat_interval != heartbeat_interval) {
135446Strhodes		isc_interval_set(&interval, heartbeat_interval, 0);
135446Strhodes		CHECK(isc_timer_reset(server->heartbeat_timer,
135446Strhodes				      isc_timertype_ticker,
135446Strhodes				      NULL, &interval, ISC_FALSE));
135446Strhodes	}
135446Strhodes	server->heartbeat_interval = heartbeat_interval;
186462Sdougb
170222Sdougb	isc_interval_set(&interval, 1200, 0);
170222Sdougb	CHECK(isc_timer_reset(server->pps_timer, isc_timertype_ticker, NULL,
170222Sdougb			      &interval, ISC_FALSE));
135446Strhodes
135446Strhodes	/*
224092Sdougb	 * Write the PID file.
224092Sdougb	 */
224092Sdougb	obj = NULL;
224092Sdougb	if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
224092Sdougb		if (cfg_obj_isvoid(obj))
224092Sdougb			ns_os_writepidfile(NULL, first_time);
224092Sdougb		else
224092Sdougb			ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
224092Sdougb	else if (ns_g_lwresdonly)
224092Sdougb		ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
224092Sdougb	else
224092Sdougb		ns_os_writepidfile(ns_g_defaultpidfile, first_time);
224092Sdougb
224092Sdougb	/*
224092Sdougb	 * Configure the server-wide session key.  This must be done before
224092Sdougb	 * configure views because zone configuration may need to know
224092Sdougb	 * session-keyname.
224092Sdougb	 *
224092Sdougb	 * Failure of session key generation isn't fatal at this time; if it
224092Sdougb	 * turns out that a session key is really needed but doesn't exist,
224092Sdougb	 * we'll treat it as a fatal error then.
224092Sdougb	 */
224092Sdougb	(void)configure_session_key(maps, server, ns_g_mctx);
224092Sdougb
225361Sdougb	views = NULL;
225361Sdougb	(void)cfg_map_get(config, "view", &views);
225361Sdougb
224092Sdougb	/*
225361Sdougb	 * Create the views and count all the configured zones in
225361Sdougb	 * order to correctly size the zone manager's task table.
225361Sdougb	 * (We only count zones for configured views; the built-in
225361Sdougb	 * "bind" view can be ignored as it only adds a negligible
225361Sdougb	 * number of zones.)
225361Sdougb	 *
225361Sdougb	 * If we're allowing new zones, we need to be able to find the
225361Sdougb	 * new zone file and count those as well.  So we setup the new
225361Sdougb	 * zone configuration context, but otherwise view configuration
225361Sdougb	 * waits until after the zone manager's task list has been sized.
225361Sdougb	 */
225361Sdougb	for (element = cfg_list_first(views);
225361Sdougb	     element != NULL;
225361Sdougb	     element = cfg_list_next(element))
225361Sdougb	{
225361Sdougb		cfg_obj_t *vconfig = cfg_listelt_value(element);
225361Sdougb		const cfg_obj_t *voptions = cfg_tuple_get(vconfig, "options");
225361Sdougb		view = NULL;
225361Sdougb
225361Sdougb		CHECK(create_view(vconfig, &viewlist, &view));
225361Sdougb		INSIST(view != NULL);
225361Sdougb
225361Sdougb		num_zones += count_zones(voptions);
225361Sdougb		CHECK(setup_newzones(view, config, vconfig, conf_parser,
225361Sdougb				     ns_g_aclconfctx));
225361Sdougb
225361Sdougb		nzctx = view->new_zone_config;
225361Sdougb		if (nzctx != NULL && nzctx->nzconfig != NULL)
225361Sdougb			num_zones += count_zones(nzctx->nzconfig);
225361Sdougb
225361Sdougb		dns_view_detach(&view);
225361Sdougb	}
225361Sdougb
225361Sdougb	/*
225361Sdougb	 * If there were no explicit views then we do the default
225361Sdougb	 * view here.
225361Sdougb	 */
225361Sdougb	if (views == NULL) {
225361Sdougb		CHECK(create_view(NULL, &viewlist, &view));
225361Sdougb		INSIST(view != NULL);
225361Sdougb
225361Sdougb		num_zones = count_zones(config);
225361Sdougb
225361Sdougb		CHECK(setup_newzones(view, config, NULL,  conf_parser,
225361Sdougb				     ns_g_aclconfctx));
225361Sdougb
225361Sdougb		nzctx = view->new_zone_config;
225361Sdougb		if (nzctx != NULL && nzctx->nzconfig != NULL)
225361Sdougb			num_zones += count_zones(nzctx->nzconfig);
225361Sdougb
225361Sdougb		dns_view_detach(&view);
225361Sdougb	}
225361Sdougb
225361Sdougb	/*
225361Sdougb	 * Zones have been counted; set the zone manager task pool size.
225361Sdougb	 */
225361Sdougb	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
225361Sdougb		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
225361Sdougb		      "sizing zone task pool based on %d zones", num_zones);
225361Sdougb	CHECK(dns_zonemgr_setsize(ns_g_server->zonemgr, num_zones));
225361Sdougb
225361Sdougb	/*
135446Strhodes	 * Configure and freeze all explicit views.  Explicit
135446Strhodes	 * views that have zones were already created at parsing
135446Strhodes	 * time, but views with no zones must be created here.
135446Strhodes	 */
135446Strhodes	for (element = cfg_list_first(views);
135446Strhodes	     element != NULL;
135446Strhodes	     element = cfg_list_next(element))
135446Strhodes	{
224092Sdougb		cfg_obj_t *vconfig = cfg_listelt_value(element);
225361Sdougb
135446Strhodes		view = NULL;
225361Sdougb		CHECK(find_view(vconfig, &viewlist, &view));
225361Sdougb		CHECK(configure_view(view, config, vconfig,
225361Sdougb				     &cachelist, bindkeys, ns_g_mctx,
225361Sdougb				     ns_g_aclconfctx, ISC_TRUE));
135446Strhodes		dns_view_freeze(view);
135446Strhodes		dns_view_detach(&view);
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Make sure we have a default view if and only if there
135446Strhodes	 * were no explicit views.
135446Strhodes	 */
135446Strhodes	if (views == NULL) {
225361Sdougb		view = NULL;
225361Sdougb		CHECK(find_view(NULL, &viewlist, &view));
225361Sdougb		CHECK(configure_view(view, config, NULL,
224092Sdougb				     &cachelist, bindkeys,
225361Sdougb				     ns_g_mctx, ns_g_aclconfctx, ISC_TRUE));
135446Strhodes		dns_view_freeze(view);
135446Strhodes		dns_view_detach(&view);
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
224092Sdougb	 * Create (or recreate) the built-in views.
135446Strhodes	 */
135446Strhodes	builtin_views = NULL;
135446Strhodes	RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
135446Strhodes				  &builtin_views) == ISC_R_SUCCESS);
135446Strhodes	for (element = cfg_list_first(builtin_views);
135446Strhodes	     element != NULL;
135446Strhodes	     element = cfg_list_next(element))
135446Strhodes	{
224092Sdougb		cfg_obj_t *vconfig = cfg_listelt_value(element);
224092Sdougb
224092Sdougb		CHECK(create_view(vconfig, &builtin_viewlist, &view));
225361Sdougb		CHECK(configure_view(view, config, vconfig,
224092Sdougb				     &cachelist, bindkeys,
225361Sdougb				     ns_g_mctx, ns_g_aclconfctx, ISC_FALSE));
135446Strhodes		dns_view_freeze(view);
135446Strhodes		dns_view_detach(&view);
135446Strhodes		view = NULL;
135446Strhodes	}
135446Strhodes
224092Sdougb	/* Now combine the two viewlists into one */
224092Sdougb	ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
224092Sdougb
224092Sdougb	/* Swap our new view list with the production one. */
135446Strhodes	tmpviewlist = server->viewlist;
135446Strhodes	server->viewlist = viewlist;
135446Strhodes	viewlist = tmpviewlist;
135446Strhodes
224092Sdougb	/* Make the view list available to each of the views */
224092Sdougb	view = ISC_LIST_HEAD(server->viewlist);
224092Sdougb	while (view != NULL) {
224092Sdougb		view->viewlist = &server->viewlist;
224092Sdougb		view = ISC_LIST_NEXT(view, link);
224092Sdougb	}
224092Sdougb
224092Sdougb	/* Swap our new cache list with the production one. */
224092Sdougb	tmpcachelist = server->cachelist;
224092Sdougb	server->cachelist = cachelist;
224092Sdougb	cachelist = tmpcachelist;
224092Sdougb
224092Sdougb	/* Load the TKEY information from the configuration. */
135446Strhodes	if (options != NULL) {
135446Strhodes		dns_tkeyctx_t *t = NULL;
135446Strhodes		CHECKM(ns_tkeyctx_fromconfig(options, ns_g_mctx, ns_g_entropy,
135446Strhodes					     &t),
135446Strhodes		       "configuring TKEY");
135446Strhodes		if (server->tkeyctx != NULL)
135446Strhodes			dns_tkeyctx_destroy(&server->tkeyctx);
135446Strhodes		server->tkeyctx = t;
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Bind the control port(s).
135446Strhodes	 */
135446Strhodes	CHECKM(ns_controls_configure(ns_g_server->controls, config,
225361Sdougb				     ns_g_aclconfctx),
135446Strhodes	       "binding control channel(s)");
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Bind the lwresd port(s).
135446Strhodes	 */
135446Strhodes	CHECKM(ns_lwresd_configure(ns_g_mctx, config),
135446Strhodes	       "binding lightweight resolver ports");
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Open the source of entropy.
135446Strhodes	 */
135446Strhodes	if (first_time) {
135446Strhodes		obj = NULL;
135446Strhodes		result = ns_config_get(maps, "random-device", &obj);
135446Strhodes		if (result != ISC_R_SUCCESS) {
135446Strhodes			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
135446Strhodes				      "no source of entropy found");
135446Strhodes		} else {
135446Strhodes			const char *randomdev = cfg_obj_asstring(obj);
135446Strhodes			result = isc_entropy_createfilesource(ns_g_entropy,
135446Strhodes							      randomdev);
135446Strhodes			if (result != ISC_R_SUCCESS)
135446Strhodes				isc_log_write(ns_g_lctx,
135446Strhodes					      NS_LOGCATEGORY_GENERAL,
135446Strhodes					      NS_LOGMODULE_SERVER,
135446Strhodes					      ISC_LOG_INFO,
135446Strhodes					      "could not open entropy source "
135446Strhodes					      "%s: %s",
135446Strhodes					      randomdev,
135446Strhodes					      isc_result_totext(result));
135446Strhodes#ifdef PATH_RANDOMDEV
135446Strhodes			if (ns_g_fallbackentropy != NULL) {
135446Strhodes				if (result != ISC_R_SUCCESS) {
135446Strhodes					isc_log_write(ns_g_lctx,
135446Strhodes						      NS_LOGCATEGORY_GENERAL,
135446Strhodes						      NS_LOGMODULE_SERVER,
135446Strhodes						      ISC_LOG_INFO,
135446Strhodes						      "using pre-chroot entropy source "
135446Strhodes						      "%s",
135446Strhodes						      PATH_RANDOMDEV);
135446Strhodes					isc_entropy_detach(&ns_g_entropy);
135446Strhodes					isc_entropy_attach(ns_g_fallbackentropy,
135446Strhodes							   &ns_g_entropy);
135446Strhodes				}
135446Strhodes				isc_entropy_detach(&ns_g_fallbackentropy);
135446Strhodes			}
135446Strhodes#endif
135446Strhodes		}
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Relinquish root privileges.
135446Strhodes	 */
135446Strhodes	if (first_time)
135446Strhodes		ns_os_changeuser();
135446Strhodes
135446Strhodes	/*
186462Sdougb	 * Check that the working directory is writable.
186462Sdougb	 */
186462Sdougb	if (access(".", W_OK) != 0) {
186462Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
186462Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
186462Sdougb			      "the working directory is not writable");
186462Sdougb	}
186462Sdougb
186462Sdougb	/*
135446Strhodes	 * Configure the logging system.
135446Strhodes	 *
135446Strhodes	 * Do this after changing UID to make sure that any log
135446Strhodes	 * files specified in named.conf get created by the
135446Strhodes	 * unprivileged user, not root.
135446Strhodes	 */
135446Strhodes	if (ns_g_logstderr) {
262706Serwin		const cfg_obj_t *logobj = NULL;
262706Serwin
135446Strhodes		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
262706Serwin			      "not using config file logging "
262706Serwin			      "statement for logging due to "
262706Serwin			      "-g option");
262706Serwin
262706Serwin		(void)cfg_map_get(config, "logging", &logobj);
262706Serwin		if (logobj != NULL) {
262706Serwin			result = ns_log_configure(NULL, logobj);
262706Serwin			if (result != ISC_R_SUCCESS) {
262706Serwin				isc_log_write(ns_g_lctx,
262706Serwin					      NS_LOGCATEGORY_GENERAL,
262706Serwin					      NS_LOGMODULE_SERVER,
262706Serwin					      ISC_LOG_ERROR,
262706Serwin					      "checking logging configuration "
262706Serwin					      "failed: %s",
262706Serwin					      isc_result_totext(result));
262706Serwin				goto cleanup;
262706Serwin			}
262706Serwin		}
135446Strhodes	} else {
165071Sdougb		const cfg_obj_t *logobj = NULL;
135446Strhodes
135446Strhodes		CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
135446Strhodes		       "creating new logging configuration");
135446Strhodes
135446Strhodes		logobj = NULL;
135446Strhodes		(void)cfg_map_get(config, "logging", &logobj);
135446Strhodes		if (logobj != NULL) {
135446Strhodes			CHECKM(ns_log_configure(logc, logobj),
135446Strhodes			       "configuring logging");
135446Strhodes		} else {
135446Strhodes			CHECKM(ns_log_setdefaultchannels(logc),
135446Strhodes			       "setting up default logging channels");
135446Strhodes			CHECKM(ns_log_setunmatchedcategory(logc),
135446Strhodes			       "setting up default 'category unmatched'");
135446Strhodes			CHECKM(ns_log_setdefaultcategory(logc),
135446Strhodes			       "setting up default 'category default'");
135446Strhodes		}
135446Strhodes
262706Serwin		CHECKM(isc_logconfig_use(ns_g_lctx, logc),
262706Serwin		       "installing logging configuration");
262706Serwin		logc = NULL;
135446Strhodes
135446Strhodes		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes			      NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
135446Strhodes			      "now using logging configuration from "
135446Strhodes			      "config file");
135446Strhodes	}
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Set the default value of the query logging flag depending
135446Strhodes	 * whether a "queries" category has been defined.  This is
135446Strhodes	 * a disgusting hack, but we need to do this for BIND 8
135446Strhodes	 * compatibility.
135446Strhodes	 */
135446Strhodes	if (first_time) {
165071Sdougb		const cfg_obj_t *logobj = NULL;
165071Sdougb		const cfg_obj_t *categories = NULL;
135446Strhodes
135446Strhodes		obj = NULL;
135446Strhodes		if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
135446Strhodes			server->log_queries = cfg_obj_asboolean(obj);
135446Strhodes		} else {
135446Strhodes
135446Strhodes			(void)cfg_map_get(config, "logging", &logobj);
135446Strhodes			if (logobj != NULL)
135446Strhodes				(void)cfg_map_get(logobj, "category",
135446Strhodes						  &categories);
135446Strhodes			if (categories != NULL) {
165071Sdougb				const cfg_listelt_t *element;
135446Strhodes				for (element = cfg_list_first(categories);
135446Strhodes				     element != NULL;
135446Strhodes				     element = cfg_list_next(element))
135446Strhodes				{
165071Sdougb					const cfg_obj_t *catobj;
165071Sdougb					const char *str;
135446Strhodes
135446Strhodes					obj = cfg_listelt_value(element);
135446Strhodes					catobj = cfg_tuple_get(obj, "name");
135446Strhodes					str = cfg_obj_asstring(catobj);
135446Strhodes					if (strcasecmp(str, "queries") == 0)
135446Strhodes						server->log_queries = ISC_TRUE;
135446Strhodes				}
135446Strhodes			}
135446Strhodes		}
135446Strhodes	}
135446Strhodes
186462Sdougb
135446Strhodes	obj = NULL;
135446Strhodes	if (options != NULL &&
193149Sdougb	    cfg_map_get(options, "memstatistics", &obj) == ISC_R_SUCCESS)
193149Sdougb		ns_g_memstatistics = cfg_obj_asboolean(obj);
193149Sdougb	else
193149Sdougb		ns_g_memstatistics =
193149Sdougb			ISC_TF((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0);
193149Sdougb
193149Sdougb	obj = NULL;
193149Sdougb	if (ns_config_get(maps, "memstatistics-file", &obj) == ISC_R_SUCCESS)
135446Strhodes		ns_main_setmemstats(cfg_obj_asstring(obj));
193149Sdougb	else if (ns_g_memstatistics)
193149Sdougb		ns_main_setmemstats("named.memstats");
135446Strhodes	else
135446Strhodes		ns_main_setmemstats(NULL);
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "statistics-file", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
135446Strhodes	       "strdup");
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "dump-file", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
135446Strhodes	       "strdup");
135446Strhodes
135446Strhodes	obj = NULL;
224092Sdougb	result = ns_config_get(maps, "secroots-file", &obj);
224092Sdougb	INSIST(result == ISC_R_SUCCESS);
224092Sdougb	CHECKM(setstring(server, &server->secrootsfile, cfg_obj_asstring(obj)),
224092Sdougb	       "strdup");
224092Sdougb
224092Sdougb	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "recursing-file", &obj);
135446Strhodes	INSIST(result == ISC_R_SUCCESS);
135446Strhodes	CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
135446Strhodes	       "strdup");
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "version", &obj);
135446Strhodes	if (result == ISC_R_SUCCESS) {
135446Strhodes		CHECKM(setoptstring(server, &server->version, obj), "strdup");
135446Strhodes		server->version_set = ISC_TRUE;
135446Strhodes	} else {
135446Strhodes		server->version_set = ISC_FALSE;
135446Strhodes	}
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "hostname", &obj);
135446Strhodes	if (result == ISC_R_SUCCESS) {
135446Strhodes		CHECKM(setoptstring(server, &server->hostname, obj), "strdup");
135446Strhodes		server->hostname_set = ISC_TRUE;
135446Strhodes	} else {
135446Strhodes		server->hostname_set = ISC_FALSE;
135446Strhodes	}
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "server-id", &obj);
135446Strhodes	server->server_usehostname = ISC_FALSE;
135446Strhodes	if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
193149Sdougb		/* The parser translates "hostname" to ISC_TRUE */
193149Sdougb		server->server_usehostname = cfg_obj_asboolean(obj);
193149Sdougb		result = setstring(server, &server->server_id, NULL);
193149Sdougb		RUNTIME_CHECK(result == ISC_R_SUCCESS);
135446Strhodes	} else if (result == ISC_R_SUCCESS) {
193149Sdougb		/* Found a quoted string */
135446Strhodes		CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
135446Strhodes	} else {
170222Sdougb		result = setstring(server, &server->server_id, NULL);
135446Strhodes		RUNTIME_CHECK(result == ISC_R_SUCCESS);
135446Strhodes	}
135446Strhodes
135446Strhodes	obj = NULL;
135446Strhodes	result = ns_config_get(maps, "flush-zones-on-shutdown", &obj);
135446Strhodes	if (result == ISC_R_SUCCESS) {
135446Strhodes		server->flushonshutdown = cfg_obj_asboolean(obj);
135446Strhodes	} else {
135446Strhodes		server->flushonshutdown = ISC_FALSE;
135446Strhodes	}
135446Strhodes
135446Strhodes	result = ISC_R_SUCCESS;
135446Strhodes
135446Strhodes cleanup:
262706Serwin	if (logc != NULL)
262706Serwin		isc_logconfig_destroy(&logc);
262706Serwin
186462Sdougb	if (v4portset != NULL)
186462Sdougb		isc_portset_destroy(ns_g_mctx, &v4portset);
186462Sdougb
186462Sdougb	if (v6portset != NULL)
186462Sdougb		isc_portset_destroy(ns_g_mctx, &v6portset);
186462Sdougb
224092Sdougb	if (conf_parser != NULL) {
135446Strhodes		if (config != NULL)
224092Sdougb			cfg_obj_destroy(conf_parser, &config);
224092Sdougb		cfg_parser_destroy(&conf_parser);
135446Strhodes	}
135446Strhodes
224092Sdougb	if (bindkeys_parser != NULL) {
224092Sdougb		if (bindkeys  != NULL)
224092Sdougb			cfg_obj_destroy(bindkeys_parser, &bindkeys);
224092Sdougb		cfg_parser_destroy(&bindkeys_parser);
224092Sdougb	}
224092Sdougb
135446Strhodes	if (view != NULL)
135446Strhodes		dns_view_detach(&view);
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * This cleans up either the old production view list
135446Strhodes	 * or our temporary list depending on whether they
135446Strhodes	 * were swapped above or not.
