BIND 10 trac2066, updated. d1ee05cf0b7f6fe2b6cdc1b7b18ee6ca5aa258e2 [2066] Fix lettuce
BIND 10 source code commits
bind10-changes at lists.isc.org
Mon Aug 13 12:08:20 UTC 2012
The branch, trac2066 has been updated
via d1ee05cf0b7f6fe2b6cdc1b7b18ee6ca5aa258e2 (commit)
via 3483f241339bb3926b9a38b092f44579bd92469b (commit)
via f533afad3cbb047c6a5d4225720ff7b9dccafbc9 (commit)
from 1bcbd2eeafca5c1e1fbed6a5e8eed17487bbbedd (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit d1ee05cf0b7f6fe2b6cdc1b7b18ee6ca5aa258e2
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Mon Aug 13 14:05:54 2012 +0200
[2066] Fix lettuce
The fix that allowed resolver to have TSIG keys and other future checks
made the setting of action impossible. This will work once again when
we merge #2184, but for now, we need the fix.
commit 3483f241339bb3926b9a38b092f44579bd92469b
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Mon Aug 13 13:12:58 2012 +0200
[2066] ACL Docs: More tweaks by review
* Note that TSIG key is DNS specific.
* Language fix.
* Returned an example to the resolver.
commit f533afad3cbb047c6a5d4225720ff7b9dccafbc9
Author: Michal 'vorner' Vaner <michal.vaner at nic.cz>
Date: Mon Aug 13 13:08:02 2012 +0200
[2066] Add default values to ACL rules
It otherwise complained during config add somewhere/acl, that there's no
value. The defaults differ from module to module.
Also, some reindentation and removal of tabs is added.
-----------------------------------------------------------------------
Summary of changes:
doc/guide/bind10-guide.xml | 34 +++++++++++++++---
src/bin/ddns/ddns.spec | 9 ++---
src/bin/resolver/resolver.spec.pre.in | 48 +++++++++----------------
src/bin/xfrout/xfrout.spec.pre.in | 6 ++--
tests/lettuce/features/resolver_basic.feature | 4 +--
5 files changed, 57 insertions(+), 44 deletions(-)
-----------------------------------------------------------------------
diff --git a/doc/guide/bind10-guide.xml b/doc/guide/bind10-guide.xml
index 772bd82..dd63313 100644
--- a/doc/guide/bind10-guide.xml
+++ b/doc/guide/bind10-guide.xml
@@ -1352,8 +1352,10 @@ TODO
RULE := { "action": "ACCEPT"|"REJECT"|"DROP", MATCH, MATCH, ... }
RULE_RAW := { MATCH, MATCH, ... }
MATCH := FROM_MATCH|KEY_MATCH|NOT_MATCH|OR_MATCH|AND_MATCH|...
-FROM_MATCH := "from": "<ip range>
-KEY_MATCH := "key": "<key name>
+FROM_MATCH := "from": [RANGE, RANGE, RANGE, ...] | RANGE
+RANGE := "<ip range>
+KEY_MATCH := "key": [KEY, KEY, KEY, ...] | KEY
+KEY := "<key name>
NOT_MATCH := "NOT": RULE_RAW
OR_MATCH := "ANY": [ RULE_RAW, RULE_RAW, ... ]
AND_MATCH := "ALL": [ RULE_RAW, RULE_RAW, ... ]
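Review bot: The new list forms of FROM_MATCH and KEY_MATCH do not say how a list is evaluated: the grammar should state whether "from": [RANGE, RANGE, ...] matches when any one range matches or only when all do, since that decides which clients a rule covers. A one-line sentence under the grammar would settle it. Also, the RANGE and KEY lines as shown open a quoted string ("<ip range>, "<key name>) that is never closed; if that is in the XML source and not a rendering artifact, add the closing quote.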
@@ -1373,8 +1375,9 @@ AND_MATCH := "ALL": [ RULE_RAW, RULE_RAW, ... ]
<para>
The other is TSIG key by which the message was signed. The ACL
contains only the name (under the name "key"), the key itself
- must be stored in the global keyring. <!-- TODO: Section for
- the keyring and link to it.-->
+ must be stored in the global keyring. This property is applicable only
+ to the DNS context. <!-- TODO: Section for the keyring and link to
+ it.-->
</para>
<para>
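Review bot: The added sentence "This property is applicable only to the DNS context" does not say what happens when a "key" match appears in an ACL outside that context. Say whether such a rule is refused when the configuration is loaded or simply never matches, because an operator relying on it needs to know which way it fails.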
@@ -2101,7 +2104,7 @@ http://bind10.isc.org/wiki/ScalableZoneLoadDesign#a7.2UpdatingaZone
Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)</screen>
<para>
- You can configure it the same as any ACL
+ You can configure it in the same way as any ACL
(<xref linkend="common-acl" />).
</para>
@@ -2483,6 +2486,27 @@ what is XfroutClient xfr_client??
See <xref linkend="common-acl" />.
</para>
+ <para>
+ To allow queries on the "192.168.1.1" interface, these commands could be
+ issued. Note that we don't set the value of the third rule -- in the case
+ of resolver, rejecting all queries is the default value of new rule. And
+ that last final rule is not needed too, as the default, when a query falls
+ off the list, is rejection.
+ <screen>
+> <userinput>config show Resolver/query_acl</userinput>
+Resolver/query_acl[0] {"action": "ACCEPT", "from": "127.0.0.1"} any (default)
+Resolver/query_acl[1] {"action": "ACCEPT", "from": "::1"} any (default)
+> <userinput>config add Resolver/query_acl</userinput>
+> <userinput>config set Resolver/query_acl[2] {"action": "ACCEPT", "from": "192.168.1.1/24"}</userinput>
+> <userinput>config add Resolver/query_acl</userinput>
+> <userinput>config show Resolver/query_acl</userinput>
+Resolver/query_acl[0] {"action": "ACCEPT", "from": "127.0.0.1"} any (modified)
+Resolver/query_acl[1] {"action": "ACCEPT", "from": "::1"} any (modified)
+Resolver/query_acl[2] {"action": "ACCEPT", "from": "192.168.1.1/24"} any (modified)
+Resolver/query_acl[3] {"action": "REJECT"} any (modified)
+> <userinput>config commit</userinput></screen>
+ </para>
+
</section>
<section>
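Review bot: The lead-in of the new paragraph says the commands allow queries on the "192.168.1.1" interface, but the rule set at query_acl[2] is {"action": "ACCEPT", "from": "192.168.1.1/24"}, which matches on where the query comes from and covers the whole /24, not a listening interface. Reword it to say queries from that network are accepted, and write the range with its network address (192.168.1.0/24) so readers do not copy a host address with a prefix length. The text also calls the rule left unset "the third rule", while the listing shows it as query_acl[3], the fourth entry; and since the paragraph itself says that trailing REJECT is not needed, consider dropping the second "config add" from the example so readers do not learn to append catch-all rules by habit.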
diff --git a/src/bin/ddns/ddns.spec b/src/bin/ddns/ddns.spec
index 70611e6..3061cdc 100644
--- a/src/bin/ddns/ddns.spec
+++ b/src/bin/ddns/ddns.spec
@@ -12,8 +12,8 @@
"item_type": "map",
"item_optional": true,
"item_default": {
- "origin": "",
- "class": "IN",
+ "origin": "",
+ "class": "IN",
"update_acl": []
},
"map_item_spec": [
@@ -33,11 +33,12 @@
"item_name": "update_acl",
"item_type": "list",
"item_optional": false,
- "item_default": [],
+ "item_default": [],
"list_item_spec": {
"item_name": "acl_element",
"item_type": "any",
- "item_optional": true
+ "item_optional": true,
+ "item_default": {"action": "REJECT"}
}
}
]
diff --git a/src/bin/resolver/resolver.spec.pre.in b/src/bin/resolver/resolver.spec.pre.in
index d6bb226..138f4e3 100644
--- a/src/bin/resolver/resolver.spec.pre.in
+++ b/src/bin/resolver/resolver.spec.pre.in
@@ -116,37 +116,23 @@
},
{
"item_name": "query_acl",
- "item_type": "list",
- "item_optional": false,
- "item_default": [
- {
- "action": "ACCEPT",
- "from": "127.0.0.1"
- },
- {
- "action": "ACCEPT",
- "from": "::1"
- }
- ],
- "list_item_spec": {
- "item_name": "rule",
- "item_type": "map",
- "item_optional": false,
- "item_default": {},
- "map_item_spec": [
- {
- "item_name": "action",
- "item_type": "string",
- "item_optional": false,
- "item_default": ""
- },
- {
- "item_name": "from",
- "item_type": "string",
- "item_optional": false,
- "item_default": ""
- }
- ]
+ "item_type": "list",
+ "item_optional": false,
+ "item_default": [
+ {
+ "action": "ACCEPT",
+ "from": "127.0.0.1"
+ },
+ {
+ "action": "ACCEPT",
+ "from": "::1"
+ }
+ ],
+ "list_item_spec": {
+ "item_name": "rule",
+ "item_type": "any",
+ "item_optional": false,
+ "item_default": {"action": "REJECT"}
}
}
],
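Review bot: Changing list_item_spec for query_acl from "item_type": "map" with typed "action" and "from" items to "item_type": "any" removes the per-field checking the spec used to give, so a rule with a misspelled action or a non-string "from" now passes the spec and is caught, if at all, only by the ACL loader. Please confirm the resolver rejects such a rule at commit time instead of loading a partial ACL, and add a test for it. This change is also what stops Resolver/query_acl[0]/action from being addressable, as the lettuce commit notes, so a sentence in the guide that rules must be set as whole elements would help.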
diff --git a/src/bin/xfrout/xfrout.spec.pre.in b/src/bin/xfrout/xfrout.spec.pre.in
index dfcc6d9..6b113b0 100644
--- a/src/bin/xfrout/xfrout.spec.pre.in
+++ b/src/bin/xfrout/xfrout.spec.pre.in
@@ -17,7 +17,8 @@
{
"item_name": "acl_element",
"item_type": "any",
- "item_optional": true
+ "item_optional": true,
+ "item_default": {"action": "ACCEPT"}
}
},
{
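Review bot: The default added here, "item_default": {"action": "ACCEPT"}, means a bare "config add" on this ACL followed by "config commit" creates a rule with no match condition that accepts everything reaching it, whereas ddns.spec and resolver.spec.pre.in in the same series default to {"action": "REJECT"}. Unless there is a compatibility reason, use REJECT here as well so a half-finished edit fails closed; if ACCEPT is intended, record the reason in the spec or the guide. The same line is added in the next hunk of this file.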
@@ -80,7 +81,8 @@
{
"item_name": "acl_element",
"item_type": "any",
- "item_optional": true
+ "item_optional": true,
+ "item_default": {"action": "ACCEPT"}
}
}
]
diff --git a/tests/lettuce/features/resolver_basic.feature b/tests/lettuce/features/resolver_basic.feature
index 4092101..47fc123 100644
--- a/tests/lettuce/features/resolver_basic.feature
+++ b/tests/lettuce/features/resolver_basic.feature
@@ -27,10 +27,10 @@ Feature: Basic Resolver
A query for l.root-servers.net. should have rcode REFUSED
# Test whether acl ACCEPT works
- When I set bind10 configuration Resolver/query_acl[0]/action to ACCEPT
+ When I set bind10 configuration Resolver/query_acl[0] to {"action": "ACCEPT", "from": "127.0.0.1"}
# This address is currently hardcoded, so shouldn't cause outside traffic
A query for l.root-servers.net. should have rcode NOERROR
# Check whether setting the ACL to reject again works
- When I set bind10 configuration Resolver/query_acl[0]/action to REJECT
+ When I set bind10 configuration Resolver/query_acl[0] to {"action": "REJECT", "from": "127.0.0.1"}
A query for l.root-servers.net. should have rcode REFUSED
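Review bot: The REJECT step now sets query_acl[0] to {"action": "REJECT", "from": "127.0.0.1"}, so it only proves rejection for queries arriving from 127.0.0.1; the default query_acl[1] shown in the guide still accepts ::1. Add a comment that the test depends on the query being sent over IPv4 loopback, or set a rule without "from" for the reject case. There is also no scenario here exercising the list form of "from" that the guide grammar in this series introduces.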