isc-projects
diff --git a/‎.gitlab-ci.yml
Lines changed: 1 addition & 0 deletions b/‎.gitlab-ci.yml
Lines changed: 1 addition & 0 deletions
diff --git a/‎CHANGES
Lines changed: 4 additions & 0 deletions b/‎CHANGES
Lines changed: 4 additions & 0 deletions
diff --git a/‎bin/named/config.c
Lines changed: 3 additions & 0 deletions b/‎bin/named/config.c
Lines changed: 3 additions & 0 deletions
diff --git a/‎bin/named/include/named/server.h
Lines changed: 7 additions & 8 deletions b/‎bin/named/include/named/server.h
Lines changed: 7 additions & 8 deletions
diff --git a/‎bin/named/server.c
Lines changed: 36 additions & 11 deletions b/‎bin/named/server.c
Lines changed: 36 additions & 11 deletions
diff --git a/‎bin/tests/system/Makefile.am
Lines changed: 12 additions & 4 deletions b/‎bin/tests/system/Makefile.am
Lines changed: 12 additions & 4 deletions
diff --git a/‎bin/tests/system/ckdnsrps.sh
Lines changed: 7 additions & 91 deletions b/‎bin/tests/system/ckdnsrps.sh
Lines changed: 7 additions & 91 deletions
diff --git a/‎bin/tests/system/rpz/.gitignore
Lines changed: 0 additions & 1 deletion b/‎bin/tests/system/rpz/.gitignore
Lines changed: 0 additions & 1 deletion
diff --git a/‎bin/tests/system/rpz/clean.sh
Lines changed: 2 additions & 3 deletions b/‎bin/tests/system/rpz/clean.sh
Lines changed: 2 additions & 3 deletions
@@ -226,6 +226,7 @@ stages:
       --enable-developer
       --enable-option-checking=fatal
       --enable-dnstap
+      --enable-dnsrps
       --with-cmocka
       --with-libxml2
       --with-json-c
 
@@ -1,3 +1,7 @@
+6131.	[test]		Add a minimal test-only library to allow testing
+			of the DNSRPS API without FastRPZ installed.
+			Thanks to Farsight Securty. [GL !7693]
+
 6130.	[func]		The new "delv +ns" option activates name server mode,
 			in which delv sets up an internal recursive
 			resolver and uses that, rather than an external
 
@@ -149,6 +149,9 @@ options {\n\
 	clients-per-query 10;\n\
 	dnssec-accept-expired no;\n\
 	dnssec-validation " VALIDATION_DEFAULT "; \n"
+#ifdef USE_DNSRPS
+			    "	dnsrps-library \"" DNSRPS_LIBRPZ_PATH "\";\n"
+#endif /* ifdef USE_DNSRPS */
 #ifdef HAVE_DNSTAP
 			    "	dnstap-identity hostname;\n"
 #endif /* ifdef HAVE_DNSTAP */
 
@@ -50,16 +50,15 @@ struct named_server {
 	char *statsfile;    /*%< Statistics file name */
 	char *dumpfile;	    /*%< Dump file name */
 	char *secrootsfile; /*%< Secroots file name */
-	char *bindkeysfile; /*%< bind.keys file name
-			     * */
+	char *bindkeysfile; /*%< bind.keys file name */
 	char *recfile;	    /*%< Recursive file name */
-	bool  version_set;  /*%< User has set version
-			     * */
+	bool  version_set;  /*%< User has set version */
 	char *version;	    /*%< User-specified version */
-	bool  hostname_set; /*%< User has set hostname
-			     * */
-	char *hostname;	    /*%< User-specified hostname
-			     * */
+	bool  hostname_set; /*%< User has set hostname */
+	char *hostname;	    /*%< User-specified hostname */
+#ifdef USE_DNSRPS
+	char *dnsrpslib;
+#endif /* ifdef USE_DNSRPS */
 
 	/* Server data structures. */
 	dns_loadmgr_t	  *loadmgr;
 
@@ -2025,7 +2025,7 @@ conf_dnsrps_sadd(conf_dnsrps_ctx_t *ctx, const char *p, ...) {
 }
 