135446Strhodes	 */
135446Strhodes	for (view = ISC_LIST_HEAD(viewlist);
135446Strhodes	     view != NULL;
135446Strhodes	     view = view_next) {
135446Strhodes		view_next = ISC_LIST_NEXT(view, link);
135446Strhodes		ISC_LIST_UNLINK(viewlist, view, link);
170222Sdougb		if (result == ISC_R_SUCCESS &&
170222Sdougb		    strcmp(view->name, "_bind") != 0)
170222Sdougb			(void)dns_zt_apply(view->zonetable, ISC_FALSE,
170222Sdougb					   removed, view);
135446Strhodes		dns_view_detach(&view);
135446Strhodes	}
135446Strhodes
224092Sdougb	/* Same cleanup for cache list. */
224092Sdougb	while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) {
224092Sdougb		ISC_LIST_UNLINK(cachelist, nsc, link);
224092Sdougb		dns_cache_detach(&nsc->cache);
224092Sdougb		isc_mem_put(server->mctx, nsc, sizeof(*nsc));
224092Sdougb	}
224092Sdougb
135446Strhodes	/*
135446Strhodes	 * Adjust the listening interfaces in accordance with the source
135446Strhodes	 * addresses specified in views and zones.
135446Strhodes	 */
135446Strhodes	if (isc_net_probeipv6() == ISC_R_SUCCESS)
135446Strhodes		adjust_interfaces(server, ns_g_mctx);
135446Strhodes
135446Strhodes	/* Relinquish exclusive access to configuration data. */
234010Sdougb	if (exclusive)
234010Sdougb		isc_task_endexclusive(server->task);
135446Strhodes
135446Strhodes	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
135446Strhodes		      ISC_LOG_DEBUG(1), "load_configuration: %s",
135446Strhodes		      isc_result_totext(result));
135446Strhodes
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
254897Serwinview_loaded(void *arg) {
135446Strhodes	isc_result_t result;
254897Serwin	ns_zoneload_t *zl = (ns_zoneload_t *) arg;
254897Serwin	ns_server_t *server = zl->server;
254897Serwin	unsigned int refs;
254897Serwin
254897Serwin
254897Serwin	/*
254897Serwin	 * Force zone maintenance.  Do this after loading
254897Serwin	 * so that we know when we need to force AXFR of
254897Serwin	 * slave zones whose master files are missing.
254897Serwin	 *
254897Serwin	 * We use the zoneload reference counter to let us
254897Serwin	 * know when all views are finished.
254897Serwin	 */
254897Serwin	isc_refcount_decrement(&zl->refs, &refs);
254897Serwin	if (refs != 0)
254897Serwin		return (ISC_R_SUCCESS);
254897Serwin
254897Serwin	isc_refcount_destroy(&zl->refs);
254897Serwin	isc_mem_put(server->mctx, zl, sizeof (*zl));
254897Serwin
254897Serwin	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
254897Serwin		      ISC_LOG_NOTICE, "all zones loaded");
254897Serwin	CHECKFATAL(dns_zonemgr_forcemaint(server->zonemgr),
254897Serwin		   "forcing zone maintenance");
254897Serwin
254897Serwin	ns_os_started();
254897Serwin	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
254897Serwin		      ISC_LOG_NOTICE, "running");
254897Serwin
254897Serwin	return (ISC_R_SUCCESS);
254897Serwin}
254897Serwin
254897Serwinstatic isc_result_t
262706Serwinload_zones(ns_server_t *server, isc_boolean_t init) {
254897Serwin	isc_result_t result;
135446Strhodes	dns_view_t *view;
254897Serwin	ns_zoneload_t *zl;
254897Serwin	unsigned int refs = 0;
135446Strhodes
254897Serwin	zl = isc_mem_get(server->mctx, sizeof (*zl));
254897Serwin	if (zl == NULL)
254897Serwin		return (ISC_R_NOMEMORY);
254897Serwin	zl->server = server;
254897Serwin
135446Strhodes	result = isc_task_beginexclusive(server->task);
135446Strhodes	RUNTIME_CHECK(result == ISC_R_SUCCESS);
135446Strhodes
254897Serwin	isc_refcount_init(&zl->refs, 1);
254897Serwin
135446Strhodes	/*
254897Serwin	 * Schedule zones to be loaded from disk.
135446Strhodes	 */
135446Strhodes	for (view = ISC_LIST_HEAD(server->viewlist);
135446Strhodes	     view != NULL;
135446Strhodes	     view = ISC_LIST_NEXT(view, link))
135446Strhodes	{
254897Serwin		if (view->managed_keys != NULL) {
254897Serwin			result = dns_zone_load(view->managed_keys);
254897Serwin			if (result != ISC_R_SUCCESS &&
254897Serwin			    result != DNS_R_UPTODATE &&
254897Serwin			    result != DNS_R_CONTINUE)
254897Serwin				goto cleanup;
254897Serwin		}
254897Serwin		if (view->redirect != NULL) {
254897Serwin			result = dns_zone_load(view->redirect);
254897Serwin			if (result != ISC_R_SUCCESS &&
254897Serwin			    result != DNS_R_UPTODATE &&
254897Serwin			    result != DNS_R_CONTINUE)
254897Serwin				goto cleanup;
254897Serwin		}
254897Serwin
254897Serwin		/*
254897Serwin		 * 'dns_view_asyncload' calls view_loaded if there are no
254897Serwin		 * zones.
254897Serwin		 */
254897Serwin		isc_refcount_increment(&zl->refs, NULL);
254897Serwin		CHECK(dns_view_asyncload(view, view_loaded, zl));
135446Strhodes	}
135446Strhodes
135446Strhodes cleanup:
254897Serwin	isc_refcount_decrement(&zl->refs, &refs);
254897Serwin	if (refs == 0) {
254897Serwin		isc_refcount_destroy(&zl->refs);
254897Serwin		isc_mem_put(server->mctx, zl, sizeof (*zl));
262706Serwin	} else if (init) {
254897Serwin		/*
254897Serwin		 * Place the task manager into privileged mode.  This
254897Serwin		 * ensures that after we leave task-exclusive mode, no
254897Serwin		 * other tasks will be able to run except for the ones
262706Serwin		 * that are loading zones. (This should only be done during
262706Serwin		 * the initial server setup; it isn't necessary during
262706Serwin		 * a reload.)
254897Serwin		 */
254897Serwin		isc_taskmgr_setmode(ns_g_taskmgr, isc_taskmgrmode_privileged);
254897Serwin	}
254897Serwin
186462Sdougb	isc_task_endexclusive(server->task);
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
135446Strhodesload_new_zones(ns_server_t *server, isc_boolean_t stop) {
135446Strhodes	isc_result_t result;
135446Strhodes	dns_view_t *view;
135446Strhodes
135446Strhodes	result = isc_task_beginexclusive(server->task);
135446Strhodes	RUNTIME_CHECK(result == ISC_R_SUCCESS);
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Load zone data from disk.
135446Strhodes	 */
135446Strhodes	for (view = ISC_LIST_HEAD(server->viewlist);
135446Strhodes	     view != NULL;
135446Strhodes	     view = ISC_LIST_NEXT(view, link))
135446Strhodes	{
135446Strhodes		CHECK(dns_view_loadnew(view, stop));
224092Sdougb
224092Sdougb		/* Load managed-keys data */
224092Sdougb		if (view->managed_keys != NULL)
224092Sdougb			CHECK(dns_zone_loadnew(view->managed_keys));
254897Serwin		if (view->redirect != NULL)
254897Serwin			CHECK(dns_zone_loadnew(view->redirect));
135446Strhodes	}
224092Sdougb
135446Strhodes	/*
224092Sdougb	 * Resume zone XFRs.
135446Strhodes	 */
135446Strhodes	dns_zonemgr_resumexfrs(server->zonemgr);
135446Strhodes cleanup:
186462Sdougb	isc_task_endexclusive(server->task);
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic void
135446Strhodesrun_server(isc_task_t *task, isc_event_t *event) {
135446Strhodes	isc_result_t result;
135446Strhodes	ns_server_t *server = (ns_server_t *)event->ev_arg;
135446Strhodes
143731Sdougb	INSIST(task == server->task);
135446Strhodes
135446Strhodes	isc_event_free(&event);
135446Strhodes
135446Strhodes	CHECKFATAL(dns_dispatchmgr_create(ns_g_mctx, ns_g_entropy,
135446Strhodes					  &ns_g_dispatchmgr),
135446Strhodes		   "creating dispatch manager");
135446Strhodes
193149Sdougb	dns_dispatchmgr_setstats(ns_g_dispatchmgr, server->resolverstats);
193149Sdougb
135446Strhodes	CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
135446Strhodes					  ns_g_socketmgr, ns_g_dispatchmgr,
135446Strhodes					  &server->interfacemgr),
135446Strhodes		   "creating interface manager");
135446Strhodes
135446Strhodes	CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
135446Strhodes				    NULL, NULL, server->task,
135446Strhodes				    interface_timer_tick,
135446Strhodes				    server, &server->interface_timer),
135446Strhodes		   "creating interface timer");
135446Strhodes
135446Strhodes	CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
135446Strhodes				    NULL, NULL, server->task,
135446Strhodes				    heartbeat_timer_tick,
135446Strhodes				    server, &server->heartbeat_timer),
135446Strhodes		   "creating heartbeat timer");
135446Strhodes
170222Sdougb	CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
170222Sdougb				    NULL, NULL, server->task, pps_timer_tick,
170222Sdougb				    server, &server->pps_timer),
170222Sdougb		   "creating pps timer");
170222Sdougb
135446Strhodes	CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser),
135446Strhodes		   "creating default configuration parser");
135446Strhodes
135446Strhodes	if (ns_g_lwresdonly)
135446Strhodes		CHECKFATAL(load_configuration(lwresd_g_conffile, server,
135446Strhodes					      ISC_TRUE),
135446Strhodes			   "loading configuration");
135446Strhodes	else
135446Strhodes		CHECKFATAL(load_configuration(ns_g_conffile, server, ISC_TRUE),
135446Strhodes			   "loading configuration");
135446Strhodes
135446Strhodes	isc_hash_init();
135446Strhodes
262706Serwin	CHECKFATAL(load_zones(server, ISC_TRUE), "loading zones");
135446Strhodes}
135446Strhodes
186462Sdougbvoid
135446Strhodesns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) {
135446Strhodes
135446Strhodes	REQUIRE(NS_SERVER_VALID(server));
135446Strhodes
135446Strhodes	server->flushonshutdown = flush;
135446Strhodes}
135446Strhodes
135446Strhodesstatic void
135446Strhodesshutdown_server(isc_task_t *task, isc_event_t *event) {
135446Strhodes	isc_result_t result;
135446Strhodes	dns_view_t *view, *view_next;
135446Strhodes	ns_server_t *server = (ns_server_t *)event->ev_arg;
135446Strhodes	isc_boolean_t flush = server->flushonshutdown;
224092Sdougb	ns_cache_t *nsc;
135446Strhodes
135446Strhodes	UNUSED(task);
135446Strhodes	INSIST(task == server->task);
135446Strhodes
135446Strhodes	result = isc_task_beginexclusive(server->task);
135446Strhodes	RUNTIME_CHECK(result == ISC_R_SUCCESS);
135446Strhodes
135446Strhodes	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
135446Strhodes		      ISC_LOG_INFO, "shutting down%s",
135446Strhodes		      flush ? ": flushing changes" : "");
135446Strhodes
193149Sdougb	ns_statschannels_shutdown(server);
135446Strhodes	ns_controls_shutdown(server->controls);
135446Strhodes	end_reserved_dispatches(server, ISC_TRUE);
224092Sdougb	cleanup_session_key(server, server->mctx);
135446Strhodes
225361Sdougb	if (ns_g_aclconfctx != NULL)
225361Sdougb		cfg_aclconfctx_detach(&ns_g_aclconfctx);
225361Sdougb
135446Strhodes	cfg_obj_destroy(ns_g_parser, &ns_g_config);
135446Strhodes	cfg_parser_destroy(&ns_g_parser);
135446Strhodes
135446Strhodes	for (view = ISC_LIST_HEAD(server->viewlist);
135446Strhodes	     view != NULL;
135446Strhodes	     view = view_next) {
135446Strhodes		view_next = ISC_LIST_NEXT(view, link);
135446Strhodes		ISC_LIST_UNLINK(server->viewlist, view, link);
135446Strhodes		if (flush)
135446Strhodes			dns_view_flushanddetach(&view);
135446Strhodes		else
135446Strhodes			dns_view_detach(&view);
135446Strhodes	}
135446Strhodes
224092Sdougb	while ((nsc = ISC_LIST_HEAD(server->cachelist)) != NULL) {
224092Sdougb		ISC_LIST_UNLINK(server->cachelist, nsc, link);
224092Sdougb		dns_cache_detach(&nsc->cache);
224092Sdougb		isc_mem_put(server->mctx, nsc, sizeof(*nsc));
224092Sdougb	}
224092Sdougb
135446Strhodes	isc_timer_detach(&server->interface_timer);
135446Strhodes	isc_timer_detach(&server->heartbeat_timer);
170222Sdougb	isc_timer_detach(&server->pps_timer);
135446Strhodes
135446Strhodes	ns_interfacemgr_shutdown(server->interfacemgr);
135446Strhodes	ns_interfacemgr_detach(&server->interfacemgr);
135446Strhodes
135446Strhodes	dns_dispatchmgr_destroy(&ns_g_dispatchmgr);
135446Strhodes
135446Strhodes	dns_zonemgr_shutdown(server->zonemgr);
135446Strhodes
224092Sdougb	if (ns_g_sessionkey != NULL) {
224092Sdougb		dns_tsigkey_detach(&ns_g_sessionkey);
224092Sdougb		dns_name_free(&ns_g_sessionkeyname, server->mctx);
224092Sdougb	}
224092Sdougb
135446Strhodes	if (server->blackholeacl != NULL)
135446Strhodes		dns_acl_detach(&server->blackholeacl);
135446Strhodes
135446Strhodes	dns_db_detach(&server->in_roothints);
135446Strhodes
135446Strhodes	isc_task_endexclusive(server->task);
135446Strhodes
135446Strhodes	isc_task_detach(&server->task);
135446Strhodes
135446Strhodes	isc_event_free(&event);
135446Strhodes}
135446Strhodes
135446Strhodesvoid
135446Strhodesns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
135446Strhodes	isc_result_t result;
225361Sdougb	ns_server_t *server = isc_mem_get(mctx, sizeof(*server));
135446Strhodes
135446Strhodes	if (server == NULL)
135446Strhodes		fatal("allocating server object", ISC_R_NOMEMORY);
135446Strhodes
135446Strhodes	server->mctx = mctx;
135446Strhodes	server->task = NULL;
135446Strhodes
135446Strhodes	/* Initialize configuration data with default values. */
135446Strhodes
135446Strhodes	result = isc_quota_init(&server->xfroutquota, 10);
135446Strhodes	RUNTIME_CHECK(result == ISC_R_SUCCESS);
135446Strhodes	result = isc_quota_init(&server->tcpquota, 10);
135446Strhodes	RUNTIME_CHECK(result == ISC_R_SUCCESS);
135446Strhodes	result = isc_quota_init(&server->recursionquota, 100);
135446Strhodes	RUNTIME_CHECK(result == ISC_R_SUCCESS);
135446Strhodes
135446Strhodes	result = dns_aclenv_init(mctx, &server->aclenv);
135446Strhodes	RUNTIME_CHECK(result == ISC_R_SUCCESS);
135446Strhodes
135446Strhodes	/* Initialize server data structures. */
135446Strhodes	server->zonemgr = NULL;
135446Strhodes	server->interfacemgr = NULL;
135446Strhodes	ISC_LIST_INIT(server->viewlist);
135446Strhodes	server->in_roothints = NULL;
135446Strhodes	server->blackholeacl = NULL;
135446Strhodes
135446Strhodes	CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
135446Strhodes				     &server->in_roothints),
135446Strhodes		   "setting up root hints");
135446Strhodes
135446Strhodes	CHECKFATAL(isc_mutex_init(&server->reload_event_lock),
135446Strhodes		   "initializing reload event lock");
135446Strhodes	server->reload_event =
135446Strhodes		isc_event_allocate(ns_g_mctx, server,
135446Strhodes				   NS_EVENT_RELOAD,
135446Strhodes				   ns_server_reload,
135446Strhodes				   server,
135446Strhodes				   sizeof(isc_event_t));
135446Strhodes	CHECKFATAL(server->reload_event == NULL ?
135446Strhodes		   ISC_R_NOMEMORY : ISC_R_SUCCESS,
135446Strhodes		   "allocating reload event");
135446Strhodes
224092Sdougb	CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
224092Sdougb				 ns_g_engine, ISC_ENTROPY_GOODONLY),
135446Strhodes		   "initializing DST");
135446Strhodes
135446Strhodes	server->tkeyctx = NULL;
135446Strhodes	CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
135446Strhodes				      &server->tkeyctx),
135446Strhodes		   "creating TKEY context");
135446Strhodes
135446Strhodes	/*
135446Strhodes	 * Setup the server task, which is responsible for coordinating
245163Serwin	 * startup and shutdown of the server, as well as all exclusive
245163Serwin	 * tasks.
135446Strhodes	 */
135446Strhodes	CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
135446Strhodes		   "creating server task");
135446Strhodes	isc_task_setname(server->task, "server", server);
245163Serwin	isc_taskmgr_setexcltask(ns_g_taskmgr, server->task);
135446Strhodes	CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
135446Strhodes		   "isc_task_onshutdown");
135446Strhodes	CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server),
135446Strhodes		   "isc_app_onrun");
135446Strhodes
135446Strhodes	server->interface_timer = NULL;
135446Strhodes	server->heartbeat_timer = NULL;
170222Sdougb	server->pps_timer = NULL;
186462Sdougb
135446Strhodes	server->interface_interval = 0;
135446Strhodes	server->heartbeat_interval = 0;
135446Strhodes
135446Strhodes	CHECKFATAL(dns_zonemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_timermgr,
135446Strhodes				      ns_g_socketmgr, &server->zonemgr),
135446Strhodes		   "dns_zonemgr_create");
225361Sdougb	CHECKFATAL(dns_zonemgr_setsize(server->zonemgr, 1000),
225361Sdougb		   "dns_zonemgr_setsize");
135446Strhodes
135446Strhodes	server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
135446Strhodes	CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
135446Strhodes		   "isc_mem_strdup");
193149Sdougb	server->nsstats = NULL;
193149Sdougb	server->rcvquerystats = NULL;
193149Sdougb	server->opcodestats = NULL;
193149Sdougb	server->zonestats = NULL;
193149Sdougb	server->resolverstats = NULL;
193149Sdougb	server->sockstats = NULL;
193149Sdougb	CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
193149Sdougb				    isc_sockstatscounter_max),
193149Sdougb		   "isc_stats_create");
193149Sdougb	isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
135446Strhodes
224092Sdougb	server->bindkeysfile = isc_mem_strdup(server->mctx, "bind.keys");
224092Sdougb	CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY :
224092Sdougb						  ISC_R_SUCCESS,
224092Sdougb		   "isc_mem_strdup");
224092Sdougb
135446Strhodes	server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
135446Strhodes	CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
135446Strhodes		   "isc_mem_strdup");
135446Strhodes
224092Sdougb	server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
224092Sdougb	CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY :
224092Sdougb						  ISC_R_SUCCESS,
224092Sdougb		   "isc_mem_strdup");
224092Sdougb
135446Strhodes	server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
135446Strhodes	CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
135446Strhodes		   "isc_mem_strdup");
135446Strhodes
135446Strhodes	server->hostname_set = ISC_FALSE;
135446Strhodes	server->hostname = NULL;
186462Sdougb	server->version_set = ISC_FALSE;
135446Strhodes	server->version = NULL;
135446Strhodes	server->server_usehostname = ISC_FALSE;
135446Strhodes	server->server_id = NULL;
135446Strhodes
193149Sdougb	CHECKFATAL(isc_stats_create(ns_g_mctx, &server->nsstats,
193149Sdougb				    dns_nsstatscounter_max),
193149Sdougb		   "dns_stats_create (server)");
135446Strhodes
193149Sdougb	CHECKFATAL(dns_rdatatypestats_create(ns_g_mctx,
193149Sdougb					     &server->rcvquerystats),
193149Sdougb		   "dns_stats_create (rcvquery)");
193149Sdougb
193149Sdougb	CHECKFATAL(dns_opcodestats_create(ns_g_mctx, &server->opcodestats),
193149Sdougb		   "dns_stats_create (opcode)");
193149Sdougb
193149Sdougb	CHECKFATAL(isc_stats_create(ns_g_mctx, &server->zonestats,
193149Sdougb				    dns_zonestatscounter_max),
193149Sdougb		   "dns_stats_create (zone)");
193149Sdougb
193149Sdougb	CHECKFATAL(isc_stats_create(ns_g_mctx, &server->resolverstats,
193149Sdougb				    dns_resstatscounter_max),
193149Sdougb		   "dns_stats_create (resolver)");
193149Sdougb
135446Strhodes	server->flushonshutdown = ISC_FALSE;
135446Strhodes	server->log_queries = ISC_FALSE;
135446Strhodes
135446Strhodes	server->controls = NULL;
135446Strhodes	CHECKFATAL(ns_controls_create(server, &server->controls),
135446Strhodes		   "ns_controls_create");
135446Strhodes	server->dispatchgen = 0;
135446Strhodes	ISC_LIST_INIT(server->dispatches);
135446Strhodes
193149Sdougb	ISC_LIST_INIT(server->statschannels);
193149Sdougb
224092Sdougb	ISC_LIST_INIT(server->cachelist);
224092Sdougb
224092Sdougb	server->sessionkey = NULL;
224092Sdougb	server->session_keyfile = NULL;
224092Sdougb	server->session_keyname = NULL;
224092Sdougb	server->session_keyalg = DST_ALG_UNKNOWN;
224092Sdougb	server->session_keybits = 0;
224092Sdougb
135446Strhodes	server->magic = NS_SERVER_MAGIC;
135446Strhodes	*serverp = server;
135446Strhodes}
135446Strhodes
135446Strhodesvoid
135446Strhodesns_server_destroy(ns_server_t **serverp) {
135446Strhodes	ns_server_t *server = *serverp;
135446Strhodes	REQUIRE(NS_SERVER_VALID(server));
135446Strhodes
135446Strhodes	ns_controls_destroy(&server->controls);
135446Strhodes
193149Sdougb	isc_stats_detach(&server->nsstats);
193149Sdougb	dns_stats_detach(&server->rcvquerystats);
193149Sdougb	dns_stats_detach(&server->opcodestats);
193149Sdougb	isc_stats_detach(&server->zonestats);
193149Sdougb	isc_stats_detach(&server->resolverstats);
193149Sdougb	isc_stats_detach(&server->sockstats);
135446Strhodes
135446Strhodes	isc_mem_free(server->mctx, server->statsfile);
224092Sdougb	isc_mem_free(server->mctx, server->bindkeysfile);
135446Strhodes	isc_mem_free(server->mctx, server->dumpfile);
224092Sdougb	isc_mem_free(server->mctx, server->secrootsfile);
135446Strhodes	isc_mem_free(server->mctx, server->recfile);
135446Strhodes
135446Strhodes	if (server->version != NULL)
135446Strhodes		isc_mem_free(server->mctx, server->version);
135446Strhodes	if (server->hostname != NULL)
135446Strhodes		isc_mem_free(server->mctx, server->hostname);
135446Strhodes	if (server->server_id != NULL)
135446Strhodes		isc_mem_free(server->mctx, server->server_id);
135446Strhodes
225361Sdougb	if (server->zonemgr != NULL)
225361Sdougb		dns_zonemgr_detach(&server->zonemgr);
135446Strhodes
135446Strhodes	if (server->tkeyctx != NULL)
135446Strhodes		dns_tkeyctx_destroy(&server->tkeyctx);
135446Strhodes
135446Strhodes	dst_lib_destroy();
135446Strhodes
135446Strhodes	isc_event_free(&server->reload_event);
135446Strhodes
135446Strhodes	INSIST(ISC_LIST_EMPTY(server->viewlist));
224092Sdougb	INSIST(ISC_LIST_EMPTY(server->cachelist));
135446Strhodes
135446Strhodes	dns_aclenv_destroy(&server->aclenv);
135446Strhodes
135446Strhodes	isc_quota_destroy(&server->recursionquota);
135446Strhodes	isc_quota_destroy(&server->tcpquota);
135446Strhodes	isc_quota_destroy(&server->xfroutquota);
135446Strhodes
135446Strhodes	server->magic = 0;
135446Strhodes	isc_mem_put(server->mctx, server, sizeof(*server));
135446Strhodes	*serverp = NULL;
135446Strhodes}
135446Strhodes
135446Strhodesstatic void
135446Strhodesfatal(const char *msg, isc_result_t result) {
135446Strhodes	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
135446Strhodes		      ISC_LOG_CRITICAL, "%s: %s", msg,
135446Strhodes		      isc_result_totext(result));
135446Strhodes	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
135446Strhodes		      ISC_LOG_CRITICAL, "exiting (due to fatal error)");
135446Strhodes	exit(1);
135446Strhodes}
135446Strhodes
135446Strhodesstatic void
135446Strhodesstart_reserved_dispatches(ns_server_t *server) {
135446Strhodes
135446Strhodes	REQUIRE(NS_SERVER_VALID(server));
135446Strhodes
135446Strhodes	server->dispatchgen++;
135446Strhodes}
135446Strhodes
135446Strhodesstatic void
135446Strhodesend_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
135446Strhodes	ns_dispatch_t *dispatch, *nextdispatch;
135446Strhodes
135446Strhodes	REQUIRE(NS_SERVER_VALID(server));
135446Strhodes
135446Strhodes	for (dispatch = ISC_LIST_HEAD(server->dispatches);
135446Strhodes	     dispatch != NULL;
135446Strhodes	     dispatch = nextdispatch) {
135446Strhodes		nextdispatch = ISC_LIST_NEXT(dispatch, link);
135446Strhodes		if (!all && server->dispatchgen == dispatch-> dispatchgen)
135446Strhodes			continue;
135446Strhodes		ISC_LIST_UNLINK(server->dispatches, dispatch, link);
135446Strhodes		dns_dispatch_detach(&dispatch->dispatch);
135446Strhodes		isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
135446Strhodes	}
135446Strhodes}
135446Strhodes
135446Strhodesvoid
165071Sdougbns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {
135446Strhodes	ns_dispatch_t *dispatch;
135446Strhodes	in_port_t port;
135446Strhodes	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
135446Strhodes	isc_result_t result;
135446Strhodes	unsigned int attrs, attrmask;
135446Strhodes
135446Strhodes	REQUIRE(NS_SERVER_VALID(server));
135446Strhodes
135446Strhodes	port = isc_sockaddr_getport(addr);
135446Strhodes	if (port == 0 || port >= 1024)
135446Strhodes		return;
135446Strhodes
135446Strhodes	for (dispatch = ISC_LIST_HEAD(server->dispatches);
135446Strhodes	     dispatch != NULL;
135446Strhodes	     dispatch = ISC_LIST_NEXT(dispatch, link)) {
135446Strhodes		if (isc_sockaddr_equal(&dispatch->addr, addr))
135446Strhodes			break;
135446Strhodes	}
135446Strhodes	if (dispatch != NULL) {
135446Strhodes		dispatch->dispatchgen = server->dispatchgen;
135446Strhodes		return;
135446Strhodes	}
135446Strhodes
135446Strhodes	dispatch = isc_mem_get(server->mctx, sizeof(*dispatch));
135446Strhodes	if (dispatch == NULL) {
135446Strhodes		result = ISC_R_NOMEMORY;
135446Strhodes		goto cleanup;
135446Strhodes	}
135446Strhodes
135446Strhodes	dispatch->addr = *addr;
135446Strhodes	dispatch->dispatchgen = server->dispatchgen;
135446Strhodes	dispatch->dispatch = NULL;
135446Strhodes
135446Strhodes	attrs = 0;
135446Strhodes	attrs |= DNS_DISPATCHATTR_UDP;
135446Strhodes	switch (isc_sockaddr_pf(addr)) {
135446Strhodes	case AF_INET:
135446Strhodes		attrs |= DNS_DISPATCHATTR_IPV4;
135446Strhodes		break;
135446Strhodes	case AF_INET6:
135446Strhodes		attrs |= DNS_DISPATCHATTR_IPV6;
135446Strhodes		break;
135446Strhodes	default:
135446Strhodes		result = ISC_R_NOTIMPLEMENTED;
135446Strhodes		goto cleanup;
135446Strhodes	}
135446Strhodes	attrmask = 0;
135446Strhodes	attrmask |= DNS_DISPATCHATTR_UDP;
135446Strhodes	attrmask |= DNS_DISPATCHATTR_TCP;
135446Strhodes	attrmask |= DNS_DISPATCHATTR_IPV4;
135446Strhodes	attrmask |= DNS_DISPATCHATTR_IPV6;
135446Strhodes
135446Strhodes	result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
135446Strhodes				     ns_g_taskmgr, &dispatch->addr, 4096,
135446Strhodes				     1000, 32768, 16411, 16433,
186462Sdougb				     attrs, attrmask, &dispatch->dispatch);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		goto cleanup;
135446Strhodes
135446Strhodes	ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link);
135446Strhodes
135446Strhodes	return;
135446Strhodes
135446Strhodes cleanup:
135446Strhodes	if (dispatch != NULL)
135446Strhodes		isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
135446Strhodes	isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
135446Strhodes	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes		      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
135446Strhodes		      "unable to create dispatch for reserved port %s: %s",
135446Strhodes		      addrbuf, isc_result_totext(result));
135446Strhodes}
135446Strhodes
135446Strhodes
135446Strhodesstatic isc_result_t
135446Strhodesloadconfig(ns_server_t *server) {
135446Strhodes	isc_result_t result;
135446Strhodes	start_reserved_dispatches(server);
135446Strhodes	result = load_configuration(ns_g_lwresdonly ?
135446Strhodes				    lwresd_g_conffile : ns_g_conffile,
143731Sdougb				    server, ISC_FALSE);
193149Sdougb	if (result == ISC_R_SUCCESS) {
135446Strhodes		end_reserved_dispatches(server, ISC_FALSE);
135446Strhodes		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
193149Sdougb			      "reloading configuration succeeded");
193149Sdougb	} else {
193149Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
135446Strhodes			      "reloading configuration failed: %s",
135446Strhodes			      isc_result_totext(result));
193149Sdougb	}
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
135446Strhodesreload(ns_server_t *server) {
135446Strhodes	isc_result_t result;
135446Strhodes	CHECK(loadconfig(server));
135446Strhodes
262706Serwin	result = load_zones(server, ISC_FALSE);
193149Sdougb	if (result == ISC_R_SUCCESS)
135446Strhodes		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
193149Sdougb			      "reloading zones succeeded");
193149Sdougb	else
193149Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
135446Strhodes			      "reloading zones failed: %s",
135446Strhodes			      isc_result_totext(result));
193149Sdougb
135446Strhodes cleanup:
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic void
135446Strhodesreconfig(ns_server_t *server) {
135446Strhodes	isc_result_t result;
135446Strhodes	CHECK(loadconfig(server));
135446Strhodes
135446Strhodes	result = load_new_zones(server, ISC_FALSE);
193149Sdougb	if (result == ISC_R_SUCCESS)
135446Strhodes		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
193149Sdougb			      "any newly configured zones are now loaded");
193149Sdougb	else
193149Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
135446Strhodes			      "loading new zones failed: %s",
135446Strhodes			      isc_result_totext(result));
193149Sdougb
135446Strhodes cleanup: ;
135446Strhodes}
135446Strhodes
135446Strhodes/*
135446Strhodes * Handle a reload event (from SIGHUP).
135446Strhodes */
135446Strhodesstatic void
135446Strhodesns_server_reload(isc_task_t *task, isc_event_t *event) {
135446Strhodes	ns_server_t *server = (ns_server_t *)event->ev_arg;
135446Strhodes
135446Strhodes	INSIST(task = server->task);
135446Strhodes	UNUSED(task);
135446Strhodes
193149Sdougb	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
193149Sdougb		      "received SIGHUP signal to reload zones");
135446Strhodes	(void)reload(server);
135446Strhodes
135446Strhodes	LOCK(&server->reload_event_lock);
135446Strhodes	INSIST(server->reload_event == NULL);
135446Strhodes	server->reload_event = event;
135446Strhodes	UNLOCK(&server->reload_event_lock);
135446Strhodes}
135446Strhodes
135446Strhodesvoid
135446Strhodesns_server_reloadwanted(ns_server_t *server) {
135446Strhodes	LOCK(&server->reload_event_lock);
135446Strhodes	if (server->reload_event != NULL)
135446Strhodes		isc_task_send(server->task, &server->reload_event);
135446Strhodes	UNLOCK(&server->reload_event_lock);
135446Strhodes}
135446Strhodes
135446Strhodesstatic char *
135446Strhodesnext_token(char **stringp, const char *delim) {
135446Strhodes	char *res;
135446Strhodes
135446Strhodes	do {
135446Strhodes		res = strsep(stringp, delim);
135446Strhodes		if (res == NULL)
135446Strhodes			break;
135446Strhodes	} while (*res == '\0');
135446Strhodes	return (res);
186462Sdougb}
135446Strhodes
135446Strhodes/*
135446Strhodes * Find the zone specified in the control channel command 'args',
135446Strhodes * if any.  If a zone is specified, point '*zonep' at it, otherwise
135446Strhodes * set '*zonep' to NULL.
135446Strhodes */
135446Strhodesstatic isc_result_t
254897Serwinzone_from_args(ns_server_t *server, char *args, const char *zonetxt,
262706Serwin	       dns_zone_t **zonep, const char **zonename,
262706Serwin	       isc_buffer_t *text, isc_boolean_t skip)
224092Sdougb{
135446Strhodes	char *input, *ptr;
135446Strhodes	char *classtxt;
135446Strhodes	const char *viewtxt = NULL;
262706Serwin	dns_fixedname_t fname;
262706Serwin	dns_name_t *name;
135446Strhodes	isc_result_t result;
135446Strhodes	dns_view_t *view = NULL;
135446Strhodes	dns_rdataclass_t rdclass;
262706Serwin	char problem[DNS_NAME_FORMATSIZE + 500] = "";
135446Strhodes
135446Strhodes	REQUIRE(zonep != NULL && *zonep == NULL);
254402Serwin	REQUIRE(zonename == NULL || *zonename == NULL);
135446Strhodes
135446Strhodes	input = args;
135446Strhodes
254897Serwin	if (skip) {
254897Serwin		/* Skip the command name. */
254897Serwin		ptr = next_token(&input, " \t");
254897Serwin		if (ptr == NULL)
254897Serwin			return (ISC_R_UNEXPECTEDEND);
254897Serwin	}
135446Strhodes
135446Strhodes	/* Look for the zone name. */
135446Strhodes	if (zonetxt == NULL)
254897Serwin		zonetxt = next_token(&input, " \t");
254897Serwin	if (zonetxt == NULL)
135446Strhodes		return (ISC_R_SUCCESS);
254402Serwin	if (zonename != NULL)
224092Sdougb		*zonename = zonetxt;
135446Strhodes
135446Strhodes	/* Look for the optional class name. */
135446Strhodes	classtxt = next_token(&input, " \t");
135446Strhodes	if (classtxt != NULL) {
135446Strhodes		/* Look for the optional view name. */
135446Strhodes		viewtxt = next_token(&input, " \t");
135446Strhodes	}
135446Strhodes
262706Serwin	dns_fixedname_init(&fname);
262706Serwin	name = dns_fixedname_name(&fname);
262706Serwin	CHECK(dns_name_fromstring(name, zonetxt, 0, NULL));
135446Strhodes
135446Strhodes	if (classtxt != NULL) {
135446Strhodes		isc_textregion_t r;
135446Strhodes		r.base = classtxt;
135446Strhodes		r.length = strlen(classtxt);
262706Serwin		CHECK(dns_rdataclass_fromtext(&rdclass, &r));
193149Sdougb	} else
193149Sdougb		rdclass = dns_rdataclass_in;
193149Sdougb
193149Sdougb	if (viewtxt == NULL) {
262706Serwin		result = dns_viewlist_findzone(&server->viewlist, name,
193149Sdougb					       ISC_TF(classtxt == NULL),
193149Sdougb					       rdclass, zonep);
262706Serwin		if (result == ISC_R_NOTFOUND)
262706Serwin			snprintf(problem, sizeof(problem),
262706Serwin				 "no matching zone '%s' in any view",
262706Serwin				 zonetxt);
135446Strhodes	} else {
193149Sdougb		result = dns_viewlist_find(&server->viewlist, viewtxt,
193149Sdougb					   rdclass, &view);
262706Serwin		if (result != ISC_R_SUCCESS) {
262706Serwin			snprintf(problem, sizeof(problem),
262706Serwin				 "no matching view '%s'", viewtxt);
262706Serwin			goto report;
262706Serwin		}
262706Serwin
262706Serwin		result = dns_zt_find(view->zonetable, name, 0, NULL, zonep);
193149Sdougb		if (result != ISC_R_SUCCESS)
262706Serwin			snprintf(problem, sizeof(problem),
262706Serwin				 "no matching zone '%s' in view '%s'",
262706Serwin				 zonetxt, viewtxt);
135446Strhodes	}
186462Sdougb
135446Strhodes	/* Partial match? */
135446Strhodes	if (result != ISC_R_SUCCESS && *zonep != NULL)
135446Strhodes		dns_zone_detach(zonep);
204619Sdougb	if (result == DNS_R_PARTIALMATCH)
204619Sdougb		result = ISC_R_NOTFOUND;
262706Serwin report:
262706Serwin	if (result != ISC_R_SUCCESS) {
262706Serwin		isc_result_t tresult;
262706Serwin
262706Serwin		tresult = putstr(text, problem);
262706Serwin		if (tresult == ISC_R_SUCCESS &&
262706Serwin		    isc_buffer_availablelength(text) > 0U)
262706Serwin			isc_buffer_putuint8(text, 0);
262706Serwin	}
262706Serwin
262706Serwin cleanup:
262706Serwin	if (view != NULL)
262706Serwin		dns_view_detach(&view);
262706Serwin
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodes/*
135446Strhodes * Act on a "retransfer" command from the command channel.
135446Strhodes */
135446Strhodesisc_result_t
262706Serwinns_server_retransfercommand(ns_server_t *server, char *args,
262706Serwin			    isc_buffer_t *text)
262706Serwin{
135446Strhodes	isc_result_t result;
135446Strhodes	dns_zone_t *zone = NULL;
254897Serwin	dns_zone_t *raw = NULL;
135446Strhodes	dns_zonetype_t type;
186462Sdougb
262706Serwin	result = zone_from_args(server, args, NULL, &zone, NULL,
262706Serwin				text, ISC_TRUE);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (result);
135446Strhodes	if (zone == NULL)
135446Strhodes		return (ISC_R_UNEXPECTEDEND);
254897Serwin	dns_zone_getraw(zone, &raw);
254897Serwin	if (raw != NULL) {
254897Serwin		dns_zone_detach(&zone);
254897Serwin		dns_zone_attach(raw, &zone);
254897Serwin		dns_zone_detach(&raw);
254897Serwin	}
135446Strhodes	type = dns_zone_gettype(zone);
135446Strhodes	if (type == dns_zone_slave || type == dns_zone_stub)
135446Strhodes		dns_zone_forcereload(zone);
135446Strhodes	else
135446Strhodes		result = ISC_R_NOTFOUND;
135446Strhodes	dns_zone_detach(&zone);
135446Strhodes	return (result);
186462Sdougb}
135446Strhodes
135446Strhodes/*
135446Strhodes * Act on a "reload" command from the command channel.