 /*
- * Get an DNSRPS configuration value using the global and view options
+ * Get a DNSRPS configuration value using the global and view options
  * for the default.  Return false upon failure.
  */
 static bool
@@ -9079,6 +9079,35 @@ load_configuration(const char *filename, named_server_t *server,
 	server->kasplist = kasplist;
 	kasplist = tmpkasplist;
 
+#ifdef USE_DNSRPS
+	/*
+	 * Find the path to the DNSRPS implementation library.
+	 */
+	obj = NULL;
+	if (named_config_get(maps, "dnsrps-library", &obj) == ISC_R_SUCCESS) {
+		if (server->dnsrpslib != NULL) {
+			dns_dnsrps_server_destroy();
+			isc_mem_free(server->mctx, server->dnsrpslib);
+			server->dnsrpslib = NULL;
+		}
+		setstring(server, &server->dnsrpslib, cfg_obj_asstring(obj));
+		result = dns_dnsrps_server_create(server->dnsrpslib);
+		isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+			      NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+			      "initializing DNSRPS RPZ provider '%s': %s",
+			      server->dnsrpslib, isc_result_totext(result));
+		/*
+		 * It's okay if librpz isn't available. We'll complain
+		 * later if it turns out to be needed for a view with
+		 * "dnsrps-enable yes".
+		 */
+		if (result == ISC_R_FILENOTFOUND) {
+			result = ISC_R_SUCCESS;
+		}
+		CHECKFATAL(result, "initializing RPZ service interface");
+	}
+#endif /* ifdef USE_DNSRPS */
+
 	/*
 	 * Configure the views.
 	 */
@@ -10135,18 +10164,13 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
 		.recfile = isc_mem_strdup(mctx, "named.recursing"),
 	};
 
-#ifdef USE_DNSRPS
-	CHECKFATAL(dns_dnsrps_server_create(), "initializing RPZ service "
-					       "interface");
-#endif /* ifdef USE_DNSRPS */
-
 	/* Initialize server data structures. */
 	ISC_LIST_INIT(server->kasplist);
 	ISC_LIST_INIT(server->viewlist);
 
 	/* Must be first. */
-	CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), "initializing "
-							       "DST");
+	CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine),
+		   "initializing DST");
 
 	CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
 				     &server->in_roothints),
@@ -10218,6 +10242,7 @@ named_server_destroy(named_server_t **serverp) {
 
 #ifdef USE_DNSRPS
 	dns_dnsrps_server_destroy();
+	isc_mem_free(server->mctx, server->dnsrpslib);
 #endif /* ifdef USE_DNSRPS */
 
 	named_controls_destroy(&server->controls);
@@ -15826,7 +15851,7 @@ named_server_mkeys(named_server_t *server, isc_lex_t *lex,
 	dns_view_t *view = NULL;
 	dns_rdataclass_t rdclass;
 	char msg[DNS_NAME_FORMATSIZE + 500] = "";
-	enum { NONE, STATUS, REFRESH, SYNC, DESTROY } opt = NONE;
+	enum { NONE, STAT, REFRESH, SYNC, DESTROY } opt = NONE;
 	bool found = false;
 	bool first = true;
 
@@ -15845,7 +15870,7 @@ named_server_mkeys(named_server_t *server, isc_lex_t *lex,
 	}
 
 	if (strcasecmp(cmd, "status") == 0) {
-		opt = STATUS;
+		opt = STAT;
 	} else if (strcasecmp(cmd, "refresh") == 0) {
 		opt = REFRESH;
 	} else if (strcasecmp(cmd, "sync") == 0) {
@@ -15904,7 +15929,7 @@ named_server_mkeys(named_server_t *server, isc_lex_t *lex,
 			}
 			CHECK(mkey_refresh(view, text));
 			break;
-		case STATUS:
+		case STAT:
 			if (!first) {
 				CHECK(putstr(text, "\n\n"));
 			}
 
@@ -11,11 +11,17 @@ dist-hook:
 