135446Strhodes */
135446Strhodesisc_result_t
135446Strhodesns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
135446Strhodes	isc_result_t result;
135446Strhodes	dns_zone_t *zone = NULL;
135446Strhodes	dns_zonetype_t type;
135446Strhodes	const char *msg = NULL;
186462Sdougb
262706Serwin	result = zone_from_args(server, args, NULL, &zone, NULL,
262706Serwin				text, ISC_TRUE);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (result);
135446Strhodes	if (zone == NULL) {
135446Strhodes		result = reload(server);
135446Strhodes		if (result == ISC_R_SUCCESS)
135446Strhodes			msg = "server reload successful";
135446Strhodes	} else {
135446Strhodes		type = dns_zone_gettype(zone);
135446Strhodes		if (type == dns_zone_slave || type == dns_zone_stub) {
135446Strhodes			dns_zone_refresh(zone);
174187Sdougb			dns_zone_detach(&zone);
135446Strhodes			msg = "zone refresh queued";
135446Strhodes		} else {
135446Strhodes			result = dns_zone_load(zone);
135446Strhodes			dns_zone_detach(&zone);
186462Sdougb			switch (result) {
135446Strhodes			case ISC_R_SUCCESS:
135446Strhodes				 msg = "zone reload successful";
135446Strhodes				 break;
135446Strhodes			case DNS_R_CONTINUE:
135446Strhodes				msg = "zone reload queued";
135446Strhodes				result = ISC_R_SUCCESS;
135446Strhodes				break;
135446Strhodes			case DNS_R_UPTODATE:
135446Strhodes				msg = "zone reload up-to-date";
135446Strhodes				result = ISC_R_SUCCESS;
135446Strhodes				break;
135446Strhodes			default:
135446Strhodes				/* failure message will be generated by rndc */
135446Strhodes				break;
135446Strhodes			}
135446Strhodes		}
135446Strhodes	}
135446Strhodes	if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
135446Strhodes		isc_buffer_putmem(text, (const unsigned char *)msg,
135446Strhodes				  strlen(msg) + 1);
135446Strhodes	return (result);
186462Sdougb}
135446Strhodes
135446Strhodes/*
135446Strhodes * Act on a "reconfig" command from the command channel.
135446Strhodes */
135446Strhodesisc_result_t
135446Strhodesns_server_reconfigcommand(ns_server_t *server, char *args) {
135446Strhodes	UNUSED(args);
135446Strhodes
135446Strhodes	reconfig(server);
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes}
135446Strhodes
135446Strhodes/*
170222Sdougb * Act on a "notify" command from the command channel.
170222Sdougb */
170222Sdougbisc_result_t
170222Sdougbns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
170222Sdougb	isc_result_t result;
170222Sdougb	dns_zone_t *zone = NULL;
170222Sdougb	const unsigned char msg[] = "zone notify queued";
170222Sdougb
262706Serwin	result = zone_from_args(server, args, NULL, &zone, NULL,
262706Serwin				text, ISC_TRUE);
170222Sdougb	if (result != ISC_R_SUCCESS)
170222Sdougb		return (result);
170222Sdougb	if (zone == NULL)
170222Sdougb		return (ISC_R_UNEXPECTEDEND);
186462Sdougb
170222Sdougb	dns_zone_notify(zone);
170222Sdougb	dns_zone_detach(&zone);
170222Sdougb	if (sizeof(msg) <= isc_buffer_availablelength(text))
170222Sdougb		isc_buffer_putmem(text, msg, sizeof(msg));
170222Sdougb
170222Sdougb	return (ISC_R_SUCCESS);
186462Sdougb}
170222Sdougb
170222Sdougb/*
135446Strhodes * Act on a "refresh" command from the command channel.
135446Strhodes */
135446Strhodesisc_result_t
135446Strhodesns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
135446Strhodes	isc_result_t result;
262706Serwin	dns_zone_t *zone = NULL, *raw = NULL;
165071Sdougb	const unsigned char msg1[] = "zone refresh queued";
165071Sdougb	const unsigned char msg2[] = "not a slave or stub zone";
165071Sdougb	dns_zonetype_t type;
135446Strhodes
262706Serwin	result = zone_from_args(server, args, NULL, &zone, NULL,
262706Serwin				text, ISC_TRUE);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (result);
135446Strhodes	if (zone == NULL)
135446Strhodes		return (ISC_R_UNEXPECTEDEND);
165071Sdougb
262706Serwin	dns_zone_getraw(zone, &raw);
262706Serwin	if (raw != NULL) {
262706Serwin		dns_zone_detach(&zone);
262706Serwin		dns_zone_attach(raw, &zone);
262706Serwin		dns_zone_detach(&raw);
262706Serwin	}
262706Serwin
165071Sdougb	type = dns_zone_gettype(zone);
165071Sdougb	if (type == dns_zone_slave || type == dns_zone_stub) {
165071Sdougb		dns_zone_refresh(zone);
165071Sdougb		dns_zone_detach(&zone);
165071Sdougb		if (sizeof(msg1) <= isc_buffer_availablelength(text))
165071Sdougb			isc_buffer_putmem(text, msg1, sizeof(msg1));
165071Sdougb		return (ISC_R_SUCCESS);
165071Sdougb	}
186462Sdougb
135446Strhodes	dns_zone_detach(&zone);
165071Sdougb	if (sizeof(msg2) <= isc_buffer_availablelength(text))
165071Sdougb		isc_buffer_putmem(text, msg2, sizeof(msg2));
165071Sdougb	return (ISC_R_FAILURE);
186462Sdougb}
135446Strhodes
135446Strhodesisc_result_t
254897Serwinns_server_togglequerylog(ns_server_t *server, char *args) {
254897Serwin	isc_boolean_t value;
254897Serwin	char *ptr;
186462Sdougb
254897Serwin	/* Skip the command name. */
254897Serwin	ptr = next_token(&args, " \t");
254897Serwin	if (ptr == NULL)
254897Serwin		return (ISC_R_UNEXPECTEDEND);
254897Serwin
254897Serwin	ptr = next_token(&args, " \t");
254897Serwin	if (ptr == NULL)
254897Serwin		value = server->log_queries ? ISC_FALSE : ISC_TRUE;
254897Serwin	else if (strcasecmp(ptr, "yes") == 0 || strcasecmp(ptr, "on") == 0)
254897Serwin		value = ISC_TRUE;
254897Serwin	else if (strcasecmp(ptr, "no") == 0 || strcasecmp(ptr, "off") == 0)
254897Serwin		value = ISC_FALSE;
254897Serwin	else
254897Serwin		return (ISC_R_NOTFOUND);
254897Serwin
254897Serwin	if (server->log_queries == value)
254897Serwin		return (ISC_R_SUCCESS);
254897Serwin
254897Serwin	server->log_queries = value;
254897Serwin
135446Strhodes	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
135446Strhodes		      "query logging is now %s",
135446Strhodes		      server->log_queries ? "on" : "off");
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
165071Sdougbns_listenlist_fromconfig(const cfg_obj_t *listenlist, const cfg_obj_t *config,
170222Sdougb			 cfg_aclconfctx_t *actx,
135446Strhodes			 isc_mem_t *mctx, ns_listenlist_t **target)
135446Strhodes{
135446Strhodes	isc_result_t result;
165071Sdougb	const cfg_listelt_t *element;
135446Strhodes	ns_listenlist_t *dlist = NULL;
135446Strhodes
135446Strhodes	REQUIRE(target != NULL && *target == NULL);
135446Strhodes
135446Strhodes	result = ns_listenlist_create(mctx, &dlist);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (result);
135446Strhodes
135446Strhodes	for (element = cfg_list_first(listenlist);
135446Strhodes	     element != NULL;
135446Strhodes	     element = cfg_list_next(element))
135446Strhodes	{
135446Strhodes		ns_listenelt_t *delt = NULL;
165071Sdougb		const cfg_obj_t *listener = cfg_listelt_value(element);
135446Strhodes		result = ns_listenelt_fromconfig(listener, config, actx,
135446Strhodes						 mctx, &delt);
135446Strhodes		if (result != ISC_R_SUCCESS)
135446Strhodes			goto cleanup;
135446Strhodes		ISC_LIST_APPEND(dlist->elts, delt, link);
135446Strhodes	}
135446Strhodes	*target = dlist;
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes
135446Strhodes cleanup:
135446Strhodes	ns_listenlist_detach(&dlist);
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodes/*
135446Strhodes * Create a listen list from the corresponding configuration
135446Strhodes * data structure.
135446Strhodes */
135446Strhodesstatic isc_result_t
165071Sdougbns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
170222Sdougb			cfg_aclconfctx_t *actx,
135446Strhodes			isc_mem_t *mctx, ns_listenelt_t **target)
135446Strhodes{
135446Strhodes	isc_result_t result;
165071Sdougb	const cfg_obj_t *portobj;
135446Strhodes	in_port_t port;
135446Strhodes	ns_listenelt_t *delt = NULL;
135446Strhodes	REQUIRE(target != NULL && *target == NULL);
135446Strhodes
135446Strhodes	portobj = cfg_tuple_get(listener, "port");
135446Strhodes	if (!cfg_obj_isuint32(portobj)) {
135446Strhodes		if (ns_g_port != 0) {
135446Strhodes			port = ns_g_port;
135446Strhodes		} else {
135446Strhodes			result = ns_config_getport(config, &port);
135446Strhodes			if (result != ISC_R_SUCCESS)
135446Strhodes				return (result);
135446Strhodes		}
135446Strhodes	} else {
135446Strhodes		if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
135446Strhodes			cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
135446Strhodes				    "port value '%u' is out of range",
135446Strhodes				    cfg_obj_asuint32(portobj));
135446Strhodes			return (ISC_R_RANGE);
135446Strhodes		}
135446Strhodes		port = (in_port_t)cfg_obj_asuint32(portobj);
135446Strhodes	}
135446Strhodes
135446Strhodes	result = ns_listenelt_create(mctx, port, NULL, &delt);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (result);
135446Strhodes
170222Sdougb	result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"),
193149Sdougb				   config, ns_g_lctx, actx, mctx, 0,
193149Sdougb				   &delt->acl);
135446Strhodes	if (result != ISC_R_SUCCESS) {
135446Strhodes		ns_listenelt_destroy(delt);
135446Strhodes		return (result);
135446Strhodes	}
135446Strhodes	*target = delt;
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes}
135446Strhodes
135446Strhodesisc_result_t
135446Strhodesns_server_dumpstats(ns_server_t *server) {
135446Strhodes	isc_result_t result;
135446Strhodes	FILE *fp = NULL;
135446Strhodes
135446Strhodes	CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
135446Strhodes		"could not open statistics dump file", server->statsfile);
186462Sdougb
193149Sdougb	result = ns_stats_dump(server, fp);
186462Sdougb
135446Strhodes cleanup:
135446Strhodes	if (fp != NULL)
135446Strhodes		(void)isc_stdio_close(fp);
193149Sdougb	if (result == ISC_R_SUCCESS)
193149Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
193149Sdougb			      "dumpstats complete");
193149Sdougb	else
193149Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
193149Sdougb			      "dumpstats failed: %s",
193149Sdougb			      dns_result_totext(result));
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
135446Strhodesadd_zone_tolist(dns_zone_t *zone, void *uap) {
135446Strhodes	struct dumpcontext *dctx = uap;
135446Strhodes	struct zonelistentry *zle;
135446Strhodes
135446Strhodes	zle = isc_mem_get(dctx->mctx, sizeof *zle);
135446Strhodes	if (zle ==  NULL)
135446Strhodes		return (ISC_R_NOMEMORY);
135446Strhodes	zle->zone = NULL;
135446Strhodes	dns_zone_attach(zone, &zle->zone);
135446Strhodes	ISC_LINK_INIT(zle, link);
135446Strhodes	ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link);
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes}
135446Strhodes
135446Strhodesstatic isc_result_t
135446Strhodesadd_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
135446Strhodes	struct viewlistentry *vle;
135446Strhodes	isc_result_t result = ISC_R_SUCCESS;
186462Sdougb
153816Sdougb	/*
153816Sdougb	 * Prevent duplicate views.
153816Sdougb	 */
153816Sdougb	for (vle = ISC_LIST_HEAD(dctx->viewlist);
153816Sdougb	     vle != NULL;
153816Sdougb	     vle = ISC_LIST_NEXT(vle, link))
153816Sdougb		if (vle->view == view)
153816Sdougb			return (ISC_R_SUCCESS);
153816Sdougb
135446Strhodes	vle = isc_mem_get(dctx->mctx, sizeof *vle);
135446Strhodes	if (vle == NULL)
135446Strhodes		return (ISC_R_NOMEMORY);
135446Strhodes	vle->view = NULL;
135446Strhodes	dns_view_attach(view, &vle->view);
135446Strhodes	ISC_LINK_INIT(vle, link);
135446Strhodes	ISC_LIST_INIT(vle->zonelist);
135446Strhodes	ISC_LIST_APPEND(dctx->viewlist, vle, link);
135446Strhodes	if (dctx->dumpzones)
135446Strhodes		result = dns_zt_apply(view->zonetable, ISC_TRUE,
135446Strhodes				      add_zone_tolist, dctx);
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesstatic void
135446Strhodesdumpcontext_destroy(struct dumpcontext *dctx) {
135446Strhodes	struct viewlistentry *vle;
135446Strhodes	struct zonelistentry *zle;
135446Strhodes
135446Strhodes	vle = ISC_LIST_HEAD(dctx->viewlist);
135446Strhodes	while (vle != NULL) {
135446Strhodes		ISC_LIST_UNLINK(dctx->viewlist, vle, link);
135446Strhodes		zle = ISC_LIST_HEAD(vle->zonelist);
135446Strhodes		while (zle != NULL) {
135446Strhodes			ISC_LIST_UNLINK(vle->zonelist, zle, link);
135446Strhodes			dns_zone_detach(&zle->zone);
135446Strhodes			isc_mem_put(dctx->mctx, zle, sizeof *zle);
135446Strhodes			zle = ISC_LIST_HEAD(vle->zonelist);
135446Strhodes		}
135446Strhodes		dns_view_detach(&vle->view);
135446Strhodes		isc_mem_put(dctx->mctx, vle, sizeof *vle);
135446Strhodes		vle = ISC_LIST_HEAD(dctx->viewlist);
135446Strhodes	}
135446Strhodes	if (dctx->version != NULL)
135446Strhodes		dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
135446Strhodes	if (dctx->db != NULL)
135446Strhodes		dns_db_detach(&dctx->db);
135446Strhodes	if (dctx->cache != NULL)
135446Strhodes		dns_db_detach(&dctx->cache);
135446Strhodes	if (dctx->task != NULL)
135446Strhodes		isc_task_detach(&dctx->task);
135446Strhodes	if (dctx->fp != NULL)
135446Strhodes		(void)isc_stdio_close(dctx->fp);
135446Strhodes	if (dctx->mdctx != NULL)
135446Strhodes		dns_dumpctx_detach(&dctx->mdctx);
135446Strhodes	isc_mem_put(dctx->mctx, dctx, sizeof *dctx);
135446Strhodes}
135446Strhodes
135446Strhodesstatic void
135446Strhodesdumpdone(void *arg, isc_result_t result) {
135446Strhodes	struct dumpcontext *dctx = arg;
135446Strhodes	char buf[1024+32];
135446Strhodes	const dns_master_style_t *style;
186462Sdougb
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		goto cleanup;
135446Strhodes	if (dctx->mdctx != NULL)
135446Strhodes		dns_dumpctx_detach(&dctx->mdctx);
135446Strhodes	if (dctx->view == NULL) {
135446Strhodes		dctx->view = ISC_LIST_HEAD(dctx->viewlist);
135446Strhodes		if (dctx->view == NULL)
135446Strhodes			goto done;
135446Strhodes		INSIST(dctx->zone == NULL);
153816Sdougb	} else
153816Sdougb		goto resume;
135446Strhodes nextview:
135446Strhodes	fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
153816Sdougb resume:
224092Sdougb	if (dctx->dumpcache && dns_view_iscacheshared(dctx->view->view)) {
224092Sdougb		fprintf(dctx->fp,
224092Sdougb			";\n; Cache of view '%s' is shared as '%s'\n",
224092Sdougb			dctx->view->view->name,
224092Sdougb			dns_cache_getname(dctx->view->view->cache));
224092Sdougb	} else if (dctx->zone == NULL && dctx->cache == NULL &&
224092Sdougb		   dctx->dumpcache)
224092Sdougb	{
135446Strhodes		style = &dns_master_style_cache;
135446Strhodes		/* start cache dump */
135446Strhodes		if (dctx->view->view->cachedb != NULL)
135446Strhodes			dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
135446Strhodes		if (dctx->cache != NULL) {
224092Sdougb			fprintf(dctx->fp,
224092Sdougb				";\n; Cache dump of view '%s' (cache %s)\n;\n",
224092Sdougb				dctx->view->view->name,
224092Sdougb				dns_cache_getname(dctx->view->view->cache));
135446Strhodes			result = dns_master_dumptostreaminc(dctx->mctx,
135446Strhodes							    dctx->cache, NULL,
135446Strhodes							    style, dctx->fp,
135446Strhodes							    dctx->task,
135446Strhodes							    dumpdone, dctx,
135446Strhodes							    &dctx->mdctx);
135446Strhodes			if (result == DNS_R_CONTINUE)
135446Strhodes				return;
135446Strhodes			if (result == ISC_R_NOTIMPLEMENTED)
135446Strhodes				fprintf(dctx->fp, "; %s\n",
135446Strhodes					dns_result_totext(result));
135446Strhodes			else if (result != ISC_R_SUCCESS)
135446Strhodes				goto cleanup;
135446Strhodes		}
135446Strhodes	}
135446Strhodes	if (dctx->cache != NULL) {
135446Strhodes		dns_adb_dump(dctx->view->view->adb, dctx->fp);
205292Sdougb		dns_resolver_printbadcache(dctx->view->view->resolver,
205292Sdougb					   dctx->fp);
135446Strhodes		dns_db_detach(&dctx->cache);
135446Strhodes	}
135446Strhodes	if (dctx->dumpzones) {
135446Strhodes		style = &dns_master_style_full;
135446Strhodes nextzone:
135446Strhodes		if (dctx->version != NULL)
135446Strhodes			dns_db_closeversion(dctx->db, &dctx->version,
135446Strhodes					    ISC_FALSE);
135446Strhodes		if (dctx->db != NULL)
135446Strhodes			dns_db_detach(&dctx->db);
135446Strhodes		if (dctx->zone == NULL)
135446Strhodes			dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
135446Strhodes		else
135446Strhodes			dctx->zone = ISC_LIST_NEXT(dctx->zone, link);
135446Strhodes		if (dctx->zone != NULL) {
135446Strhodes			/* start zone dump */
135446Strhodes			dns_zone_name(dctx->zone->zone, buf, sizeof(buf));
135446Strhodes			fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf);
135446Strhodes			result = dns_zone_getdb(dctx->zone->zone, &dctx->db);
135446Strhodes			if (result != ISC_R_SUCCESS) {
135446Strhodes				fprintf(dctx->fp, "; %s\n",
135446Strhodes					dns_result_totext(result));
135446Strhodes				goto nextzone;
135446Strhodes			}
135446Strhodes			dns_db_currentversion(dctx->db, &dctx->version);
135446Strhodes			result = dns_master_dumptostreaminc(dctx->mctx,
135446Strhodes							    dctx->db,
135446Strhodes							    dctx->version,
135446Strhodes							    style, dctx->fp,
135446Strhodes							    dctx->task,
135446Strhodes							    dumpdone, dctx,
135446Strhodes							    &dctx->mdctx);
135446Strhodes			if (result == DNS_R_CONTINUE)
135446Strhodes				return;
153816Sdougb			if (result == ISC_R_NOTIMPLEMENTED) {
135446Strhodes				fprintf(dctx->fp, "; %s\n",
135446Strhodes					dns_result_totext(result));
153816Sdougb				result = ISC_R_SUCCESS;
225361Sdougb				POST(result);
153816Sdougb				goto nextzone;
153816Sdougb			}
135446Strhodes			if (result != ISC_R_SUCCESS)
135446Strhodes				goto cleanup;
135446Strhodes		}
135446Strhodes	}
135446Strhodes	if (dctx->view != NULL)
135446Strhodes		dctx->view = ISC_LIST_NEXT(dctx->view, link);
135446Strhodes	if (dctx->view != NULL)
135446Strhodes		goto nextview;