 SUBDIRS = dyndb/driver dlzexternal/driver hooks/driver
 
+if DNSRPS
+SUBDIRS += rpz/testlib
+endif
+
 AM_CPPFLAGS +=			\
-	$(LIBISC_CFLAGS)
+	$(LIBISC_CFLAGS) 	\
+	$(LIBDNS_CFLAGS)
 
 LDADD +=			\
-	$(LIBISC_LIBS)
+	$(LIBISC_LIBS)		\
+	$(LIBDNS_LIBS)
 
 if HAVE_PERL
 
@@ -48,11 +54,13 @@ pipelined_pipequeries_LDADD =	\
 
 rpz_dnsrps_CPPFLAGS =		\
 	$(AM_CPPFLAGS)		\
-	$(LIBDNS_CFLAGS)
+	$(LIBDNS_CFLAGS)	\
+	-DLIBRPZ_LIB_OPEN=\"$(abs_builddir)/rpz/testlib/.libs/libdummyrpz.so\"
 
 rpz_dnsrps_LDADD =		\
 	$(LDADD)		\
-	$(LIBDNS_LIBS)
+	$(LIBDNS_LIBS)		\
+	-ldl
 
 TESTS =
 
 
@@ -14,9 +14,9 @@
 set -e
 
 # Say on stdout whether to test DNSRPS
-#	and create dnsrps.conf and dnsrps-secondary.conf
-# Note that dnsrps.conf and dnsrps-secondary.conf are included in named.conf
-#	and differ from dnsrpz.conf which is used by dnsrpzd.
+#	and creates dnsrps.conf
+# Note that dnsrps.conf is included in named.conf
+#	and differs from dnsrpz.conf which is used by dnsrpzd.
 
 
 . ../conf.sh
@@ -26,15 +26,13 @@ DNSRPS_CMD=../rpz/dnsrps
 AS_NS=
 TEST_DNSRPS=
 MCONF=dnsrps.conf
-SCONF=dnsrps-secondary.conf
-USAGE="$0: [-xAD] [-M dnsrps.conf] [-S dnsrps-secondary.conf]"
+USAGE="$0: [-xAD] [-M dnsrps.conf]"
 while getopts "xADM:S:" c; do
     case $c in
 	x) set -x; DEBUG=-x;;
 	A) AS_NS=yes;;
 	D) TEST_DNSRPS=yes;;
 	M) MCONF="$OPTARG";;
-	S) SCONF="$OPTARG";;
 	*) echo "$USAGE" 1>&2; exit 1;;
     esac
 done
@@ -46,11 +44,9 @@ fi
 