135446Strhodes done:
135446Strhodes	fprintf(dctx->fp, "; Dump complete\n");
135446Strhodes	result = isc_stdio_flush(dctx->fp);
135446Strhodes	if (result == ISC_R_SUCCESS)
135446Strhodes		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
135446Strhodes			      "dumpdb complete");
135446Strhodes cleanup:
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
135446Strhodes			      "dumpdb failed: %s", dns_result_totext(result));
135446Strhodes	dumpcontext_destroy(dctx);
135446Strhodes}
135446Strhodes
135446Strhodesisc_result_t
135446Strhodesns_server_dumpdb(ns_server_t *server, char *args) {
135446Strhodes	struct dumpcontext *dctx = NULL;
135446Strhodes	dns_view_t *view;
135446Strhodes	isc_result_t result;
135446Strhodes	char *ptr;
135446Strhodes	const char *sep;
135446Strhodes
165071Sdougb	/* Skip the command name. */
165071Sdougb	ptr = next_token(&args, " \t");
165071Sdougb	if (ptr == NULL)
165071Sdougb		return (ISC_R_UNEXPECTEDEND);
165071Sdougb
135446Strhodes	dctx = isc_mem_get(server->mctx, sizeof(*dctx));
135446Strhodes	if (dctx == NULL)
135446Strhodes		return (ISC_R_NOMEMORY);
135446Strhodes
135446Strhodes	dctx->mctx = server->mctx;
135446Strhodes	dctx->dumpcache = ISC_TRUE;
135446Strhodes	dctx->dumpzones = ISC_FALSE;
135446Strhodes	dctx->fp = NULL;
135446Strhodes	ISC_LIST_INIT(dctx->viewlist);
135446Strhodes	dctx->view = NULL;
135446Strhodes	dctx->zone = NULL;
135446Strhodes	dctx->cache = NULL;
135446Strhodes	dctx->mdctx = NULL;
135446Strhodes	dctx->db = NULL;
135446Strhodes	dctx->cache = NULL;
135446Strhodes	dctx->task = NULL;
135446Strhodes	dctx->version = NULL;
135446Strhodes	isc_task_attach(server->task, &dctx->task);
135446Strhodes
135446Strhodes	CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
135446Strhodes		"could not open dump file", server->dumpfile);
135446Strhodes
135446Strhodes	sep = (args == NULL) ? "" : ": ";
135446Strhodes	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
135446Strhodes		      "dumpdb started%s%s", sep, (args != NULL) ? args : "");
135446Strhodes
135446Strhodes	ptr = next_token(&args, " \t");
135446Strhodes	if (ptr != NULL && strcmp(ptr, "-all") == 0) {
135446Strhodes		dctx->dumpzones = ISC_TRUE;
135446Strhodes		dctx->dumpcache = ISC_TRUE;
135446Strhodes		ptr = next_token(&args, " \t");
135446Strhodes	} else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
135446Strhodes		dctx->dumpzones = ISC_FALSE;
135446Strhodes		dctx->dumpcache = ISC_TRUE;
135446Strhodes		ptr = next_token(&args, " \t");
135446Strhodes	} else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
135446Strhodes		dctx->dumpzones = ISC_TRUE;
135446Strhodes		dctx->dumpcache = ISC_FALSE;
135446Strhodes		ptr = next_token(&args, " \t");
186462Sdougb	}
135446Strhodes
153816Sdougb nextview:
135446Strhodes	for (view = ISC_LIST_HEAD(server->viewlist);
135446Strhodes	     view != NULL;
135446Strhodes	     view = ISC_LIST_NEXT(view, link))
135446Strhodes	{
135446Strhodes		if (ptr != NULL && strcmp(view->name, ptr) != 0)
135446Strhodes			continue;
135446Strhodes		CHECK(add_view_tolist(dctx, view));
135446Strhodes	}
153816Sdougb	if (ptr != NULL) {
153816Sdougb		ptr = next_token(&args, " \t");
153816Sdougb		if (ptr != NULL)
153816Sdougb			goto nextview;
153816Sdougb	}
135446Strhodes	dumpdone(dctx, ISC_R_SUCCESS);
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes
135446Strhodes cleanup:
135446Strhodes	if (dctx != NULL)
135446Strhodes		dumpcontext_destroy(dctx);
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesisc_result_t
224092Sdougbns_server_dumpsecroots(ns_server_t *server, char *args) {
224092Sdougb	dns_view_t *view;
224092Sdougb	dns_keytable_t *secroots = NULL;
224092Sdougb	isc_result_t result;
224092Sdougb	char *ptr;
224092Sdougb	FILE *fp = NULL;
224092Sdougb	isc_time_t now;
224092Sdougb	char tbuf[64];
224092Sdougb
224092Sdougb	/* Skip the command name. */
224092Sdougb	ptr = next_token(&args, " \t");
224092Sdougb	if (ptr == NULL)
224092Sdougb		return (ISC_R_UNEXPECTEDEND);
254897Serwin
224092Sdougb	ptr = next_token(&args, " \t");
224092Sdougb
224092Sdougb	CHECKMF(isc_stdio_open(server->secrootsfile, "w", &fp),
224092Sdougb		"could not open secroots dump file", server->secrootsfile);
224092Sdougb	TIME_NOW(&now);
224092Sdougb	isc_time_formattimestamp(&now, tbuf, sizeof(tbuf));
224092Sdougb	fprintf(fp, "%s\n", tbuf);
224092Sdougb
225361Sdougb	do {
225361Sdougb		for (view = ISC_LIST_HEAD(server->viewlist);
225361Sdougb		     view != NULL;
225361Sdougb		     view = ISC_LIST_NEXT(view, link))
225361Sdougb		{
225361Sdougb			if (ptr != NULL && strcmp(view->name, ptr) != 0)
225361Sdougb				continue;
225361Sdougb			if (secroots != NULL)
225361Sdougb				dns_keytable_detach(&secroots);
225361Sdougb			result = dns_view_getsecroots(view, &secroots);
225361Sdougb			if (result == ISC_R_NOTFOUND) {
225361Sdougb				result = ISC_R_SUCCESS;
225361Sdougb				continue;
225361Sdougb			}
225361Sdougb			fprintf(fp, "\n Start view %s\n\n", view->name);
225361Sdougb			result = dns_keytable_dump(secroots, fp);
225361Sdougb			if (result != ISC_R_SUCCESS)
225361Sdougb				fprintf(fp, " dumpsecroots failed: %s\n",
225361Sdougb					isc_result_totext(result));
224092Sdougb		}
224092Sdougb		if (ptr != NULL)
225361Sdougb			ptr = next_token(&args, " \t");
225361Sdougb	} while (ptr != NULL);
224092Sdougb
224092Sdougb cleanup:
224092Sdougb	if (secroots != NULL)
224092Sdougb		dns_keytable_detach(&secroots);
224092Sdougb	if (fp != NULL)
224092Sdougb		(void)isc_stdio_close(fp);
224092Sdougb	if (result == ISC_R_SUCCESS)
224092Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
224092Sdougb			      "dumpsecroots complete");
224092Sdougb	else
224092Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
224092Sdougb			      "dumpsecroots failed: %s",
224092Sdougb			      dns_result_totext(result));
224092Sdougb	return (result);
224092Sdougb}
224092Sdougb
224092Sdougbisc_result_t
135446Strhodesns_server_dumprecursing(ns_server_t *server) {
135446Strhodes	FILE *fp = NULL;
135446Strhodes	isc_result_t result;
135446Strhodes
135446Strhodes	CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
135446Strhodes		"could not open dump file", server->recfile);
135446Strhodes	fprintf(fp,";\n; Recursing Queries\n;\n");
135446Strhodes	ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
135446Strhodes	fprintf(fp, "; Dump complete\n");
135446Strhodes
135446Strhodes cleanup:
135446Strhodes	if (fp != NULL)
135446Strhodes		result = isc_stdio_close(fp);
193149Sdougb	if (result == ISC_R_SUCCESS)
193149Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
193149Sdougb			      "dumprecursing complete");
193149Sdougb	else
193149Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
193149Sdougb			      "dumprecursing failed: %s",
193149Sdougb			      dns_result_totext(result));
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesisc_result_t
135446Strhodesns_server_setdebuglevel(ns_server_t *server, char *args) {
135446Strhodes	char *ptr;
135446Strhodes	char *levelstr;
135446Strhodes	char *endp;
135446Strhodes	long newlevel;
135446Strhodes
135446Strhodes	UNUSED(server);
135446Strhodes
135446Strhodes	/* Skip the command name. */
135446Strhodes	ptr = next_token(&args, " \t");
135446Strhodes	if (ptr == NULL)
135446Strhodes		return (ISC_R_UNEXPECTEDEND);
135446Strhodes
135446Strhodes	/* Look for the new level name. */
135446Strhodes	levelstr = next_token(&args, " \t");
135446Strhodes	if (levelstr == NULL) {
135446Strhodes		if (ns_g_debuglevel < 99)
135446Strhodes			ns_g_debuglevel++;
135446Strhodes	} else {
135446Strhodes		newlevel = strtol(levelstr, &endp, 10);
135446Strhodes		if (*endp != '\0' || newlevel < 0 || newlevel > 99)
135446Strhodes			return (ISC_R_RANGE);
135446Strhodes		ns_g_debuglevel = (unsigned int)newlevel;
135446Strhodes	}
135446Strhodes	isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
193149Sdougb	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
193149Sdougb		      "debug level is now %d", ns_g_debuglevel);
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes}
135446Strhodes
135446Strhodesisc_result_t
170222Sdougbns_server_validation(ns_server_t *server, char *args) {
170222Sdougb	char *ptr, *viewname;
170222Sdougb	dns_view_t *view;
170222Sdougb	isc_boolean_t changed = ISC_FALSE;
170222Sdougb	isc_result_t result;
170222Sdougb	isc_boolean_t enable;
170222Sdougb
170222Sdougb	/* Skip the command name. */
170222Sdougb	ptr = next_token(&args, " \t");
170222Sdougb	if (ptr == NULL)
170222Sdougb		return (ISC_R_UNEXPECTEDEND);
170222Sdougb
170222Sdougb	/* Find out what we are to do. */
170222Sdougb	ptr = next_token(&args, " \t");
170222Sdougb	if (ptr == NULL)
170222Sdougb		return (ISC_R_UNEXPECTEDEND);
170222Sdougb
170222Sdougb	if (!strcasecmp(ptr, "on") || !strcasecmp(ptr, "yes") ||
170222Sdougb	    !strcasecmp(ptr, "enable") || !strcasecmp(ptr, "true"))
170222Sdougb		enable = ISC_TRUE;
170222Sdougb	else if (!strcasecmp(ptr, "off") || !strcasecmp(ptr, "no") ||
170222Sdougb		 !strcasecmp(ptr, "disable") || !strcasecmp(ptr, "false"))
170222Sdougb		enable = ISC_FALSE;
170222Sdougb	else
170222Sdougb		return (DNS_R_SYNTAX);
170222Sdougb
170222Sdougb	/* Look for the view name. */
170222Sdougb	viewname = next_token(&args, " \t");
170222Sdougb
170222Sdougb	result = isc_task_beginexclusive(server->task);
170222Sdougb	RUNTIME_CHECK(result == ISC_R_SUCCESS);
170222Sdougb	for (view = ISC_LIST_HEAD(server->viewlist);
170222Sdougb	     view != NULL;
170222Sdougb	     view = ISC_LIST_NEXT(view, link))
170222Sdougb	{
170222Sdougb		if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
170222Sdougb			continue;
170222Sdougb		result = dns_view_flushcache(view);
170222Sdougb		if (result != ISC_R_SUCCESS)
170222Sdougb			goto out;
170222Sdougb		view->enablevalidation = enable;
170222Sdougb		changed = ISC_TRUE;
170222Sdougb	}
170222Sdougb	if (changed)
170222Sdougb		result = ISC_R_SUCCESS;
170222Sdougb	else
170222Sdougb		result = ISC_R_FAILURE;
170222Sdougb out:
186462Sdougb	isc_task_endexclusive(server->task);
170222Sdougb	return (result);
170222Sdougb}
170222Sdougb
170222Sdougbisc_result_t
135446Strhodesns_server_flushcache(ns_server_t *server, char *args) {
135446Strhodes	char *ptr, *viewname;
135446Strhodes	dns_view_t *view;
174187Sdougb	isc_boolean_t flushed;
174187Sdougb	isc_boolean_t found;
135446Strhodes	isc_result_t result;
224092Sdougb	ns_cache_t *nsc;
135446Strhodes
135446Strhodes	/* Skip the command name. */
135446Strhodes	ptr = next_token(&args, " \t");
135446Strhodes	if (ptr == NULL)
135446Strhodes		return (ISC_R_UNEXPECTEDEND);
135446Strhodes
135446Strhodes	/* Look for the view name. */
135446Strhodes	viewname = next_token(&args, " \t");
135446Strhodes
135446Strhodes	result = isc_task_beginexclusive(server->task);
135446Strhodes	RUNTIME_CHECK(result == ISC_R_SUCCESS);
174187Sdougb	flushed = ISC_TRUE;
174187Sdougb	found = ISC_FALSE;
224092Sdougb
224092Sdougb	/*
224092Sdougb	 * Flushing a cache is tricky when caches are shared by multiple views.
224092Sdougb	 * We first identify which caches should be flushed in the local cache
224092Sdougb	 * list, flush these caches, and then update other views that refer to
224092Sdougb	 * the flushed cache DB.
224092Sdougb	 */
224092Sdougb	if (viewname != NULL) {
224092Sdougb		/*
224092Sdougb		 * Mark caches that need to be flushed.  This is an O(#view^2)
224092Sdougb		 * operation in the very worst case, but should be normally
224092Sdougb		 * much more lightweight because only a few (most typically just
224092Sdougb		 * one) views will match.
224092Sdougb		 */
224092Sdougb		for (view = ISC_LIST_HEAD(server->viewlist);
224092Sdougb		     view != NULL;
224092Sdougb		     view = ISC_LIST_NEXT(view, link))
224092Sdougb		{
224092Sdougb			if (strcasecmp(viewname, view->name) != 0)
224092Sdougb				continue;
224092Sdougb			found = ISC_TRUE;
224092Sdougb			for (nsc = ISC_LIST_HEAD(server->cachelist);
224092Sdougb			     nsc != NULL;
224092Sdougb			     nsc = ISC_LIST_NEXT(nsc, link)) {
224092Sdougb				if (nsc->cache == view->cache)
224092Sdougb					break;
224092Sdougb			}
224092Sdougb			INSIST(nsc != NULL);
224092Sdougb			nsc->needflush = ISC_TRUE;
224092Sdougb		}
224092Sdougb	} else
224092Sdougb		found = ISC_TRUE;
224092Sdougb
224092Sdougb	/* Perform flush */
224092Sdougb	for (nsc = ISC_LIST_HEAD(server->cachelist);
224092Sdougb	     nsc != NULL;
224092Sdougb	     nsc = ISC_LIST_NEXT(nsc, link)) {
224092Sdougb		if (viewname != NULL && !nsc->needflush)
135446Strhodes			continue;
224092Sdougb		nsc->needflush = ISC_TRUE;
224092Sdougb		result = dns_view_flushcache2(nsc->primaryview, ISC_FALSE);
193149Sdougb		if (result != ISC_R_SUCCESS) {
174187Sdougb			flushed = ISC_FALSE;
193149Sdougb			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
193149Sdougb				      "flushing cache in view '%s' failed: %s",
224092Sdougb				      nsc->primaryview->name,
224092Sdougb				      isc_result_totext(result));
193149Sdougb		}
135446Strhodes	}
224092Sdougb
224092Sdougb	/*
224092Sdougb	 * Fix up views that share a flushed cache: let the views update the
224092Sdougb	 * cache DB they're referring to.  This could also be an expensive
224092Sdougb	 * operation, but should typically be marginal: the inner loop is only
224092Sdougb	 * necessary for views that share a cache, and if there are many such
224092Sdougb	 * views the number of shared cache should normally be small.
224092Sdougb	 * A worst case is that we have n views and n/2 caches, each shared by
224092Sdougb	 * two views.  Then this will be a O(n^2/4) operation.
224092Sdougb	 */
224092Sdougb	for (view = ISC_LIST_HEAD(server->viewlist);
224092Sdougb	     view != NULL;
224092Sdougb	     view = ISC_LIST_NEXT(view, link))
224092Sdougb	{
224092Sdougb		if (!dns_view_iscacheshared(view))
224092Sdougb			continue;
224092Sdougb		for (nsc = ISC_LIST_HEAD(server->cachelist);
224092Sdougb		     nsc != NULL;
224092Sdougb		     nsc = ISC_LIST_NEXT(nsc, link)) {
224092Sdougb			if (!nsc->needflush || nsc->cache != view->cache)
224092Sdougb				continue;
224092Sdougb			result = dns_view_flushcache2(view, ISC_TRUE);
224092Sdougb			if (result != ISC_R_SUCCESS) {
224092Sdougb				flushed = ISC_FALSE;
224092Sdougb				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb					      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
224092Sdougb					      "fixing cache in view '%s' "
224092Sdougb					      "failed: %s", view->name,
224092Sdougb					      isc_result_totext(result));
224092Sdougb			}
224092Sdougb		}
224092Sdougb	}
224092Sdougb
224092Sdougb	/* Cleanup the cache list. */
224092Sdougb	for (nsc = ISC_LIST_HEAD(server->cachelist);
224092Sdougb	     nsc != NULL;
224092Sdougb	     nsc = ISC_LIST_NEXT(nsc, link)) {
224092Sdougb		nsc->needflush = ISC_FALSE;
224092Sdougb	}
224092Sdougb
174187Sdougb	if (flushed && found) {
193149Sdougb		if (viewname != NULL)
193149Sdougb			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
193149Sdougb				      "flushing cache in view '%s' succeeded",
193149Sdougb				      viewname);
193149Sdougb		else
193149Sdougb			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
193149Sdougb				      "flushing caches in all views succeeded");
135446Strhodes		result = ISC_R_SUCCESS;
174187Sdougb	} else {
193149Sdougb		if (!found) {
193149Sdougb			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
193149Sdougb				      "flushing cache in view '%s' failed: "
193149Sdougb				      "view not found", viewname);
174187Sdougb			result = ISC_R_NOTFOUND;
193149Sdougb		} else
174187Sdougb			result = ISC_R_FAILURE;
174187Sdougb	}
186462Sdougb	isc_task_endexclusive(server->task);
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesisc_result_t
254897Serwinns_server_flushnode(ns_server_t *server, char *args, isc_boolean_t tree) {
135446Strhodes	char *ptr, *target, *viewname;
135446Strhodes	dns_view_t *view;
174187Sdougb	isc_boolean_t flushed;
174187Sdougb	isc_boolean_t found;
135446Strhodes	isc_result_t result;
135446Strhodes	isc_buffer_t b;
135446Strhodes	dns_fixedname_t fixed;
135446Strhodes	dns_name_t *name;
135446Strhodes
135446Strhodes	/* Skip the command name. */
135446Strhodes	ptr = next_token(&args, " \t");
135446Strhodes	if (ptr == NULL)
135446Strhodes		return (ISC_R_UNEXPECTEDEND);
135446Strhodes
135446Strhodes	/* Find the domain name to flush. */
135446Strhodes	target = next_token(&args, " \t");
135446Strhodes	if (target == NULL)
135446Strhodes		return (ISC_R_UNEXPECTEDEND);
135446Strhodes
254402Serwin	isc_buffer_constinit(&b, target, strlen(target));
135446Strhodes	isc_buffer_add(&b, strlen(target));
135446Strhodes	dns_fixedname_init(&fixed);
135446Strhodes	name = dns_fixedname_name(&fixed);
224092Sdougb	result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (result);
135446Strhodes
135446Strhodes	/* Look for the view name. */
135446Strhodes	viewname = next_token(&args, " \t");
135446Strhodes
135446Strhodes	result = isc_task_beginexclusive(server->task);
135446Strhodes	RUNTIME_CHECK(result == ISC_R_SUCCESS);
135446Strhodes	flushed = ISC_TRUE;
174187Sdougb	found = ISC_FALSE;
135446Strhodes	for (view = ISC_LIST_HEAD(server->viewlist);
135446Strhodes	     view != NULL;
135446Strhodes	     view = ISC_LIST_NEXT(view, link))
135446Strhodes	{
135446Strhodes		if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
135446Strhodes			continue;
174187Sdougb		found = ISC_TRUE;
224092Sdougb		/*
224092Sdougb		 * It's a little inefficient to try flushing name for all views
224092Sdougb		 * if some of the views share a single cache.  But since the
224092Sdougb		 * operation is lightweight we prefer simplicity here.
224092Sdougb		 */
254897Serwin		result = dns_view_flushnode(view, name, tree);
193149Sdougb		if (result != ISC_R_SUCCESS) {
135446Strhodes			flushed = ISC_FALSE;
193149Sdougb			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
254897Serwin				      "flushing %s '%s' in cache view '%s' "
254897Serwin				      "failed: %s",
254897Serwin				      tree ? "tree" : "name",
254897Serwin				      target, view->name,
193149Sdougb				      isc_result_totext(result));
193149Sdougb		}
135446Strhodes	}
193149Sdougb	if (flushed && found) {
193149Sdougb		if (viewname != NULL)
193149Sdougb			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
254897Serwin				      "flushing %s '%s' in cache view '%s' "
254897Serwin				      "succeeded",
254897Serwin				      tree ? "tree" : "name",
254897Serwin				      target, viewname);
193149Sdougb		else
193149Sdougb			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
254897Serwin				      "flushing %s '%s' in all cache views "
254897Serwin				      "succeeded",
254897Serwin				      tree ? "tree" : "name",
254897Serwin				      target);
135446Strhodes		result = ISC_R_SUCCESS;
193149Sdougb	} else {
193149Sdougb		if (!found)
193149Sdougb			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
193149Sdougb				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
254897Serwin				      "flushing %s '%s' in cache view '%s' "
254897Serwin				      "failed: view not found",
254897Serwin				      tree ? "tree" : "name",
254897Serwin				      target, viewname);
135446Strhodes		result = ISC_R_FAILURE;
193149Sdougb	}
186462Sdougb	isc_task_endexclusive(server->task);
135446Strhodes	return (result);
135446Strhodes}
135446Strhodes
135446Strhodesisc_result_t
135446Strhodesns_server_status(ns_server_t *server, isc_buffer_t *text) {
135446Strhodes	int zonecount, xferrunning, xferdeferred, soaqueries;
135446Strhodes	unsigned int n;
193149Sdougb	const char *ob = "", *cb = "", *alt = "";
135446Strhodes
193149Sdougb	if (ns_g_server->version_set) {
193149Sdougb		ob = " (";
193149Sdougb		cb = ")";
193149Sdougb		if (ns_g_server->version == NULL)
193149Sdougb			alt = "version.bind/txt/ch disabled";
193149Sdougb		else
193149Sdougb			alt = ns_g_server->version;
193149Sdougb	}
135446Strhodes	zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
135446Strhodes	xferrunning = dns_zonemgr_getcount(server->zonemgr,
135446Strhodes					   DNS_ZONESTATE_XFERRUNNING);
135446Strhodes	xferdeferred = dns_zonemgr_getcount(server->zonemgr,
135446Strhodes					    DNS_ZONESTATE_XFERDEFERRED);
135446Strhodes	soaqueries = dns_zonemgr_getcount(server->zonemgr,
135446Strhodes					  DNS_ZONESTATE_SOAQUERY);
193149Sdougb
135446Strhodes	n = snprintf((char *)isc_buffer_used(text),
135446Strhodes		     isc_buffer_availablelength(text),
262706Serwin		     "version: %s%s%s%s <id:%s>\n"
193149Sdougb#ifdef ISC_PLATFORM_USETHREADS
193149Sdougb		     "CPUs found: %u\n"
193149Sdougb		     "worker threads: %u\n"
254897Serwin		     "UDP listeners per interface: %u\n"
193149Sdougb#endif
135446Strhodes		     "number of zones: %u\n"
135446Strhodes		     "debug level: %d\n"
135446Strhodes		     "xfers running: %u\n"
135446Strhodes		     "xfers deferred: %u\n"
135446Strhodes		     "soa queries in progress: %u\n"
135446Strhodes		     "query logging is %s\n"
170222Sdougb		     "recursive clients: %d/%d/%d\n"
135446Strhodes		     "tcp clients: %d/%d\n"
135446Strhodes		     "server is up and running",
262706Serwin		     ns_g_version, ob, alt, cb, ns_g_srcid,
193149Sdougb#ifdef ISC_PLATFORM_USETHREADS
254897Serwin		     ns_g_cpus_detected, ns_g_cpus, ns_g_udpdisp,
193149Sdougb#endif
135446Strhodes		     zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
135446Strhodes		     soaqueries, server->log_queries ? "ON" : "OFF",
170222Sdougb		     server->recursionquota.used, server->recursionquota.soft,
170222Sdougb		     server->recursionquota.max,
135446Strhodes		     server->tcpquota.used, server->tcpquota.max);
135446Strhodes	if (n >= isc_buffer_availablelength(text))
135446Strhodes		return (ISC_R_NOSPACE);
135446Strhodes	isc_buffer_add(text, n);
135446Strhodes	return (ISC_R_SUCCESS);
135446Strhodes}
135446Strhodes
193149Sdougbstatic isc_result_t
193149Sdougbdelete_keynames(dns_tsig_keyring_t *ring, char *target,
193149Sdougb		unsigned int *foundkeys)
193149Sdougb{
193149Sdougb	char namestr[DNS_NAME_FORMATSIZE];
193149Sdougb	isc_result_t result;
193149Sdougb	dns_rbtnodechain_t chain;
193149Sdougb	dns_name_t foundname;
193149Sdougb	dns_fixedname_t fixedorigin;
193149Sdougb	dns_name_t *origin;
193149Sdougb	dns_rbtnode_t *node;
193149Sdougb	dns_tsigkey_t *tkey;
193149Sdougb
193149Sdougb	dns_name_init(&foundname, NULL);
193149Sdougb	dns_fixedname_init(&fixedorigin);
193149Sdougb	origin = dns_fixedname_name(&fixedorigin);
193149Sdougb
193149Sdougb again:
193149Sdougb	dns_rbtnodechain_init(&chain, ring->mctx);
193149Sdougb	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
193149Sdougb					origin);
193149Sdougb	if (result == ISC_R_NOTFOUND) {
193149Sdougb		dns_rbtnodechain_invalidate(&chain);
193149Sdougb		return (ISC_R_SUCCESS);
193149Sdougb	}
193149Sdougb	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
193149Sdougb		dns_rbtnodechain_invalidate(&chain);
193149Sdougb		return (result);
193149Sdougb	}
193149Sdougb
193149Sdougb	for (;;) {
193149Sdougb		node = NULL;
193149Sdougb		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
193149Sdougb		tkey = node->data;
193149Sdougb
193149Sdougb		if (tkey != NULL) {
193149Sdougb			if (!tkey->generated)
193149Sdougb				goto nextkey;
193149Sdougb
193149Sdougb			dns_name_format(&tkey->name, namestr, sizeof(namestr));
193149Sdougb			if (strcmp(namestr, target) == 0) {
193149Sdougb				(*foundkeys)++;
193149Sdougb				dns_rbtnodechain_invalidate(&chain);
193149Sdougb				(void)dns_rbt_deletename(ring->keys,
193149Sdougb							 &tkey->name,
193149Sdougb							 ISC_FALSE);
193149Sdougb				goto again;
193149Sdougb			}
193149Sdougb		}
193149Sdougb
193149Sdougb	nextkey:
193149Sdougb		result = dns_rbtnodechain_next(&chain, &foundname, origin);
193149Sdougb		if (result == ISC_R_NOMORE)
193149Sdougb			break;
193149Sdougb		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
193149Sdougb			dns_rbtnodechain_invalidate(&chain);
193149Sdougb			return (result);
193149Sdougb		}
193149Sdougb	}
193149Sdougb
193149Sdougb	return (ISC_R_SUCCESS);
193149Sdougb}
193149Sdougb
193149Sdougbisc_result_t
193149Sdougbns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text) {
193149Sdougb	isc_result_t result;
193149Sdougb	unsigned int n;
193149Sdougb	dns_view_t *view;
193149Sdougb	unsigned int foundkeys = 0;
193149Sdougb	char *target;
193149Sdougb	char *viewname;
193149Sdougb
193149Sdougb	(void)next_token(&command, " \t");  /* skip command name */
193149Sdougb	target = next_token(&command, " \t");
193149Sdougb	if (target == NULL)
193149Sdougb		return (ISC_R_UNEXPECTEDEND);
193149Sdougb	viewname = next_token(&command, " \t");
193149Sdougb
193149Sdougb	result = isc_task_beginexclusive(server->task);
193149Sdougb	RUNTIME_CHECK(result == ISC_R_SUCCESS);
193149Sdougb	for (view = ISC_LIST_HEAD(server->viewlist);
193149Sdougb	     view != NULL;
193149Sdougb	     view = ISC_LIST_NEXT(view, link)) {
193149Sdougb		if (viewname == NULL || strcmp(view->name, viewname) == 0) {
193149Sdougb			RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write);
193149Sdougb			result = delete_keynames(view->dynamickeys, target,
193149Sdougb						 &foundkeys);
193149Sdougb			RWUNLOCK(&view->dynamickeys->lock,
193149Sdougb				 isc_rwlocktype_write);
193149Sdougb			if (result != ISC_R_SUCCESS) {
193149Sdougb				isc_task_endexclusive(server->task);
193149Sdougb				return (result);
193149Sdougb			}
193149Sdougb		}
193149Sdougb	}
193149Sdougb	isc_task_endexclusive(server->task);
193149Sdougb
193149Sdougb	n = snprintf((char *)isc_buffer_used(text),
193149Sdougb		     isc_buffer_availablelength(text),
193149Sdougb		     "%d tsig keys deleted.\n", foundkeys);
218384Sdougb	if (n >= isc_buffer_availablelength(text))
193149Sdougb		return (ISC_R_NOSPACE);
193149Sdougb	isc_buffer_add(text, n);
193149Sdougb
193149Sdougb	return (ISC_R_SUCCESS);
193149Sdougb}
193149Sdougb
193149Sdougbstatic isc_result_t
193149Sdougblist_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
193149Sdougb	     unsigned int *foundkeys)
193149Sdougb{
193149Sdougb	char namestr[DNS_NAME_FORMATSIZE];
193149Sdougb	char creatorstr[DNS_NAME_FORMATSIZE];
193149Sdougb	isc_result_t result;
193149Sdougb	dns_rbtnodechain_t chain;
193149Sdougb	dns_name_t foundname;
193149Sdougb	dns_fixedname_t fixedorigin;
193149Sdougb	dns_name_t *origin;
193149Sdougb	dns_rbtnode_t *node;
193149Sdougb	dns_tsigkey_t *tkey;
193149Sdougb	unsigned int n;
193149Sdougb	const char *viewname;
193149Sdougb
193149Sdougb	if (view != NULL)
193149Sdougb		viewname = view->name;
193149Sdougb	else
193149Sdougb		viewname = "(global)";
193149Sdougb
193149Sdougb	dns_name_init(&foundname, NULL);
193149Sdougb	dns_fixedname_init(&fixedorigin);
193149Sdougb	origin = dns_fixedname_name(&fixedorigin);
193149Sdougb	dns_rbtnodechain_init(&chain, ring->mctx);
193149Sdougb	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
193149Sdougb					origin);
193149Sdougb	if (result == ISC_R_NOTFOUND) {
193149Sdougb		dns_rbtnodechain_invalidate(&chain);
193149Sdougb		return (ISC_R_SUCCESS);
193149Sdougb	}
193149Sdougb	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
193149Sdougb		dns_rbtnodechain_invalidate(&chain);
193149Sdougb		return (result);
193149Sdougb	}
193149Sdougb
193149Sdougb	for (;;) {
193149Sdougb		node = NULL;
193149Sdougb		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
193149Sdougb		tkey = node->data;
193149Sdougb
193149Sdougb		if (tkey != NULL) {
193149Sdougb			(*foundkeys)++;
193149Sdougb			dns_name_format(&tkey->name, namestr, sizeof(namestr));
193149Sdougb			if (tkey->generated) {
193149Sdougb				dns_name_format(tkey->creator, creatorstr,
193149Sdougb						sizeof(creatorstr));
193149Sdougb				n = snprintf((char *)isc_buffer_used(text),
193149Sdougb					     isc_buffer_availablelength(text),
193149Sdougb					     "view \"%s\"; type \"dynamic\"; key \"%s\"; creator \"%s\";\n",
193149Sdougb					     viewname, namestr, creatorstr);
193149Sdougb			} else {
193149Sdougb				n = snprintf((char *)isc_buffer_used(text),
193149Sdougb					     isc_buffer_availablelength(text),
193149Sdougb					     "view \"%s\"; type \"static\"; key \"%s\";\n",
193149Sdougb					     viewname, namestr);
193149Sdougb			}
193149Sdougb			if (n >= isc_buffer_availablelength(text)) {
193149Sdougb				dns_rbtnodechain_invalidate(&chain);
193149Sdougb				return (ISC_R_NOSPACE);
193149Sdougb			}
193149Sdougb			isc_buffer_add(text, n);
193149Sdougb		}
193149Sdougb		result = dns_rbtnodechain_next(&chain, &foundname, origin);
193149Sdougb		if (result == ISC_R_NOMORE)
193149Sdougb			break;
193149Sdougb		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
193149Sdougb			dns_rbtnodechain_invalidate(&chain);
193149Sdougb			return (result);
193149Sdougb		}
193149Sdougb	}
193149Sdougb
193149Sdougb	return (ISC_R_SUCCESS);
193149Sdougb}
193149Sdougb
193149Sdougbisc_result_t
193149Sdougbns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
193149Sdougb	isc_result_t result;
193149Sdougb	unsigned int n;
193149Sdougb	dns_view_t *view;
193149Sdougb	unsigned int foundkeys = 0;
193149Sdougb
193149Sdougb	result = isc_task_beginexclusive(server->task);
193149Sdougb	RUNTIME_CHECK(result == ISC_R_SUCCESS);
193149Sdougb	for (view = ISC_LIST_HEAD(server->viewlist);
193149Sdougb	     view != NULL;
193149Sdougb	     view = ISC_LIST_NEXT(view, link)) {
193149Sdougb		RWLOCK(&view->statickeys->lock, isc_rwlocktype_read);
193149Sdougb		result = list_keynames(view, view->statickeys, text,
193149Sdougb				       &foundkeys);
193149Sdougb		RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read);
193149Sdougb		if (result != ISC_R_SUCCESS) {
193149Sdougb			isc_task_endexclusive(server->task);
193149Sdougb			return (result);
193149Sdougb		}
193149Sdougb		RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
193149Sdougb		result = list_keynames(view, view->dynamickeys, text,
193149Sdougb				       &foundkeys);
193149Sdougb		RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
193149Sdougb		if (result != ISC_R_SUCCESS) {
193149Sdougb			isc_task_endexclusive(server->task);
193149Sdougb			return (result);
193149Sdougb		}
193149Sdougb	}
193149Sdougb	isc_task_endexclusive(server->task);
193149Sdougb
193149Sdougb	if (foundkeys == 0) {
193149Sdougb		n = snprintf((char *)isc_buffer_used(text),
193149Sdougb			     isc_buffer_availablelength(text),
193149Sdougb			     "no tsig keys found.\n");
218384Sdougb		if (n >= isc_buffer_availablelength(text))
193149Sdougb			return (ISC_R_NOSPACE);
193149Sdougb		isc_buffer_add(text, n);
193149Sdougb	}
193149Sdougb
193149Sdougb	return (ISC_R_SUCCESS);
193149Sdougb}
193149Sdougb
135446Strhodes/*
224092Sdougb * Act on a "sign" or "loadkeys" command from the command channel.
224092Sdougb */
224092Sdougbisc_result_t
262706Serwinns_server_rekey(ns_server_t *server, char *args, isc_buffer_t *text) {
224092Sdougb	isc_result_t result;
224092Sdougb	dns_zone_t *zone = NULL;
224092Sdougb	dns_zonetype_t type;
224092Sdougb	isc_uint16_t keyopts;
224092Sdougb	isc_boolean_t fullsign = ISC_FALSE;
224092Sdougb
224092Sdougb	if (strncasecmp(args, NS_COMMAND_SIGN, strlen(NS_COMMAND_SIGN)) == 0)
224092Sdougb	    fullsign = ISC_TRUE;
224092Sdougb
262706Serwin	result = zone_from_args(server, args, NULL, &zone, NULL,
262706Serwin				text, ISC_TRUE);
224092Sdougb	if (result != ISC_R_SUCCESS)
224092Sdougb		return (result);
224092Sdougb	if (zone == NULL)
224092Sdougb		return (ISC_R_UNEXPECTEDEND);   /* XXX: or do all zones? */
224092Sdougb
224092Sdougb	type = dns_zone_gettype(zone);
224092Sdougb	if (type != dns_zone_master) {
224092Sdougb		dns_zone_detach(&zone);
224092Sdougb		return (DNS_R_NOTMASTER);
224092Sdougb	}
224092Sdougb
224092Sdougb	keyopts = dns_zone_getkeyopts(zone);
224092Sdougb
224092Sdougb	/* "rndc loadkeys" requires "auto-dnssec maintain". */
224092Sdougb	if ((keyopts & DNS_ZONEKEY_ALLOW) == 0)
224092Sdougb		result = ISC_R_NOPERM;
224092Sdougb	else if ((keyopts & DNS_ZONEKEY_MAINTAIN) == 0 && !fullsign)
224092Sdougb		result = ISC_R_NOPERM;
224092Sdougb	else
224092Sdougb		dns_zone_rekey(zone, fullsign);
224092Sdougb
224092Sdougb	dns_zone_detach(&zone);
224092Sdougb	return (result);
224092Sdougb}
224092Sdougb
224092Sdougb/*
254897Serwin * Act on a "sync" command from the command channel.