 # erase any existing conf files
 cat /dev/null > $MCONF
-cat /dev/null > $SCONF
 
 add_conf () {
     echo "$*" >>$MCONF
-    echo "$*" >>$SCONF
 }
 
 if ! $FEATURETEST --enable-dnsrps; then
@@ -82,86 +78,6 @@ else
     exit 0
 fi
 
-CMN="	dnsrps-options { dnsrpzd-conf ../dnsrpzd.conf
-			 dnsrpzd-sock ../dnsrpzd.sock
-			 dnsrpzd-rpzf ../dnsrpzd.rpzf
-			 dnsrpzd-args '-dddd -L stdout'
-			 log-level 3"
-
-PRIMARY="$CMN"
-if [ -n "$AS_NS" ]; then
-    PRIMARY="$PRIMARY
-			qname-as-ns yes
-			ip-as-ns yes"
-fi
-
-# write dnsrps settings for primary resolver
-cat <<EOF >>$MCONF
-$PRIMARY };
-EOF
-
-# write dnsrps settings for resolvers that should not start dnsrpzd
-cat <<EOF >>$SCONF
-$CMN
-			dnsrpzd '' };	# do not start dnsrpzd
-EOF
-
-
-# DNSRPS is available.
-# The test should fail if the license is bad.
-add_conf "dnsrps-enable yes;"
-
-# Use alt-dnsrpzd-license.conf if it exists
-CUR_L=dnsrpzd-license-cur.conf
-ALT_L=alt-dnsrpzd-license.conf
-# try ../rpz/alt-dnsrpzd-license.conf if alt-dnsrpzd-license.conf does not exist
-[ -s $ALT_L ] || ALT_L=../rpz/alt-dnsrpzd-license.conf
-if [ -s $ALT_L ]; then
-    SRC_L=$ALT_L
-    USE_ALT=
-else
-    SRC_L=../rpz/dnsrpzd-license.conf
-    USE_ALT="## consider installing alt-dnsrpzd-license.conf"
-fi
-cp $SRC_L $CUR_L
-
-# parse $CUR_L for the license zone name, primary IP addresses, and optional
-#   transfer-source IP addresses
-eval `sed -n -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'\
-    -e 's/.*zone *\([-a-z0-9]*.license.fastrpz.com\).*/NAME=\1/p'	\
-    -e 's/.*farsight_fastrpz_license *\([0-9.]*\);.*/IPV4=\1/p'		\
-    -e 's/.*farsight_fastrpz_license *\([0-9a-f:]*\);.*/IPV6=\1/p'	\
-    -e 's/.*transfer-source *\([0-9.]*\);.*/TS4=-b\1/p'			\
-    -e 's/.*transfer-source *\([0-9a-f:]*\);.*/TS6=-b\1/p'		\
-    -e 's/.*transfer-source-v6 *\([0-9a-f:]*\);.*/TS6=-b\1/p'		\
-	$CUR_L`
-if [ -z "$NAME" ]; then
-    add_conf "## no DNSRPS tests; no license domain name in $SRC_L"
-    add_conf '#fail'
-    exit 0
-fi
-if [ -z "$IPV4" ]; then
-    IPV4=license1.fastrpz.com
-    TS4=
-fi
-if [ -z "$IPV6" ]; then
-    IPV6=license1.fastrpz.com
-    TS6=
-fi
-
-# This TSIG key is common and NOT a secret
-KEY='hmac-sha256:farsight_fastrpz_license:f405d02b4c8af54855fcebc1'
-
-# Try IPv4 and then IPv6 to deal with IPv6 tunnel and connectivity problems
-if `$DIG -4 -t axfr -y$KEY $TS4 $NAME @$IPV4				\
-	    | grep -i "^$NAME.*TXT" >/dev/null`; then
-    exit 0
-fi
-if `$DIG -6 -t axfr -y$KEY $TS6 $NAME @$IPV6				\
-	    | grep -i "^$NAME.*TXT" >/dev/null`; then
-    exit 0
-fi
-
-add_conf "## DNSRPS lacks a valid license via $SRC_L"
-[ -z "$USE_ALT" ] || add_conf "$USE_ALT"
-add_conf '#fail'
+add_conf 'dnsrps-options { log-level 3 };'
+add_conf 'dnsrps-enable yes;'
+add_conf 'dnsrps-library "../../rpz/testlib/.libs/libdummyrpz.so";'
@@ -1,2 +1 @@
-alt-dnsrpzd-license.conf
 dnsrps
@@ -40,6 +40,7 @@ rm -f ns5/example.db ns5/bl.db ns5/fast-expire.db ns5/expire.conf
 rm -f ns8/manual-update-rpz.db
 rm -f */policy2.db
 rm -f */*.jnl
+rm -f dnsrps.cache dnsrps.conf
 
 if [ ${PARTIAL:-unset} = unset ]; then
     rm -f proto.* dsset-* trusted.conf dig.out* nsupdate.tmp ns*/*tmp
@@ -49,9 +50,7 @@ if [ ${PARTIAL:-unset} = unset ]; then
     rm -f ns*/named.lock
     rm -f ns*/named.conf
     rm -f ns*/*switch
-    rm -f dnsrps*.conf
-    rm -f dnsrpzd.conf
-    rm -f dnsrpzd-license-cur.conf dnsrpzd.rpzf dnsrpzd.sock dnsrpzd.pid
+    rm -f dnsrps.zones
     rm -f ns*/managed-keys.bind*
     rm -f tmp
 fi