254897Serwin*/
254897Serwinstatic isc_result_t
254897Serwinsynczone(dns_zone_t *zone, void *uap) {
254897Serwin	isc_boolean_t cleanup = *(isc_boolean_t *)uap;
254897Serwin	isc_result_t result;
254897Serwin	dns_zone_t *raw = NULL;
254897Serwin	char *journal;
254897Serwin
254897Serwin	dns_zone_getraw(zone, &raw);
254897Serwin	if (raw != NULL) {
254897Serwin		synczone(raw, uap);
254897Serwin		dns_zone_detach(&raw);
254897Serwin	}
254897Serwin
254897Serwin	result = dns_zone_flush(zone);
254897Serwin	if (result != ISC_R_SUCCESS)
254897Serwin		cleanup = ISC_FALSE;
254897Serwin	if (cleanup) {
254897Serwin		journal = dns_zone_getjournal(zone);
254897Serwin		if (journal != NULL)
254897Serwin			(void)isc_file_remove(journal);
254897Serwin	}
254897Serwin
254897Serwin	return (result);
254897Serwin}
254897Serwin
254897Serwinisc_result_t
254897Serwinns_server_sync(ns_server_t *server, char *args, isc_buffer_t *text) {
254897Serwin	isc_result_t result, tresult;
254897Serwin	dns_view_t *view;
254897Serwin	dns_zone_t *zone = NULL;
254897Serwin	char classstr[DNS_RDATACLASS_FORMATSIZE];
254897Serwin	char zonename[DNS_NAME_FORMATSIZE];
254897Serwin	const char *vname, *sep, *msg = NULL, *arg;
254897Serwin	isc_boolean_t cleanup = ISC_FALSE;
254897Serwin
254897Serwin	(void) next_token(&args, " \t");
254897Serwin
254897Serwin	arg = next_token(&args, " \t");
254897Serwin	if (arg != NULL &&
254897Serwin	    (strcmp(arg, "-clean") == 0 || strcmp(arg, "-clear") == 0)) {
254897Serwin		cleanup = ISC_TRUE;
254897Serwin		arg = next_token(&args, " \t");
254897Serwin	}
254897Serwin
262706Serwin	result = zone_from_args(server, args, arg, &zone, NULL,
262706Serwin				text, ISC_FALSE);
254897Serwin	if (result != ISC_R_SUCCESS)
254897Serwin		return (result);
254897Serwin
254897Serwin	if (zone == NULL) {
254897Serwin		result = isc_task_beginexclusive(server->task);
254897Serwin		RUNTIME_CHECK(result == ISC_R_SUCCESS);
254897Serwin		tresult = ISC_R_SUCCESS;
254897Serwin		for (view = ISC_LIST_HEAD(server->viewlist);
254897Serwin		     view != NULL;
254897Serwin		     view = ISC_LIST_NEXT(view, link)) {
254897Serwin			result = dns_zt_apply(view->zonetable, ISC_FALSE,
254897Serwin					      synczone, &cleanup);
254897Serwin			if (result != ISC_R_SUCCESS &&
254897Serwin			    tresult == ISC_R_SUCCESS)
254897Serwin				tresult = result;
254897Serwin		}
254897Serwin		isc_task_endexclusive(server->task);
254897Serwin		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
254897Serwin			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
254897Serwin			      "dumping all zones%s: %s",
254897Serwin			      cleanup ? ", removing journal files" : "",
254897Serwin			      isc_result_totext(result));
254897Serwin		return (tresult);
254897Serwin	}
254897Serwin
254897Serwin	result = isc_task_beginexclusive(server->task);
254897Serwin	RUNTIME_CHECK(result == ISC_R_SUCCESS);
254897Serwin	result = synczone(zone, &cleanup);
254897Serwin	isc_task_endexclusive(server->task);
254897Serwin
254897Serwin	if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
254897Serwin		isc_buffer_putmem(text, (const unsigned char *)msg,
254897Serwin				  strlen(msg) + 1);
254897Serwin
254897Serwin	view = dns_zone_getview(zone);
254897Serwin	if (strcmp(view->name, "_default") == 0 ||
254897Serwin	    strcmp(view->name, "_bind") == 0)
254897Serwin	{
254897Serwin		vname = "";
254897Serwin		sep = "";
254897Serwin	} else {
254897Serwin		vname = view->name;
254897Serwin		sep = " ";
254897Serwin	}
254897Serwin	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
254897Serwin			      sizeof(classstr));
254897Serwin	dns_name_format(dns_zone_getorigin(zone),
254897Serwin			zonename, sizeof(zonename));
254897Serwin	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
254897Serwin		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
254897Serwin		      "sync: dumping zone '%s/%s'%s%s%s: %s",
254897Serwin		      zonename, classstr, sep, vname,
254897Serwin		      cleanup ? ", removing journal file" : "",
254897Serwin		      isc_result_totext(result));
254897Serwin	dns_zone_detach(&zone);
254897Serwin	return (result);
254897Serwin}
254897Serwin
254897Serwin/*
170222Sdougb * Act on a "freeze" or "thaw" command from the command channel.
135446Strhodes */
135446Strhodesisc_result_t
204619Sdougbns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
204619Sdougb		 isc_buffer_t *text)
204619Sdougb{
170222Sdougb	isc_result_t result, tresult;
254897Serwin	dns_zone_t *zone = NULL, *raw = NULL;
135446Strhodes	dns_zonetype_t type;
135446Strhodes	char classstr[DNS_RDATACLASS_FORMATSIZE];
135446Strhodes	char zonename[DNS_NAME_FORMATSIZE];
135446Strhodes	dns_view_t *view;
135446Strhodes	const char *vname, *sep;
135446Strhodes	isc_boolean_t frozen;
204619Sdougb	const char *msg = NULL;
186462Sdougb
262706Serwin	result = zone_from_args(server, args, NULL, &zone, NULL,
262706Serwin				text, ISC_TRUE);
135446Strhodes	if (result != ISC_R_SUCCESS)
135446Strhodes		return (result);
170222Sdougb	if (zone == NULL) {
170222Sdougb		result = isc_task_beginexclusive(server->task);
170222Sdougb		RUNTIME_CHECK(result == ISC_R_SUCCESS);
170222Sdougb		tresult = ISC_R_SUCCESS;
186462Sdougb		for (view = ISC_LIST_HEAD(server->viewlist);
170222Sdougb		     view != NULL;
170222Sdougb		     view = ISC_LIST_NEXT(view, link)) {
170222Sdougb			result = dns_view_freezezones(view, freeze);
170222Sdougb			if (result != ISC_R_SUCCESS &&
170222Sdougb			    tresult == ISC_R_SUCCESS)
170222Sdougb				tresult = result;
170222Sdougb		}
170222Sdougb		isc_task_endexclusive(server->task);
170222Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
170222Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
170222Sdougb			      "%s all zones: %s",
170222Sdougb			      freeze ? "freezing" : "thawing",
170222Sdougb			      isc_result_totext(tresult));
170222Sdougb		return (tresult);
170222Sdougb	}
254897Serwin	dns_zone_getraw(zone, &raw);
254897Serwin	if (raw != NULL) {
254897Serwin		dns_zone_detach(&zone);
254897Serwin		dns_zone_attach(raw, &zone);
254897Serwin		dns_zone_detach(&raw);
254897Serwin	}
135446Strhodes	type = dns_zone_gettype(zone);
135446Strhodes	if (type != dns_zone_master) {
135446Strhodes		dns_zone_detach(&zone);
224092Sdougb		return (DNS_R_NOTMASTER);
135446Strhodes	}
135446Strhodes
254897Serwin	if (freeze && !dns_zone_isdynamic(zone, ISC_TRUE)) {
254897Serwin		dns_zone_detach(&zone);
254897Serwin		return (DNS_R_NOTDYNAMIC);
254897Serwin	}
254897Serwin
204619Sdougb	result = isc_task_beginexclusive(server->task);
204619Sdougb	RUNTIME_CHECK(result == ISC_R_SUCCESS);
135446Strhodes	frozen = dns_zone_getupdatedisabled(zone);
135446Strhodes	if (freeze) {
204619Sdougb		if (frozen) {
204619Sdougb			msg = "WARNING: The zone was already frozen.\n"
204619Sdougb			      "Someone else may be editing it or "
204619Sdougb			      "it may still be re-loading.";
135446Strhodes			result = DNS_R_FROZEN;
204619Sdougb		}
204619Sdougb		if (result == ISC_R_SUCCESS) {
135446Strhodes			result = dns_zone_flush(zone);
204619Sdougb			if (result != ISC_R_SUCCESS)
204619Sdougb				msg = "Flushing the zone updates to "
204619Sdougb				      "disk failed.";
204619Sdougb		}
204619Sdougb		if (result == ISC_R_SUCCESS)
204619Sdougb			dns_zone_setupdatedisabled(zone, freeze);
135446Strhodes	} else {
135446Strhodes		if (frozen) {
204619Sdougb			result = dns_zone_loadandthaw(zone);
204619Sdougb			switch (result) {
204619Sdougb			case ISC_R_SUCCESS:
204619Sdougb			case DNS_R_UPTODATE:
204619Sdougb				msg = "The zone reload and thaw was "
204619Sdougb				      "successful.";
135446Strhodes				result = ISC_R_SUCCESS;
204619Sdougb				break;
204619Sdougb			case DNS_R_CONTINUE:
204619Sdougb				msg = "A zone reload and thaw was started.\n"
204619Sdougb				      "Check the logs to see the result.";
204619Sdougb				result = ISC_R_SUCCESS;
204619Sdougb				break;
204619Sdougb			}
135446Strhodes		}
135446Strhodes	}
204619Sdougb	isc_task_endexclusive(server->task);
135446Strhodes
204619Sdougb	if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
204619Sdougb		isc_buffer_putmem(text, (const unsigned char *)msg,
204619Sdougb				  strlen(msg) + 1);
204619Sdougb
135446Strhodes	view = dns_zone_getview(zone);
224092Sdougb	if (strcmp(view->name, "_default") == 0 ||
224092Sdougb	    strcmp(view->name, "_bind") == 0)
135446Strhodes	{
135446Strhodes		vname = "";
135446Strhodes		sep = "";
135446Strhodes	} else {
135446Strhodes		vname = view->name;
135446Strhodes		sep = " ";
135446Strhodes	}
135446Strhodes	dns_rdataclass_format(dns_zone_getclass(zone), classstr,
135446Strhodes			      sizeof(classstr));
135446Strhodes	dns_name_format(dns_zone_getorigin(zone),
135446Strhodes			zonename, sizeof(zonename));
135446Strhodes	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
135446Strhodes		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
135446Strhodes		      "%s zone '%s/%s'%s%s: %s",
170222Sdougb		      freeze ? "freezing" : "thawing",
135446Strhodes		      zonename, classstr, sep, vname,
135446Strhodes		      isc_result_totext(result));
135446Strhodes	dns_zone_detach(&zone);
135446Strhodes	return (result);
135446Strhodes}
153816Sdougb
153816Sdougb#ifdef HAVE_LIBSCF
153816Sdougb/*
153816Sdougb * This function adds a message for rndc to echo if named
153816Sdougb * is managed by smf and is also running chroot.
153816Sdougb */
153816Sdougbisc_result_t
153816Sdougbns_smf_add_message(isc_buffer_t *text) {
153816Sdougb	unsigned int n;
153816Sdougb
153816Sdougb	n = snprintf((char *)isc_buffer_used(text),
153816Sdougb		isc_buffer_availablelength(text),
153816Sdougb		"use svcadm(1M) to manage named");
153816Sdougb	if (n >= isc_buffer_availablelength(text))
153816Sdougb		return (ISC_R_NOSPACE);
153816Sdougb	isc_buffer_add(text, n);
153816Sdougb	return (ISC_R_SUCCESS);
153816Sdougb}
153816Sdougb#endif /* HAVE_LIBSCF */
224092Sdougb
224092Sdougb/*
262706Serwin * Emit a comment at the top of the nzf file containing the viewname
262706Serwin * Expects the fp to already be open for writing
262706Serwin */
262706Serwin#define HEADER1 "# New zone file for view: "
262706Serwin#define HEADER2 "\n# This file contains configuration for zones added by\n" \
262706Serwin		"# the 'rndc addzone' command. DO NOT EDIT BY HAND.\n"
262706Serwinisc_result_t
262706Serwinadd_comment(FILE *fp, const char *viewname) {
262706Serwin	isc_result_t result;
262706Serwin	CHECK(isc_stdio_write(HEADER1, sizeof(HEADER1) - 1, 1, fp, NULL));
262706Serwin	CHECK(isc_stdio_write(viewname, strlen(viewname), 1, fp, NULL));
262706Serwin	CHECK(isc_stdio_write(HEADER2, sizeof(HEADER2) - 1, 1, fp, NULL));
262706Serwin cleanup:
262706Serwin	return (result);
262706Serwin}
262706Serwin
262706Serwin/*
224092Sdougb * Act on an "addzone" command from the command channel.
224092Sdougb */
224092Sdougbisc_result_t
224092Sdougbns_server_add_zone(ns_server_t *server, char *args) {
224092Sdougb	isc_result_t	     result;
224092Sdougb	isc_buffer_t	     argbuf;
224092Sdougb	size_t		     arglen;
224092Sdougb	cfg_parser_t	    *parser = NULL;
224092Sdougb	cfg_obj_t	    *config = NULL;
224092Sdougb	const cfg_obj_t	    *vconfig = NULL;
224092Sdougb	const cfg_obj_t	    *views = NULL;
224092Sdougb	const cfg_obj_t     *parms = NULL;
224092Sdougb	const cfg_obj_t     *obj = NULL;
224092Sdougb	const cfg_listelt_t *element;
224092Sdougb	const char	    *zonename;
224092Sdougb	const char	    *classname = NULL;
224092Sdougb	const char	    *argp;
224092Sdougb	const char	    *viewname = NULL;
224092Sdougb	dns_rdataclass_t     rdclass;
224092Sdougb	dns_view_t	    *view = 0;
262706Serwin	isc_buffer_t	     buf;
262706Serwin	dns_fixedname_t	     fname;
262706Serwin	dns_name_t	    *dnsname;
224092Sdougb	dns_zone_t	    *zone = NULL;
224092Sdougb	FILE		    *fp = NULL;
224092Sdougb	struct cfg_context  *cfg = NULL;
262706Serwin	char 		    namebuf[DNS_NAME_FORMATSIZE];
262706Serwin	off_t		    offset;
224092Sdougb
224092Sdougb	/* Try to parse the argument string */
224092Sdougb	arglen = strlen(args);
262706Serwin	isc_buffer_init(&argbuf, args, (unsigned int)arglen);
224092Sdougb	isc_buffer_add(&argbuf, strlen(args));
224092Sdougb	CHECK(cfg_parser_create(server->mctx, ns_g_lctx, &parser));
224092Sdougb	CHECK(cfg_parse_buffer(parser, &argbuf, &cfg_type_addzoneconf,
224092Sdougb			       &config));
224092Sdougb	CHECK(cfg_map_get(config, "addzone", &parms));
224092Sdougb
224092Sdougb	zonename = cfg_obj_asstring(cfg_tuple_get(parms, "name"));
254402Serwin	isc_buffer_constinit(&buf, zonename, strlen(zonename));
224092Sdougb	isc_buffer_add(&buf, strlen(zonename));
224092Sdougb
262706Serwin	dns_fixedname_init(&fname);
262706Serwin	dnsname = dns_fixedname_name(&fname);
262706Serwin	CHECK(dns_name_fromtext(dnsname, &buf, dns_rootname, ISC_FALSE, NULL));
262706Serwin
224092Sdougb	/* Make sense of optional class argument */
224092Sdougb	obj = cfg_tuple_get(parms, "class");
224092Sdougb	CHECK(ns_config_getclass(obj, dns_rdataclass_in, &rdclass));
224092Sdougb	if (rdclass != dns_rdataclass_in && obj)
224092Sdougb		classname = cfg_obj_asstring(obj);
224092Sdougb
224092Sdougb	/* Make sense of optional view argument */
224092Sdougb	obj = cfg_tuple_get(parms, "view");
224092Sdougb	if (obj && cfg_obj_isstring(obj))
224092Sdougb		viewname = cfg_obj_asstring(obj);
224092Sdougb	if (viewname == NULL || *viewname == '\0')
224092Sdougb		viewname = "_default";
224092Sdougb	CHECK(dns_viewlist_find(&server->viewlist, viewname, rdclass, &view));
224092Sdougb
224092Sdougb	/* Are we accepting new zones? */
224092Sdougb	if (view->new_zone_file == NULL) {
224092Sdougb		result = ISC_R_NOPERM;
224092Sdougb		goto cleanup;
224092Sdougb	}
224092Sdougb
224092Sdougb	cfg = (struct cfg_context *) view->new_zone_config;
224092Sdougb	if (cfg == NULL) {
224092Sdougb		result = ISC_R_FAILURE;
224092Sdougb		goto cleanup;
224092Sdougb	}
224092Sdougb
224092Sdougb	/* Zone shouldn't already exist */
262706Serwin	result = dns_zt_find(view->zonetable, dnsname, 0, NULL, &zone);
224092Sdougb	if (result == ISC_R_SUCCESS) {
224092Sdougb		result = ISC_R_EXISTS;
224092Sdougb		goto cleanup;
224092Sdougb	} else if (result == DNS_R_PARTIALMATCH) {
224092Sdougb		/* Create our sub-zone anyway */
224092Sdougb		dns_zone_detach(&zone);
224092Sdougb		zone = NULL;
224092Sdougb	}
224092Sdougb	else if (result != ISC_R_NOTFOUND)
224092Sdougb		goto cleanup;
224092Sdougb
224092Sdougb	/* Find the view statement */
224092Sdougb	cfg_map_get(cfg->config, "view", &views);
224092Sdougb	for (element = cfg_list_first(views);
224092Sdougb	     element != NULL;
224092Sdougb	     element = cfg_list_next(element))
224092Sdougb	{
224092Sdougb		const char *vname;
224092Sdougb		vconfig = cfg_listelt_value(element);
224092Sdougb		vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
224092Sdougb		if (vname && !strcasecmp(vname, viewname))
224092Sdougb			break;
224092Sdougb		vconfig = NULL;
224092Sdougb	}
224092Sdougb
224092Sdougb	/* Open save file for write configuration */
224092Sdougb	CHECK(isc_stdio_open(view->new_zone_file, "a", &fp));
262706Serwin	CHECK(isc_stdio_tell(fp, &offset));
262706Serwin	if (offset == 0)
262706Serwin		CHECK(add_comment(fp, view->name));
224092Sdougb
224092Sdougb	/* Mark view unfrozen so that zone can be added */
254402Serwin	result = isc_task_beginexclusive(server->task);
254402Serwin	RUNTIME_CHECK(result == ISC_R_SUCCESS);
224092Sdougb	dns_view_thaw(view);
224092Sdougb	result = configure_zone(cfg->config, parms, vconfig,
225361Sdougb				server->mctx, view, cfg->actx, ISC_FALSE);
224092Sdougb	dns_view_freeze(view);
234010Sdougb	isc_task_endexclusive(server->task);
234010Sdougb	if (result != ISC_R_SUCCESS)
224092Sdougb		goto cleanup;
224092Sdougb
224092Sdougb	/* Is it there yet? */
262706Serwin	CHECK(dns_zt_find(view->zonetable, dnsname, 0, NULL, &zone));
224092Sdougb
224092Sdougb	/*
224092Sdougb	 * Load the zone from the master file.  If this fails, we'll
224092Sdougb	 * need to undo the configuration we've done already.
224092Sdougb	 */
224092Sdougb	result = dns_zone_loadnew(zone);
224092Sdougb	if (result != ISC_R_SUCCESS) {
224092Sdougb		dns_db_t *dbp = NULL;
224092Sdougb
224092Sdougb		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
224092Sdougb			      "addzone failed; reverting.");
224092Sdougb
224092Sdougb		/* If the zone loaded partially, unload it */
224092Sdougb		if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
224092Sdougb			dns_db_detach(&dbp);
224092Sdougb			dns_zone_unload(zone);
224092Sdougb		}
224092Sdougb
224092Sdougb		/* Remove the zone from the zone table */
224092Sdougb		dns_zt_unmount(view->zonetable, zone);
224092Sdougb		goto cleanup;
224092Sdougb	}
224092Sdougb
224092Sdougb	/* Flag the zone as having been added at runtime */
224092Sdougb	dns_zone_setadded(zone, ISC_TRUE);
224092Sdougb
262706Serwin	/* Emit the zone name, quoted and escaped */
262706Serwin	isc_buffer_init(&buf, namebuf, sizeof(namebuf));
262706Serwin	CHECK(dns_name_totext(dnsname, ISC_TRUE, &buf));
262706Serwin	isc_buffer_putuint8(&buf, 0);
262706Serwin	CHECK(isc_stdio_write("zone \"", 6, 1, fp, NULL));
262706Serwin	CHECK(isc_stdio_write(namebuf, strlen(namebuf), 1, fp, NULL));
262706Serwin	CHECK(isc_stdio_write("\" ", 2, 1, fp, NULL));
224092Sdougb
224092Sdougb	/* Classname, if not default */
224092Sdougb	if (classname != NULL && *classname != '\0') {
224092Sdougb		CHECK(isc_stdio_write(classname, strlen(classname), 1, fp,
224092Sdougb				      NULL));
224092Sdougb		CHECK(isc_stdio_write(" ", 1, 1, fp, NULL));
224092Sdougb	}
224092Sdougb
224092Sdougb	/* Find beginning of option block from args */
224092Sdougb	for (argp = args; *argp; argp++, arglen--) {
224092Sdougb		if (*argp == '{') {	/* Assume matching '}' */
224092Sdougb			/* Add that to our file */
224092Sdougb			CHECK(isc_stdio_write(argp, arglen, 1, fp, NULL));
224092Sdougb
224092Sdougb			/* Make sure we end with a LF */
224092Sdougb			if (argp[arglen-1] != '\n') {
224092Sdougb				CHECK(isc_stdio_write("\n", 1, 1, fp, NULL));
224092Sdougb			}
224092Sdougb			break;
224092Sdougb		}
224092Sdougb	}
224092Sdougb
224092Sdougb	CHECK(isc_stdio_close(fp));
224092Sdougb	fp = NULL;
224092Sdougb	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb				  NS_LOGMODULE_SERVER, ISC_LOG_INFO,
224092Sdougb				  "zone %s added to view %s via addzone",
224092Sdougb				  zonename, viewname);
224092Sdougb
224092Sdougb	result = ISC_R_SUCCESS;
224092Sdougb
224092Sdougb cleanup:
224092Sdougb	if (fp != NULL)
224092Sdougb		isc_stdio_close(fp);
224092Sdougb	if (parser != NULL) {
224092Sdougb		if (config != NULL)
224092Sdougb			cfg_obj_destroy(parser, &config);
224092Sdougb		cfg_parser_destroy(&parser);
224092Sdougb	}
224092Sdougb	if (zone != NULL)
224092Sdougb		dns_zone_detach(&zone);
224092Sdougb	if (view != NULL)
224092Sdougb		dns_view_detach(&view);
224092Sdougb
224092Sdougb	return (result);
224092Sdougb}
224092Sdougb
224092Sdougb/*
224092Sdougb * Act on a "delzone" command from the command channel.
224092Sdougb */
224092Sdougbisc_result_t
262706Serwinns_server_del_zone(ns_server_t *server, char *args, isc_buffer_t *text) {
262706Serwin	isc_result_t result;
262706Serwin	dns_zone_t *zone = NULL;
262706Serwin	dns_view_t *view = NULL;
262706Serwin	dns_db_t *dbp = NULL;
262706Serwin	const char *filename = NULL;
262706Serwin	char *tmpname = NULL;
262706Serwin	char buf[1024];
262706Serwin	const char *zonename = NULL;
262706Serwin	size_t znamelen = 0;
262706Serwin	FILE *ifp = NULL, *ofp = NULL;
262706Serwin	isc_boolean_t inheader = ISC_TRUE;
224092Sdougb
224092Sdougb	/* Parse parameters */
262706Serwin	CHECK(zone_from_args(server, args, NULL, &zone, &zonename,
262706Serwin			     text, ISC_TRUE));
254402Serwin
224092Sdougb	if (zone == NULL) {
224092Sdougb		result = ISC_R_UNEXPECTEDEND;
224092Sdougb		goto cleanup;
224092Sdougb	}
224092Sdougb
224092Sdougb	/*
224092Sdougb	 * Was this zone originally added at runtime?
224092Sdougb	 * If not, we can't delete it now.
224092Sdougb	 */
224092Sdougb	if (!dns_zone_getadded(zone)) {
224092Sdougb		result = ISC_R_NOPERM;
224092Sdougb		goto cleanup;
224092Sdougb	}
224092Sdougb
254402Serwin	INSIST(zonename != NULL);
254402Serwin	znamelen = strlen(zonename);
224092Sdougb
224092Sdougb	/* Dig out configuration for this zone */
224092Sdougb	view = dns_zone_getview(zone);
224092Sdougb	filename = view->new_zone_file;
224092Sdougb	if (filename == NULL) {
224092Sdougb		/* No adding zones in this view */
224092Sdougb		result = ISC_R_FAILURE;
224092Sdougb		goto cleanup;
224092Sdougb	}
224092Sdougb
224092Sdougb	/* Rewrite zone list */
224092Sdougb	result = isc_stdio_open(filename, "r", &ifp);
224092Sdougb	if (ifp != NULL && result == ISC_R_SUCCESS) {
224092Sdougb		char *found = NULL, *p = NULL;
224092Sdougb		size_t n;
224092Sdougb
224092Sdougb		/* Create a temporary file */
224092Sdougb		CHECK(isc_string_printf(buf, 1023, "%s.%ld", filename,
224092Sdougb					(long)getpid()));
224092Sdougb		if (!(tmpname = isc_mem_strdup(server->mctx, buf))) {
224092Sdougb			result = ISC_R_NOMEMORY;
224092Sdougb			goto cleanup;
224092Sdougb		}
224092Sdougb		CHECK(isc_stdio_open(tmpname, "w", &ofp));
262706Serwin		CHECK(add_comment(ofp, view->name));
224092Sdougb
224092Sdougb		/* Look for the entry for that zone */
224092Sdougb		while (fgets(buf, 1024, ifp)) {
262706Serwin			/* Skip initial comment, if any */
262706Serwin			if (inheader && *buf == '#')
262706Serwin				continue;
262706Serwin			if (*buf != '#')
262706Serwin				inheader = ISC_FALSE;
262706Serwin
262706Serwin			/*
262706Serwin			 * Any other lines not starting with zone, copy
262706Serwin			 * them out and continue.
262706Serwin			 */
262706Serwin			if (strncasecmp(buf, "zone", 4) != 0) {
224092Sdougb				fputs(buf, ofp);
224092Sdougb				continue;
224092Sdougb			}
224092Sdougb			p = buf+4;
224092Sdougb
262706Serwin			/* This is a zone; find its name. */
224092Sdougb			while (*p &&
224092Sdougb			       ((*p == '"') || isspace((unsigned char)*p)))
224092Sdougb				p++;
224092Sdougb
262706Serwin			/*
262706Serwin			 * If it's not the zone we're looking for, copy
262706Serwin			 * it out and continue
262706Serwin			 */
262706Serwin			if (strncasecmp(p, zonename, znamelen) != 0) {
224092Sdougb				fputs(buf, ofp);
224092Sdougb				continue;
224092Sdougb			}
224092Sdougb
262706Serwin			/*
262706Serwin			 * But if it is the zone we want, skip over it
262706Serwin			 * so it will be omitted from the new file
262706Serwin			 */
224092Sdougb			p += znamelen;
224092Sdougb			if (isspace((unsigned char)*p) ||
224092Sdougb			    *p == '"' || *p == '{') {
224092Sdougb				/* This must be the entry */
224092Sdougb				found = p;
224092Sdougb				break;
224092Sdougb			}
224092Sdougb
262706Serwin			/* Copy the rest of the buffer out and continue */
224092Sdougb			fputs(buf, ofp);
224092Sdougb		}
224092Sdougb
224092Sdougb		/* Skip over an option block (matching # of braces) */
224092Sdougb		if (found) {
224092Sdougb			int obrace = 0, cbrace = 0;
224092Sdougb			for (;;) {
224092Sdougb				while (*p) {
224092Sdougb					if (*p == '{') obrace++;
224092Sdougb					if (*p == '}') cbrace++;
224092Sdougb					p++;
224092Sdougb				}
224092Sdougb				if (obrace && (obrace == cbrace))
224092Sdougb					break;
224092Sdougb				if (!fgets(buf, 1024, ifp))
224092Sdougb					break;
224092Sdougb				p = buf;
224092Sdougb			}
224092Sdougb
224092Sdougb			/* Just spool the remainder of the file out */
224092Sdougb			result = isc_stdio_read(buf, 1, 1024, ifp, &n);
224092Sdougb			while (n > 0U) {
224092Sdougb				if (result == ISC_R_EOF)
224092Sdougb					result = ISC_R_SUCCESS;
224092Sdougb				CHECK(result);
224092Sdougb				isc_stdio_write(buf, 1, n, ofp, NULL);
224092Sdougb				result = isc_stdio_read(buf, 1, 1024, ifp, &n);
224092Sdougb			}
224092Sdougb
224092Sdougb			/* Move temporary into place */
224092Sdougb			CHECK(isc_file_rename(tmpname, view->new_zone_file));
224092Sdougb		} else {
224092Sdougb			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
224092Sdougb				      "deleted zone %s was missing from "
224092Sdougb				      "new zone file", zonename);
224092Sdougb			goto cleanup;
224092Sdougb		}
224092Sdougb	}
224092Sdougb
224092Sdougb	/* Stop answering for this zone */
224092Sdougb	if (dns_zone_getdb(zone, &dbp) == ISC_R_SUCCESS) {
224092Sdougb		dns_db_detach(&dbp);
224092Sdougb		dns_zone_unload(zone);
224092Sdougb	}
224092Sdougb
224092Sdougb	CHECK(dns_zt_unmount(view->zonetable, zone));
224092Sdougb
224092Sdougb	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
224092Sdougb				  NS_LOGMODULE_SERVER, ISC_LOG_INFO,
224092Sdougb				  "zone %s removed via delzone", zonename);
224092Sdougb
224092Sdougb	result = ISC_R_SUCCESS;
224092Sdougb
224092Sdougb cleanup:
224092Sdougb	if (ifp != NULL)
224092Sdougb		isc_stdio_close(ifp);
224092Sdougb	if (ofp != NULL) {
224092Sdougb		isc_stdio_close(ofp);
224092Sdougb		isc_file_remove(tmpname);
224092Sdougb	}
224092Sdougb	if (tmpname != NULL)
224092Sdougb		isc_mem_free(server->mctx, tmpname);
224092Sdougb	if (zone != NULL)
224092Sdougb		dns_zone_detach(&zone);
224092Sdougb
224092Sdougb	return (result);
224092Sdougb}
224092Sdougb
224092Sdougbstatic void
225361Sdougbnewzone_cfgctx_destroy(void **cfgp) {
224092Sdougb	struct cfg_context *cfg;
224092Sdougb
224092Sdougb	REQUIRE(cfgp != NULL && *cfgp != NULL);
225361Sdougb
224092Sdougb	cfg = *cfgp;
224092Sdougb
225361Sdougb	if (cfg->actx != NULL)
225361Sdougb		cfg_aclconfctx_detach(&cfg->actx);
225361Sdougb
224092Sdougb	if (cfg->parser != NULL) {
224092Sdougb		if (cfg->config != NULL)
224092Sdougb			cfg_obj_destroy(cfg->parser, &cfg->config);
224092Sdougb		cfg_parser_destroy(&cfg->parser);
224092Sdougb	}
225361Sdougb	if (cfg->nzparser != NULL) {
225361Sdougb		if (cfg->nzconfig != NULL)
225361Sdougb			cfg_obj_destroy(cfg->nzparser, &cfg->nzconfig);
225361Sdougb		cfg_parser_destroy(&cfg->nzparser);
225361Sdougb	}
224092Sdougb
225361Sdougb	isc_mem_putanddetach(&cfg->mctx, cfg, sizeof(*cfg));
224092Sdougb	*cfgp = NULL;
224092Sdougb}
254897Serwin
254897Serwinisc_result_t
254897Serwinns_server_signing(ns_server_t *server, char *args, isc_buffer_t *text) {
254897Serwin	isc_result_t result = ISC_R_SUCCESS;
254897Serwin	dns_zone_t *zone = NULL;
254897Serwin	dns_name_t *origin;
254897Serwin	dns_db_t *db = NULL;
254897Serwin	dns_dbnode_t *node = NULL;
254897Serwin	dns_dbversion_t *version = NULL;
254897Serwin	dns_rdatatype_t privatetype;
254897Serwin	dns_rdataset_t privset;
254897Serwin	isc_boolean_t first = ISC_TRUE;
254897Serwin	isc_boolean_t list = ISC_FALSE, clear = ISC_FALSE;
254897Serwin	isc_boolean_t chain = ISC_FALSE;
254897Serwin	char keystr[DNS_SECALG_FORMATSIZE + 7];
254897Serwin	unsigned short hash = 0, flags = 0, iter = 0, saltlen = 0;
254897Serwin	unsigned char salt[255];
254897Serwin	const char *ptr;
254897Serwin	size_t n;
254897Serwin
254897Serwin	dns_rdataset_init(&privset);
254897Serwin
254897Serwin	/* Skip the command name. */
254897Serwin	ptr = next_token(&args, " \t");
254897Serwin	if (ptr == NULL)
254897Serwin		return (ISC_R_UNEXPECTEDEND);
254897Serwin
254897Serwin	/* Find out what we are to do. */
254897Serwin	ptr = next_token(&args, " \t");
254897Serwin	if (ptr == NULL)
254897Serwin		return (ISC_R_UNEXPECTEDEND);
254897Serwin
254897Serwin	if (strcasecmp(ptr, "-list") == 0)
254897Serwin		list = ISC_TRUE;
254897Serwin	else if ((strcasecmp(ptr, "-clear") == 0)  ||
254897Serwin		 (strcasecmp(ptr, "-clean") == 0)) {
254897Serwin		clear = ISC_TRUE;
254897Serwin		ptr = next_token(&args, " \t");
254897Serwin		if (ptr == NULL)
254897Serwin			return (ISC_R_UNEXPECTEDEND);
262706Serwin		memmove(keystr, ptr, sizeof(keystr));
262706Serwin	} else if (strcasecmp(ptr, "-nsec3param") == 0) {
254897Serwin		const char *hashstr, *flagstr, *iterstr;
254897Serwin		char nbuf[512];
254897Serwin
254897Serwin		chain = ISC_TRUE;
254897Serwin		hashstr = next_token(&args, " \t");
254897Serwin		if (hashstr == NULL)
254897Serwin			return (ISC_R_UNEXPECTEDEND);
254897Serwin
254897Serwin		if (strcasecmp(hashstr, "none") == 0)
254897Serwin			hash = 0;
254897Serwin		else {
254897Serwin			flagstr = next_token(&args, " \t");
254897Serwin			iterstr = next_token(&args, " \t");
254897Serwin			if (flagstr == NULL || iterstr == NULL)
254897Serwin				return (ISC_R_UNEXPECTEDEND);
254897Serwin
254897Serwin			n = snprintf(nbuf, sizeof(nbuf), "%s %s %s",
254897Serwin				     hashstr, flagstr, iterstr);
254897Serwin			if (n == sizeof(nbuf))
254897Serwin				return (ISC_R_NOSPACE);
254897Serwin			n = sscanf(nbuf, "%hu %hu %hu", &hash, &flags, &iter);
254897Serwin			if (n != 3U)
254897Serwin				return (ISC_R_BADNUMBER);
254897Serwin
254897Serwin			if (hash > 0xffU || flags > 0xffU)
254897Serwin				return (ISC_R_RANGE);
254897Serwin
254897Serwin			ptr = next_token(&args, " \t");
254897Serwin			if (ptr == NULL)
254897Serwin				return (ISC_R_UNEXPECTEDEND);
254897Serwin			if (strcmp(ptr, "-") != 0) {
254897Serwin				isc_buffer_t buf;
254897Serwin
254897Serwin				isc_buffer_init(&buf, salt, sizeof(salt));
254897Serwin				CHECK(isc_hex_decodestring(ptr, &buf));
254897Serwin				saltlen = isc_buffer_usedlength(&buf);
254897Serwin			}
254897Serwin		}
254897Serwin	} else
254897Serwin		CHECK(DNS_R_SYNTAX);
254897Serwin
262706Serwin	CHECK(zone_from_args(server, args, NULL, &zone, NULL,
262706Serwin			     text, ISC_FALSE));
254897Serwin	if (zone == NULL)
254897Serwin		CHECK(ISC_R_UNEXPECTEDEND);
254897Serwin
254897Serwin	if (clear) {
254897Serwin		CHECK(dns_zone_keydone(zone, keystr));
254897Serwin		isc_buffer_putstr(text, "request queued");
254897Serwin		isc_buffer_putuint8(text, 0);
254897Serwin	} else if (chain) {
254897Serwin		CHECK(dns_zone_setnsec3param(zone, (isc_uint8_t)hash,
254897Serwin					     (isc_uint8_t)flags, iter,
254897Serwin					     (isc_uint8_t)saltlen, salt,
254897Serwin					     ISC_TRUE));
254897Serwin		isc_buffer_putstr(text, "request queued");
254897Serwin		isc_buffer_putuint8(text, 0);
254897Serwin	} else if (list) {
254897Serwin		privatetype = dns_zone_getprivatetype(zone);
254897Serwin		origin = dns_zone_getorigin(zone);
254897Serwin		CHECK(dns_zone_getdb(zone, &db));
254897Serwin		CHECK(dns_db_findnode(db, origin, ISC_FALSE, &node));
254897Serwin		dns_db_currentversion(db, &version);
254897Serwin
254897Serwin		result = dns_db_findrdataset(db, node, version, privatetype,
254897Serwin					     dns_rdatatype_none, 0,
254897Serwin					     &privset, NULL);
254897Serwin		if (result == ISC_R_NOTFOUND) {
254897Serwin			isc_buffer_putstr(text, "No signing records found");
254897Serwin			isc_buffer_putuint8(text, 0);
254897Serwin			result = ISC_R_SUCCESS;
254897Serwin			goto cleanup;
254897Serwin		}
254897Serwin
254897Serwin		for (result = dns_rdataset_first(&privset);
254897Serwin		     result == ISC_R_SUCCESS;
254897Serwin		     result = dns_rdataset_next(&privset))
254897Serwin		{
254897Serwin			dns_rdata_t priv = DNS_RDATA_INIT;
254897Serwin			char output[BUFSIZ];
254897Serwin			isc_buffer_t buf;
254897Serwin
254897Serwin			dns_rdataset_current(&privset, &priv);
254897Serwin
254897Serwin			isc_buffer_init(&buf, output, sizeof(output));
254897Serwin			CHECK(dns_private_totext(&priv, &buf));
254897Serwin
254897Serwin			if (!first)
254897Serwin				isc_buffer_putstr(text, "\n");
254897Serwin			first = ISC_FALSE;
254897Serwin
254897Serwin			n = snprintf((char *)isc_buffer_used(text),
254897Serwin				     isc_buffer_availablelength(text),
254897Serwin				     "%s", output);
254897Serwin			if (n >= isc_buffer_availablelength(text))
254897Serwin				CHECK(ISC_R_NOSPACE);
254897Serwin
262706Serwin			isc_buffer_add(text, (unsigned int)n);
254897Serwin		}
262706Serwin		if (!first && isc_buffer_availablelength(text) > 0)
262706Serwin			isc_buffer_putuint8(text, 0);
254897Serwin
254897Serwin		if (result == ISC_R_NOMORE)
254897Serwin			result = ISC_R_SUCCESS;
254897Serwin	}
254897Serwin
254897Serwin cleanup:
254897Serwin	if (dns_rdataset_isassociated(&privset))
254897Serwin		dns_rdataset_disassociate(&privset);
254897Serwin	if (node != NULL)
254897Serwin		dns_db_detachnode(db, &node);
254897Serwin	if (version != NULL)
254897Serwin		dns_db_closeversion(db, &version, ISC_FALSE);
254897Serwin	if (db != NULL)
254897Serwin		dns_db_detach(&db);
254897Serwin	if (zone != NULL)
254897Serwin		dns_zone_detach(&zone);
254897Serwin
254897Serwin	return (result);
254897Serwin}
262706Serwin
262706Serwinstatic isc_result_t
262706Serwinputstr(isc_buffer_t *b, const char *str) {
262706Serwin	size_t l = strlen(str);
262706Serwin
262706Serwin	/*
262706Serwin	 * Use >= to leave space for NUL termination.
262706Serwin	 */
262706Serwin	if (l >= isc_buffer_availablelength(b))
262706Serwin		return (ISC_R_NOSPACE);
262706Serwin
262706Serwin	isc_buffer_putmem(b, (const unsigned char *)str, l);
262706Serwin	return (ISC_R_SUCCESS);
262706Serwin}