[bind/f18] update to 9.9.3
Tomas Hozza
thozza at fedoraproject.org
Mon Jun 3 13:04:15 UTC 2013
commit 5ea98b6fab680559ece227fb723d2a075433f1c3
Author: Tomas Hozza <thozza at redhat.com>
Date: Mon Jun 3 13:14:03 2013 +0200
update to 9.9.3
- update RRL patch to the latest version 9.9.3-rl.150.20
- drop/modify some patches to fit latest version
Signed-off-by: Tomas Hozza <thozza at redhat.com>
.gitignore | 1 +
bind-9.5-sdb.patch | 72 +-
bind-9.9.1-P2-multlib-conflict.patch | 55 +-
bind-96-libtool2.patch | 13 -
bind.spec | 32 +-
bind97-exportlib.patch | 87 +--
bind99-opts.patch | 12 -
rl-9.9.2-P1.patch => rl-9.9.3.patch | 1318 ++++++++++++++++++----------------
sources | 2 +-
9 files changed, 804 insertions(+), 788 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 45af030..a52e312 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@ bind-9.7.2b1.tar.gz
/bind-9.9.2-P1.tar.gz
/config-9.tar.bz2
/bind-9.9.2-P2.tar.gz
+/bind-9.9.3.tar.gz
diff --git a/bind-9.5-sdb.patch b/bind-9.5-sdb.patch
index 4bbf2a8..270ec9e 100644
--- a/bind-9.5-sdb.patch
+++ b/bind-9.5-sdb.patch
@@ -1,21 +1,21 @@
-diff -up bind-9.9.2/bin/Makefile.in.sdb bind-9.9.2/bin/Makefile.in
---- bind-9.9.2/bin/Makefile.in.sdb 2012-09-27 02:35:19.000000000 +0200
-+++ bind-9.9.2/bin/Makefile.in 2012-10-11 13:23:43.933988077 +0200
+diff -up bind-9.9.3rc1/bin/Makefile.in.sdb bind-9.9.3rc1/bin/Makefile.in
+--- bind-9.9.3rc1/bin/Makefile.in.sdb 2013-04-05 00:21:21.000000000 +0200
++++ bind-9.9.3rc1/bin/Makefile.in 2013-04-16 15:21:22.286944331 +0200
@@ -19,8 +19,8 @@ srcdir = @srcdir@
VPATH = @srcdir@
top_srcdir = @top_srcdir@
--SUBDIRS = named rndc dig dnssec tests tools nsupdate \
+-SUBDIRS = named rndc dig dnssec tools tests nsupdate \
- check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
-+SUBDIRS = named named-sdb rndc dig dnssec tests tools nsupdate \
++SUBDIRS = named named-sdb rndc dig dnssec tools tests nsupdate \
+ check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@ sdb_tools
TARGETS =
@BIND9_MAKE_RULES@
-diff -up bind-9.9.2/bin/named/Makefile.in.sdb bind-9.9.2/bin/named/Makefile.in
---- bind-9.9.2/bin/named/Makefile.in.sdb 2012-10-11 13:21:35.877105690 +0200
-+++ bind-9.9.2/bin/named/Makefile.in 2012-10-11 13:21:36.099105521 +0200
-@@ -45,7 +45,7 @@ CINCLUDES = -I${srcdir}/include -I${srcd
+diff -up bind-9.9.3rc1/bin/named/Makefile.in.sdb bind-9.9.3rc1/bin/named/Makefile.in
+--- bind-9.9.3rc1/bin/named/Makefile.in.sdb 2013-04-16 15:21:22.102944727 +0200
++++ bind-9.9.3rc1/bin/named/Makefile.in 2013-04-16 15:21:22.286944331 +0200
+@@ -49,7 +49,7 @@ CINCLUDES = -I${srcdir}/include -I${srcd
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
@@ -24,7 +24,7 @@ diff -up bind-9.9.2/bin/named/Makefile.in.sdb bind-9.9.2/bin/named/Makefile.in
CWARNINGS =
-@@ -69,11 +69,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS}
+@@ -73,11 +73,11 @@ DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS}
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} \
@@ -38,7 +38,7 @@ diff -up bind-9.9.2/bin/named/Makefile.in.sdb bind-9.9.2/bin/named/Makefile.in
SUBDIRS = unix
-@@ -86,8 +86,7 @@ OBJS = builtin. at O@ client. at O@ config. at O
+@@ -90,8 +90,7 @@ OBJS = builtin. at O@ client. at O@ config. at O
tkeyconf. at O@ tsigconf. at O@ update. at O@ xfrout. at O@ \
zoneconf. at O@ \
lwaddr. at O@ lwresd. at O@ lwdclient. at O@ lwderror. at O@ lwdgabn. at O@ \
@@ -48,7 +48,7 @@ diff -up bind-9.9.2/bin/named/Makefile.in.sdb bind-9.9.2/bin/named/Makefile.in
UOBJS = unix/os. at O@ unix/dlz_dlopen_driver. at O@
-@@ -100,8 +99,7 @@ SRCS = builtin.c client.c config.c cont
+@@ -104,8 +103,7 @@ SRCS = builtin.c client.c config.c cont
tkeyconf.c tsigconf.c update.c xfrout.c \
zoneconf.c \
lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@@ -58,15 +58,17 @@ diff -up bind-9.9.2/bin/named/Makefile.in.sdb bind-9.9.2/bin/named/Makefile.in
MANPAGES = named.8 lwresd.8 named.conf.5
-@@ -169,5 +167,3 @@ install:: named at EXEEXT@ lwresd at EXEEXT@ i
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
+@@ -180,7 +178,5 @@ install:: named at EXEEXT@ lwresd at EXEEXT@ i
${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
--
+
- at DLZ_DRIVER_RULES@
-diff -up bind-9.9.2/bin/named-sdb/main.c.sdb bind-9.9.2/bin/named-sdb/main.c
---- bind-9.9.2/bin/named-sdb/main.c.sdb 2012-10-11 13:21:36.052105556 +0200
-+++ bind-9.9.2/bin/named-sdb/main.c 2012-10-11 13:21:36.099105521 +0200
+-
+ named-symtbl. at O@: named-symtbl.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c named-symtbl.c
+diff -up bind-9.9.3rc1/bin/named-sdb/main.c.sdb bind-9.9.3rc1/bin/named-sdb/main.c
+--- bind-9.9.3rc1/bin/named-sdb/main.c.sdb 2013-04-16 15:21:22.249944411 +0200
++++ bind-9.9.3rc1/bin/named-sdb/main.c 2013-04-16 15:21:22.287944329 +0200
@@ -83,6 +83,9 @@
* Include header files for database drivers here.
*/
@@ -77,7 +79,7 @@ diff -up bind-9.9.2/bin/named-sdb/main.c.sdb bind-9.9.2/bin/named-sdb/main.c
#ifdef CONTRIB_DLZ
/*
-@@ -802,6 +805,10 @@ setup(void) {
+@@ -808,6 +811,10 @@ setup(void) {
ns_main_earlyfatal("isc_app_start() failed: %s",
isc_result_totext(result));
@@ -86,9 +88,9 @@ diff -up bind-9.9.2/bin/named-sdb/main.c.sdb bind-9.9.2/bin/named-sdb/main.c
+ dirdb_clear();
+
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
- ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version,
- saved_command_line);
-@@ -914,6 +921,57 @@ setup(void) {
+ ISC_LOG_NOTICE, "starting %s %s%s", ns_g_product,
+ ns_g_version, saved_command_line);
+@@ -920,6 +927,57 @@ setup(void) {
isc_result_totext(result));
#endif
@@ -146,7 +148,7 @@ diff -up bind-9.9.2/bin/named-sdb/main.c.sdb bind-9.9.2/bin/named-sdb/main.c
ns_server_create(ns_g_mctx, &ns_g_server);
}
-@@ -945,6 +1003,10 @@ cleanup(void) {
+@@ -951,6 +1009,10 @@ cleanup(void) {
dns_name_destroy();
@@ -157,10 +159,10 @@ diff -up bind-9.9.2/bin/named-sdb/main.c.sdb bind-9.9.2/bin/named-sdb/main.c
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
ISC_LOG_NOTICE, "exiting");
ns_log_shutdown();
-diff -up bind-9.9.2/bin/named-sdb/Makefile.in.sdb bind-9.9.2/bin/named-sdb/Makefile.in
---- bind-9.9.2/bin/named-sdb/Makefile.in.sdb 2012-10-11 13:21:36.045105563 +0200
-+++ bind-9.9.2/bin/named-sdb/Makefile.in 2012-10-11 13:21:36.100105520 +0200
-@@ -28,10 +28,10 @@ top_srcdir = @top_srcdir@
+diff -up bind-9.9.3rc1/bin/named-sdb/Makefile.in.sdb bind-9.9.3rc1/bin/named-sdb/Makefile.in
+--- bind-9.9.3rc1/bin/named-sdb/Makefile.in.sdb 2013-04-16 15:21:22.243944424 +0200
++++ bind-9.9.3rc1/bin/named-sdb/Makefile.in 2013-04-16 15:21:22.287944329 +0200
+@@ -32,10 +32,10 @@ top_srcdir = @top_srcdir@
#
# Add database drivers here.
#
@@ -174,7 +176,7 @@ diff -up bind-9.9.2/bin/named-sdb/Makefile.in.sdb bind-9.9.2/bin/named-sdb/Makef
DLZ_DRIVER_DIR = ${top_srcdir}/contrib/dlz/drivers
-@@ -77,7 +77,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BI
+@@ -81,7 +81,7 @@ NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BI
SUBDIRS = unix
@@ -183,7 +185,7 @@ diff -up bind-9.9.2/bin/named-sdb/Makefile.in.sdb bind-9.9.2/bin/named-sdb/Makef
OBJS = builtin. at O@ client. at O@ config. at O@ control. at O@ \
controlconf. at O@ interfacemgr. at O@ \
-@@ -132,7 +132,7 @@ config. at O@: config.c bind.keys.h
+@@ -139,7 +139,7 @@ config. at O@: config.c bind.keys.h
-DNS_SYSCONFDIR=\"${sysconfdir}\" \
-c ${srcdir}/config.c
@@ -192,7 +194,7 @@ diff -up bind-9.9.2/bin/named-sdb/Makefile.in.sdb bind-9.9.2/bin/named-sdb/Makef
export MAKE_SYMTABLE="yes"; \
export BASEOBJS="${OBJS} ${UOBJS}"; \
${FINALBUILDCMD}
-@@ -160,14 +160,8 @@ statschannel. at O@: bind9.xsl.h
+@@ -170,15 +170,9 @@ statschannel. at O@: bind9.xsl.h bind9.ver3
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@@ -209,10 +211,11 @@ diff -up bind-9.9.2/bin/named-sdb/Makefile.in.sdb bind-9.9.2/bin/named-sdb/Makef
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-sdb at EXEEXT@ ${DESTDIR}${sbindir}
@DLZ_DRIVER_RULES@
-diff -up bind-9.9.2/configure.in.sdb bind-9.9.2/configure.in
---- bind-9.9.2/configure.in.sdb 2012-10-11 13:21:36.000000000 +0200
-+++ bind-9.9.2/configure.in 2012-10-11 13:24:35.710940464 +0200
-@@ -3571,11 +3571,14 @@ AC_CONFIG_FILES([
+
+diff -up bind-9.9.3rc1/configure.in.sdb bind-9.9.3rc1/configure.in
+--- bind-9.9.3rc1/configure.in.sdb 2013-04-16 15:21:22.208944499 +0200
++++ bind-9.9.3rc1/configure.in 2013-04-16 15:21:19.395950103 +0200
+@@ -3651,12 +3651,15 @@ AC_CONFIG_FILES([
bin/dnssec/Makefile
bin/named/Makefile
bin/named/unix/Makefile
@@ -222,6 +225,7 @@ diff -up bind-9.9.2/configure.in.sdb bind-9.9.2/configure.in
bin/pkcs11/Makefile
bin/python/Makefile
bin/python/dnssec-checkds.py
+ bin/python/dnssec-coverage.py
bin/rndc/Makefile
+ bin/sdb_tools/Makefile
bin/tests/Makefile
diff --git a/bind-9.9.1-P2-multlib-conflict.patch b/bind-9.9.1-P2-multlib-conflict.patch
index 0eab0e1..03d5f5c 100644
--- a/bind-9.9.1-P2-multlib-conflict.patch
+++ b/bind-9.9.1-P2-multlib-conflict.patch
@@ -1,7 +1,7 @@
-diff -up bind-9.9.1-P2/config.h.in.multlib-conflict bind-9.9.1-P2/config.h.in
---- bind-9.9.1-P2/config.h.in.multlib-conflict 2012-08-01 14:07:40.300605215 +0200
-+++ bind-9.9.1-P2/config.h.in 2012-08-01 14:08:06.449526607 +0200
-@@ -400,7 +400,7 @@ int sigwait(const unsigned int *set, int
+diff -up bind-9.9.3rc2/config.h.in.multlib-conflict bind-9.9.3rc2/config.h.in
+--- bind-9.9.3rc2/config.h.in.multlib-conflict 2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/config.h.in 2013-05-13 12:10:22.514870894 +0200
+@@ -416,7 +416,7 @@ int sigwait(const unsigned int *set, int
#undef PORT_NONBLOCK
/* The size of `void *', as computed by sizeof. */
@@ -10,10 +10,10 @@ diff -up bind-9.9.1-P2/config.h.in.multlib-conflict bind-9.9.1-P2/config.h.in
/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS
-diff -up bind-9.9.1-P2/configure.in.multlib-conflict bind-9.9.1-P2/configure.in
---- bind-9.9.1-P2/configure.in.multlib-conflict 2012-08-01 13:25:04.871278041 +0200
-+++ bind-9.9.1-P2/configure.in 2012-08-01 13:25:08.705266546 +0200
-@@ -2102,7 +2102,9 @@ int getnameinfo(const struct sockaddr *,
+diff -up bind-9.9.3rc2/configure.in.multlib-conflict bind-9.9.3rc2/configure.in
+--- bind-9.9.3rc2/configure.in.multlib-conflict 2013-05-13 12:10:22.481870901 +0200
++++ bind-9.9.3rc2/configure.in 2013-05-13 12:10:22.515870894 +0200
+@@ -2251,7 +2251,9 @@ int getnameinfo(const struct sockaddr *,
size_t, char *, size_t, int);],
[ return (0);],
[AC_MSG_RESULT(size_t for buflen; int for flags)
@@ -24,15 +24,14 @@ diff -up bind-9.9.1-P2/configure.in.multlib-conflict bind-9.9.1-P2/configure.in
AC_DEFINE(IRS_GETNAMEINFO_FLAGS_T, int)],
[AC_MSG_RESULT(not match any subspecies; assume standard definition)
AC_DEFINE(IRS_GETNAMEINFO_BUFLEN_T, socklen_t)
-diff -up bind-9.9.1-P2/isc-config.sh.in.multlib-conflict bind-9.9.1-P2/isc-config.sh.in
---- bind-9.9.1-P2/isc-config.sh.in.multlib-conflict 2012-08-01 10:30:18.414494493 +0200
-+++ bind-9.9.1-P2/isc-config.sh.in 2012-08-01 14:12:11.696789273 +0200
-@@ -20,8 +20,19 @@
- prefix=@prefix@
+diff -up bind-9.9.3rc2/isc-config.sh.in.multlib-conflict bind-9.9.3rc2/isc-config.sh.in
+--- bind-9.9.3rc2/isc-config.sh.in.multlib-conflict 2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/isc-config.sh.in 2013-05-13 12:26:40.258698745 +0200
+@@ -21,7 +21,18 @@ prefix=@prefix@
exec_prefix=@exec_prefix@
exec_prefix_set=
--libdir=@libdir@
includedir=@includedir@
+-libdir=@libdir@
+arch=$(uname -m)
+
+case $arch in
@@ -48,20 +47,20 @@ diff -up bind-9.9.1-P2/isc-config.sh.in.multlib-conflict bind-9.9.1-P2/isc-confi
usage()
{
-@@ -124,6 +135,16 @@ if test x"$echo_cflags" = x"true"; then
- echo $includes
- fi
- if test x"$echo_libs" = x"true"; then
-+ if [ ! -x $libdir/libisc.so ] ; then
-+ if [ ! -x $sec_libdir/libisc.so ] ; then
-+ echo "Error: ISC libs not found in $libdir"
-+ if [ -d $sec_libdir ] ; then
-+ echo "Error: ISC libs not found in $sec_libdir"
+@@ -133,6 +144,16 @@ if test x"$echo_libs" = x"true"; then
+ if test x"${exec_prefix_set}" = x"true"; then
+ includes="-L${exec_prefix}/lib"
+ else
++ if [ ! -x $libdir/libisc.so ] ; then
++ if [ ! -x $sec_libdir/libisc.so ] ; then
++ echo "Error: ISC libs not found in $libdir"
++ if [ -d $sec_libdir ] ; then
++ echo "Error: ISC libs not found in $sec_libdir"
++ fi
++ exit 1
+ fi
-+ exit 1
++ libdir=$sec_libdir
+ fi
-+ libdir=$sec_libdir
-+ fi
- libs="-L${libdir}"
+ libs="-L${libdir}"
+ fi
if test x"$liblwres" = x"true" ; then
- libs="$libs -llwres"
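Review bot: The two `Error: ISC libs not found` messages added in the `else` branch go to stdout, the same stream a caller captures when it runs `isc-config.sh --libs`, so a build script that ignores the exit status would pass the error text on as linker flags. Sending them to stderr keeps the captured output empty on failure, e.g. `echo "Error: ISC libs not found in $libdir" >&2`. The tests also expand `$libdir` and `$sec_libdir` unquoted; `[ ! -x "$libdir/libisc.so" ]` is the safer form. The enclosing `if test x"$echo_libs"` block starts and ends outside this hunk.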
diff --git a/bind.spec b/bind.spec
index 5fd40e8..b296f77 100644
--- a/bind.spec
+++ b/bind.spec
@@ -2,11 +2,11 @@
# Red Hat BIND package .spec file
#
-%global PATCHVER P2
+#%%global PATCHVER P2
#%%global PREVER rc2
#%%global VERSION %{version}%{PREVER}
-#%%global VERSION %{version}
-%global VERSION %{version}-%{PATCHVER}
+%global VERSION %{version}
+#%%global VERSION %{version}-%{PATCHVER}
%{?!SDB: %global SDB 1}
%{?!test: %global test 0}
@@ -25,8 +25,8 @@
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
Name: bind
License: ISC
-Version: 9.9.2
-Release: 12.%{PATCHVER}%{?dist}
+Version: 9.9.3
+Release: 1%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -61,7 +61,6 @@ Patch10: bind-9.5-PIE.patch
Patch16: bind-9.3.2-redhat_doc.patch
Patch72: bind-9.5-dlz-64bit.patch
Patch87: bind-9.5-parallel-build.patch
-Patch99: bind-96-libtool2.patch
Patch101:bind-96-old-api.patch
Patch102:bind-95-rh452060.patch
Patch106:bind93-rh490837.patch
@@ -80,8 +79,7 @@ Patch131:bind-9.9.1-P2-multlib-conflict.patch
Patch132:bind99-stat.patch
Patch133:bind99-rh640538.patch
Patch134:bind97-rh669163.patch
-Patch136:rl-9.9.2-P1.patch
-Patch137:bind99-opts.patch
+Patch136:rl-9.9.3.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -261,11 +259,6 @@ Based on the code from Jan "Yenya" Kasprzak <kas at fi.muni.cz>
%patch85 -p1 -b .libidn3
%patch87 -p1 -b .parallel
%patch94 -p1 -b .rh461409
-
-# XXX due new libtool. Not sure about proper upstream approach yet.
-mkdir m4
-%patch99 -p1 -b .libtool2
-
%patch102 -p1 -b .rh452060
%patch106 -p0 -b .rh490837
%patch107 -p1 -b .dist-pkcs11
@@ -282,7 +275,7 @@ popd
%patch127 -p1 -b .forward
%patch130 -p1 -b .libdb4
%patch131 -p1 -b .multlib-conflict
-%patch136 -p1 -b .rl
+%patch136 -p0 -b .rl
%if %{SDB}
%patch101 -p1 -b .old-api
@@ -319,7 +312,6 @@ cp -fp contrib/sdb/sqlite/zone2sqlite.c bin/sdb_tools
%patch133 -p1 -b .rh640538
%patch134 -p1 -b .rh669163
%patch135 -p1 -b .libidn4
-%patch137 -p1 -b .opts
# Sparc and s390 arches need to use -fPIE
%ifarch sparcv9 sparc64 s390 s390x
@@ -339,7 +331,7 @@ sed -i -e \
's/RELEASEVER=\(.*\)/RELEASEVER=\1-RedHat-%{version}-%{release}/' \
version
-libtoolize -c -f; aclocal -I m4 --force; autoconf -f
+libtoolize -c -f; aclocal -I libtool.m4 --force; autoconf -f
%configure \
--with-libtool \
@@ -376,6 +368,9 @@ make %{?_smp_mflags}
pushd bin/dig
make man
popd
+pushd bin/python
+make man
+popd
%if %{test}
%check
@@ -778,6 +773,11 @@ rm -rf ${RPM_BUILD_ROOT}
%endif
%changelog
+* Mon Jun 03 2013 Tomas Hozza <thozza at redhat.com> 32:9.9.3-1
+- update to 9.9.3
+- update RRL patch to the latest version 9.9.3-rl.150.20
+- drop/modify some patches to fit latest version
+
* Fri May 17 2013 Tomas Hozza <thozza at redhat.com> 32:9.9.2-12.P2
- Fix segfault in host/nslookup (#878139)
diff --git a/bind97-exportlib.patch b/bind97-exportlib.patch
index 1f5aa20..4468ef5 100644
--- a/bind97-exportlib.patch
+++ b/bind97-exportlib.patch
@@ -1,35 +1,7 @@
-diff -up bind-9.7.2-P2/isc-config.sh.in.exportlib bind-9.7.2-P2/isc-config.sh.in
---- bind-9.7.2-P2/isc-config.sh.in.exportlib 2007-06-20 01:46:59.000000000 +0200
-+++ bind-9.7.2-P2/isc-config.sh.in 2010-10-20 14:05:25.423861548 +0200
-@@ -20,6 +20,8 @@
- prefix=@prefix@
- exec_prefix=@exec_prefix@
- exec_prefix_set=
-+libdir=@libdir@
-+includedir=@includedir@
-
- usage()
- {
-@@ -115,14 +117,14 @@ if test x"$echo_exec_prefix" = x"true" ;
- echo $exec_prefix
- fi
- if test x"$echo_cflags" = x"true"; then
-- includes="-I${exec_prefix}/include"
-+ includes="-I${includedir}"
- if test x"$libisc" = x"true"; then
- includes="$includes @ALWAYS_DEFINES@ @STD_CINCLUDES@ @STD_CDEFINES@ @CCOPT@"
- fi
- echo $includes
- fi
- if test x"$echo_libs" = x"true"; then
-- libs=-L${exec_prefix}/lib
-+ libs="-L${libdir}"
- if test x"$liblwres" = x"true" ; then
- libs="$libs -llwres"
- fi
-diff -up bind-9.7.2-P2/lib/export/dns/Makefile.in.exportlib bind-9.7.2-P2/lib/export/dns/Makefile.in
---- bind-9.7.2-P2/lib/export/dns/Makefile.in.exportlib 2010-06-10 01:49:43.000000000 +0200
-+++ bind-9.7.2-P2/lib/export/dns/Makefile.in 2010-10-20 14:08:58.123772859 +0200
+diff -up bind-9.9.3rc2/isc-config.sh.in.exportlib bind-9.9.3rc2/isc-config.sh.in
+diff -up bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib bind-9.9.3rc2/lib/export/dns/Makefile.in
+--- bind-9.9.3rc2/lib/export/dns/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/dns/Makefile.in 2013-05-13 10:45:22.574089729 +0200
@@ -35,9 +35,9 @@ CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_
CWARNINGS =
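Review bot: The refreshed patch keeps a bare `diff -up bind-9.9.3rc2/isc-config.sh.in.exportlib bind-9.9.3rc2/isc-config.sh.in` header with no `---`/`+++` lines or hunks under it, left over after the isc-config.sh.in changes were dropped. patch(1) will most likely skip it as leading text, but it tells a reader that the file is still modified by this patch; deleting the line makes the patch describe only what it applies. The remaining headers still name the `rc2` tree, which is harmless under `-p1` but suggests the patch was not regenerated against the release tarball.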
@@ -42,7 +14,7 @@ diff -up bind-9.7.2-P2/lib/export/dns/Makefile.in.exportlib bind-9.7.2-P2/lib/ex
LIBS = @LIBS@
-@@ -114,29 +114,29 @@ version. at O@: ${srcdir}/version.c
+@@ -116,29 +116,29 @@ version. at O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
@@ -78,10 +50,10 @@ diff -up bind-9.7.2-P2/lib/export/dns/Makefile.in.exportlib bind-9.7.2-P2/lib/ex
rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
rm -f include/dns/rdatastruct.h
-diff -up bind-9.7.2-P2/lib/export/irs/Makefile.in.exportlib bind-9.7.2-P2/lib/export/irs/Makefile.in
---- bind-9.7.2-P2/lib/export/irs/Makefile.in.exportlib 2009-12-06 00:31:40.000000000 +0100
-+++ bind-9.7.2-P2/lib/export/irs/Makefile.in 2010-10-20 14:10:39.893717488 +0200
-@@ -42,9 +42,9 @@ SRCS = context.c \
+diff -up bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib bind-9.9.3rc2/lib/export/irs/Makefile.in
+--- bind-9.9.3rc2/lib/export/irs/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/irs/Makefile.in 2013-05-13 10:45:22.575089729 +0200
+@@ -43,9 +43,9 @@ SRCS = context.c \
gai_sterror.c getaddrinfo.c getnameinfo.c \
resconf.c
@@ -94,7 +66,7 @@ diff -up bind-9.7.2-P2/lib/export/irs/Makefile.in.exportlib bind-9.7.2-P2/lib/ex
LIBS = @LIBS@
-@@ -61,26 +61,26 @@ version. at O@: ${srcdir}/version.c
+@@ -62,26 +62,26 @@ version. at O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
@@ -127,17 +99,17 @@ diff -up bind-9.7.2-P2/lib/export/irs/Makefile.in.exportlib bind-9.7.2-P2/lib/ex
clean distclean::
- rm -f libirs. at A@ libirs.la timestamp
+ rm -f libirs-export. at A@ libirs-export.la timestamp
-diff -up bind-9.7.2-P2/lib/export/isccfg/Makefile.in.exportlib bind-9.7.2-P2/lib/export/isccfg/Makefile.in
---- bind-9.7.2-P2/lib/export/isccfg/Makefile.in.exportlib 2009-12-06 00:31:41.000000000 +0100
-+++ bind-9.7.2-P2/lib/export/isccfg/Makefile.in 2010-10-20 14:10:14.593741247 +0200
+diff -up bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isccfg/Makefile.in
+--- bind-9.9.3rc2/lib/export/isccfg/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/isccfg/Makefile.in 2013-05-13 10:45:22.576089729 +0200
@@ -30,11 +30,11 @@ CINCLUDES = -I. ${DNS_INCLUDES} -I${expo
CDEFINES =
CWARNINGS =
-ISCLIBS = ../isc/libisc. at A@
--DNSLIBS = ../dns/libdns. at A@
+-DNSLIBS = ../dns/libdns. at A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../isc/libisc-export. at A@
-+DNSLIBS = ../dns/libdns-export. at A@
++DNSLIBS = ../dns/libdns-export. at A@ @DNS_CRYPTO_LIBS@
ISCDEPLIBS = ../../lib/isc/libisc. at A@
-ISCCFGDEPLIBS = libisccfg. at A@
@@ -178,10 +150,10 @@ diff -up bind-9.7.2-P2/lib/export/isccfg/Makefile.in.exportlib bind-9.7.2-P2/lib
clean distclean::
- rm -f libisccfg. at A@ timestamp
+ rm -f libisccfg-export. at A@ timestamp
-diff -up bind-9.7.2-P2/lib/export/isc/Makefile.in.exportlib bind-9.7.2-P2/lib/export/isc/Makefile.in
---- bind-9.7.2-P2/lib/export/isc/Makefile.in.exportlib 2010-06-10 01:49:43.000000000 +0200
-+++ bind-9.7.2-P2/lib/export/isc/Makefile.in 2010-10-20 14:05:25.433861543 +0200
-@@ -101,6 +101,10 @@ SRCS = @ISC_EXTRA_SRCS@ \
+diff -up bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib bind-9.9.3rc2/lib/export/isc/Makefile.in
+--- bind-9.9.3rc2/lib/export/isc/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/isc/Makefile.in 2013-05-13 10:45:22.576089729 +0200
+@@ -100,6 +100,10 @@ SRCS = @ISC_EXTRA_SRCS@ \
LIBS = @LIBS@
@@ -192,7 +164,7 @@ diff -up bind-9.7.2-P2/lib/export/isc/Makefile.in.exportlib bind-9.7.2-P2/lib/ex
SUBDIRS = include unix nls @ISC_THREAD_DIR@
TARGETS = timestamp
-@@ -114,26 +118,26 @@ version. at O@: ${srcdir}/version.c
+@@ -113,26 +117,26 @@ version. at O@: ${srcdir}/version.c
-DLIBAGE=${LIBAGE} \
-c ${srcdir}/version.c
@@ -225,10 +197,10 @@ diff -up bind-9.7.2-P2/lib/export/isc/Makefile.in.exportlib bind-9.7.2-P2/lib/ex
clean distclean::
- rm -f libisc. at A@ libisc.la timestamp
+ rm -f libisc-export. at A@ libisc-export.la timestamp
-diff -up bind-9.7.2-P2/lib/export/samples/Makefile.in.exportlib bind-9.7.2-P2/lib/export/samples/Makefile.in
---- bind-9.7.2-P2/lib/export/samples/Makefile.in.exportlib 2009-12-06 00:31:41.000000000 +0100
-+++ bind-9.7.2-P2/lib/export/samples/Makefile.in 2010-10-20 14:05:25.433861543 +0200
-@@ -30,15 +30,15 @@ CINCLUDES = -I${srcdir}/include -I../dns
+diff -up bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib bind-9.9.3rc2/lib/export/samples/Makefile.in
+--- bind-9.9.3rc2/lib/export/samples/Makefile.in.exportlib 2013-04-30 08:38:46.000000000 +0200
++++ bind-9.9.3rc2/lib/export/samples/Makefile.in 2013-05-13 10:45:22.577089729 +0200
+@@ -31,15 +31,15 @@ CINCLUDES = -I${srcdir}/include -I../dns
CDEFINES =
CWARNINGS =
@@ -236,16 +208,15 @@ diff -up bind-9.7.2-P2/lib/export/samples/Makefile.in.exportlib bind-9.7.2-P2/li
-ISCLIBS = ../isc/libisc. at A@
-ISCCFGLIBS = ../isccfg/libisccfg. at A@
-IRSLIBS = ../irs/libirs. at A@
--
--DNSDEPLIBS = ../dns/libdns. at A@
--ISCDEPLIBS = ../isc/libisc. at A@
--ISCCFGDEPLIBS = ../isccfg/libisccfg. at A@
--IRSDEPLIBS = ../irs/libirs. at A@
+DNSLIBS = ../dns/libdns-export. at A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../isc/libisc-export. at A@
+ISCCFGLIBS = ../isccfg/libisccfg-export. at A@
+IRSLIBS = ../irs/libirs-export. at A@
-+
+
+-DNSDEPLIBS = ../dns/libdns. at A@
+-ISCDEPLIBS = ../isc/libisc. at A@
+-ISCCFGDEPLIBS = ../isccfg/libisccfg. at A@
+-IRSDEPLIBS = ../irs/libirs. at A@
+DNSDEPLIBS = ../dns/libdns-export. at A@
+ISCDEPLIBS = ../isc/libisc-export. at A@
+ISCCFGDEPLIBS = ../isccfg/libisccfg-export. at A@
diff --git a/rl-9.9.2-P1.patch b/rl-9.9.3.patch
similarity index 73%
rename from rl-9.9.2-P1.patch
rename to rl-9.9.3.patch
index c95a657..90ad238 100644
--- a/rl-9.9.2-P1.patch
+++ b/rl-9.9.3.patch
@@ -1,7 +1,7 @@
-diff -up bind-9.9.2-P1/bin/named/client.c.orig bind-9.9.2-P1/bin/named/client.c
---- bind-9.9.2-P1/bin/named/client.c.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/bin/named/client.c 2013-03-06 16:54:18.869051724 +0100
-@@ -994,6 +994,11 @@ ns_client_send(ns_client_t *client) {
+diff -r -u bin/named/client.c-orig bin/named/client.c
+--- bin/named/client.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/named/client.c 2004-01-01 00:00:00.000000000 +0000
+@@ -994,6 +994,11 @@
}
if (result != ISC_R_SUCCESS)
goto done;
@@ -13,7 +13,7 @@ diff -up bind-9.9.2-P1/bin/named/client.c.orig bind-9.9.2-P1/bin/named/client.c
result = dns_message_rendersection(client->message,
DNS_SECTION_ANSWER,
DNS_MESSAGERENDER_PARTIAL |
-@@ -1134,6 +1139,49 @@ ns_client_error(ns_client_t *client, isc
+@@ -1134,6 +1139,51 @@
#endif
/*
@@ -26,8 +26,7 @@ diff -up bind-9.9.2-P1/bin/named/client.c.orig bind-9.9.2-P1/bin/named/client.c
+
+ INSIST(rcode != dns_rcode_noerror &&
+ rcode != dns_rcode_nxdomain);
-+ wouldlog = (ns_g_server->log_queries &&
-+ isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP));
++ wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP);
+ rrl_result = dns_rrl(client->view, &client->peeraddr,
+ TCP_CLIENT(client),
+ dns_rdataclass_in, dns_rdatatype_none,
@@ -41,18 +40,21 @@ diff -up bind-9.9.2-P1/bin/named/client.c.orig bind-9.9.2-P1/bin/named/client.c
+ * NS_LOGCATEGORY_RRL.
+ */
+ if (wouldlog) {
-+ ns_client_log(client, NS_LOGCATEGORY_QUERIES,
++ ns_client_log(client,
++ NS_LOGCATEGORY_QUERY_EERRORS,
+ NS_LOGMODULE_CLIENT,
+ DNS_RRL_LOG_DROP,
+ "%s", log_buf);
+ }
+ /*
+ * Some error responses cannot be 'slipped',
-+ * so don't try.
-+ * This will counted with dropped queries in the
-+ * QryDropped counter.
++ * so don't try to slip any error responses.
+ */
+ if (!client->view->rrl->log_only) {
++ isc_stats_increment(ns_g_server->nsstats,
++ dns_nsstatscounter_ratedropped);
++ isc_stats_increment(ns_g_server->nsstats,
++ dns_nsstatscounter_dropped);
+ ns_client_next(client, DNS_R_DROP);
+ return;
+ }
@@ -63,10 +65,10 @@ diff -up bind-9.9.2-P1/bin/named/client.c.orig bind-9.9.2-P1/bin/named/client.c
* Message may be an in-progress reply that we had trouble
* with, in which case QR will be set. We need to clear QR before
* calling dns_message_reply() to avoid triggering an assertion.
-diff -up bind-9.9.2-P1/bin/named/config.c.orig bind-9.9.2-P1/bin/named/config.c
---- bind-9.9.2-P1/bin/named/config.c.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/bin/named/config.c 2013-03-06 16:55:14.236039592 +0100
-@@ -227,6 +227,13 @@ view \"_bind\" chaos {\n\
+diff -r -u bin/named/config.c-orig bin/named/config.c
+--- bin/named/config.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/named/config.c 2004-01-01 00:00:00.000000000 +0000
+@@ -228,6 +228,13 @@
notify no;\n\
allow-new-zones no;\n\
\n\
@@ -80,10 +82,10 @@ diff -up bind-9.9.2-P1/bin/named/config.c.orig bind-9.9.2-P1/bin/named/config.c
zone \"version.bind\" chaos {\n\
type master;\n\
database \"_builtin version\";\n\
-diff -up bind-9.9.2-P1/bin/named/include/named/query.h.orig bind-9.9.2-P1/bin/named/include/named/query.h
---- bind-9.9.2-P1/bin/named/include/named/query.h.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/bin/named/include/named/query.h 2013-03-06 16:55:14.237039591 +0100
-@@ -85,6 +85,7 @@ struct ns_query {
+diff -r -u bin/named/include/named/query.h-orig bin/named/include/named/query.h
+--- bin/named/include/named/query.h-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/named/include/named/query.h 2004-01-01 00:00:00.000000000 +0000
+@@ -85,6 +85,7 @@
#define NS_QUERYATTR_CACHEACLOK 0x2000
#define NS_QUERYATTR_DNS64 0x4000
#define NS_QUERYATTR_DNS64EXCLUDE 0x8000
@@ -91,38 +93,55 @@ diff -up bind-9.9.2-P1/bin/named/include/named/query.h.orig bind-9.9.2-P1/bin/na
isc_result_t
-diff -up bind-9.9.2-P1/bin/named/include/named/server.h.orig bind-9.9.2-P1/bin/named/include/named/server.h
---- bind-9.9.2-P1/bin/named/include/named/server.h.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/bin/named/include/named/server.h 2013-03-06 16:55:14.237039591 +0100
-@@ -165,7 +165,10 @@ enum {
- dns_nsstatscounter_updatefail = 34,
- dns_nsstatscounter_updatebadprereq = 35,
+diff -r -u bin/named/include/named/server.h-orig bin/named/include/named/server.h
+--- bin/named/include/named/server.h-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/named/include/named/server.h 2004-01-01 00:00:00.000000000 +0000
+@@ -167,7 +167,10 @@
-- dns_nsstatscounter_max = 36
-+ dns_nsstatscounter_ratedropped = 36,
-+ dns_nsstatscounter_rateslipped = 37,
+ dns_nsstatscounter_rpz_rewrites = 36,
+
+- dns_nsstatscounter_max = 37
++ dns_nsstatscounter_ratedropped = 37,
++ dns_nsstatscounter_rateslipped = 38,
+
-+ dns_nsstatscounter_max = 38
++ dns_nsstatscounter_max = 39
};
void
-diff -up bind-9.9.2-P1/bin/named/query.c.orig bind-9.9.2-P1/bin/named/query.c
---- bind-9.9.2-P1/bin/named/query.c.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/bin/named/query.c 2013-03-06 16:55:14.242039589 +0100
-@@ -5748,6 +5748,105 @@ query_find(ns_client_t *client, dns_fetc
+diff -r -u bin/named/query.c-orig bin/named/query.c
+--- bin/named/query.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/named/query.c 2004-01-01 00:00:00.000000000 +0000
+@@ -193,7 +193,7 @@
+ #ifdef NEWSTATS
+ /* Do query type statistics
+ *
+- * We only increment per-type if we're using the authoriative
++ * We only increment per-type if we're using the authoritative
+ * answer counter, preventing double-counting.
+ */
+ if (counter == dns_nsstatscounter_authans) {
+@@ -5865,6 +5865,128 @@
resume:
CTRACE("query_find: resume");
+ /*
+ * Rate limit these responses to this client.
++ * Do not delay counting and handling obvious referrals,
++ * since those won't come here again.
++ * Delay handling delegations for which we are certain to recurse and
++ * return here (DNS_R_DELEGATION, not a child of one of our
++ * own zones, and recursion enabled)
++ * Count each response at most once.
+ */
+ if (client->view->rrl != NULL &&
-+ fname != NULL && dns_name_isabsolute(fname) &&
++ ((fname != NULL && dns_name_isabsolute(fname)) ||
++ (result == ISC_R_NOTFOUND && !RECURSIONOK(client))) &&
++ !(result == DNS_R_DELEGATION && !is_zone && RECURSIONOK(client)) &&
+ (client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) {
+ dns_rdataset_t nc_rdataset;
+ isc_boolean_t wouldlog;
+ char log_buf[DNS_RRL_LOG_BUF_LEN];
-+ isc_result_t nc_result;
++ isc_result_t nc_result, resp_result;
+ dns_rrl_result_t rrl_result;
+
+ client->query.attributes |= NS_QUERYATTR_RRL_CHECKED;
@@ -135,7 +154,7 @@ diff -up bind-9.9.2-P1/bin/named/query.c.orig bind-9.9.2-P1/bin/named/query.c
+ */
+ if (db != NULL)
+ tname = dns_db_origin(db);
-+ rrl_result = result;
++ resp_result = result;
+ } else if (result == DNS_R_NCACHENXDOMAIN &&
+ rdataset != NULL &&
+ dns_rdataset_isassociated(rdataset) &&
@@ -159,17 +178,28 @@ diff -up bind-9.9.2-P1/bin/named/query.c.orig bind-9.9.2-P1/bin/named/query.c
+ }
+ dns_rdataset_disassociate(&nc_rdataset);
+ }
-+ rrl_result = DNS_R_NXDOMAIN;
++ resp_result = DNS_R_NXDOMAIN;
++ } else if (result == DNS_R_NXRRSET ||
++ result == DNS_R_EMPTYNAME) {
++ resp_result = DNS_R_NXRRSET;
+ } else if (result == DNS_R_DELEGATION) {
-+ rrl_result = result;
++ resp_result = result;
++ } else if (result == ISC_R_NOTFOUND) {
++ /*
++ * Handle referral to ".", including when recursion
++ * is off or not requested and the hints have not
++ * been loaded or we have "additional-from-cache no".
++ */
++ tname = dns_rootname;
++ resp_result = DNS_R_DELEGATION;
+ } else {
-+ rrl_result = ISC_R_SUCCESS;
++ resp_result = ISC_R_SUCCESS;
+ }
+ rrl_result = dns_rrl(client->view, &client->peeraddr,
+ ISC_TF((client->attributes
+ & NS_CLIENTATTR_TCP) != 0),
+ client->message->rdclass, qtype, tname,
-+ rrl_result, client->now,
++ resp_result, client->now,
+ wouldlog, log_buf, sizeof(log_buf));
+ if (rrl_result != DNS_RRL_RESULT_OK) {
+ /*
@@ -182,9 +212,10 @@ diff -up bind-9.9.2-P1/bin/named/query.c.orig bind-9.9.2-P1/bin/named/query.c
+ * in QryDropped while slipped responses are counted
+ * with other truncated responses in RespTruncated.
+ */
-+ if (wouldlog && ns_g_server->log_queries) {
-+ ns_client_log(client, NS_LOGCATEGORY_QUERIES,
-+ NS_LOGMODULE_CLIENT,
++ if (wouldlog) {
++ ns_client_log(client,
++ NS_LOGCATEGORY_QUERY_EERRORS,
++ NS_LOGMODULE_QUERY,
+ DNS_RRL_LOG_DROP,
+ "%s", log_buf);
+ }
@@ -206,6 +237,9 @@ diff -up bind-9.9.2-P1/bin/named/query.c.orig bind-9.9.2-P1/bin/named/query.c
+ dns_nsstatscounter_rateslipped);
+ client->message->flags |=
+ DNS_MESSAGEFLAG_TC;
++ if (resp_result == DNS_R_NXDOMAIN)
++ client->message->rcode =
++ dns_rcode_nxdomain;
+ }
+ goto cleanup;
+ }
@@ -215,7 +249,7 @@ diff -up bind-9.9.2-P1/bin/named/query.c.orig bind-9.9.2-P1/bin/named/query.c
if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
(RECURSIONOK(client) || !client->view->rpz_recursive_only) &&
rpz_ck_dnssec(client, result, rdataset, sigrdataset) &&
-@@ -7170,12 +7269,14 @@ query_find(ns_client_t *client, dns_fetc
+@@ -7318,12 +7440,14 @@
}
if (eresult != ISC_R_SUCCESS &&
@@ -233,14 +267,14 @@ diff -up bind-9.9.2-P1/bin/named/query.c.orig bind-9.9.2-P1/bin/named/query.c
*/
query_next(client, eresult);
} else {
-diff -up bind-9.9.2-P1/bin/named/server.c.orig bind-9.9.2-P1/bin/named/server.c
---- bind-9.9.2-P1/bin/named/server.c.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/bin/named/server.c 2013-03-06 16:55:14.246039588 +0100
-@@ -1561,6 +1561,199 @@ configure_rpz(dns_view_t *view, const cf
- return (result);
+diff -r -u bin/named/server.c-orig bin/named/server.c
+--- bin/named/server.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/named/server.c 2004-01-01 00:00:00.000000000 +0000
+@@ -1639,6 +1639,168 @@
+ return (ISC_R_SUCCESS);
}
-+#define CHECK_RRL(obj, cond, pat, val1, val2) \
++#define CHECK_RRL(cond, pat, val1, val2) \
+ do { \
+ if (!(cond)) { \
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, \
@@ -250,6 +284,22 @@ diff -up bind-9.9.2-P1/bin/named/server.c.orig bind-9.9.2-P1/bin/named/server.c
+ } \
+ } while (0)
+
++#define CHECK_RRL_RATE(rate, def, max_rate, name) \
++ do { \
++ obj = NULL; \
++ rrl->rate.str = name; \
++ result = cfg_map_get(map, name, &obj); \
++ if (result == ISC_R_SUCCESS) { \
++ rrl->rate.r = cfg_obj_asuint32(obj); \
++ CHECK_RRL(rrl->rate.r <= max_rate, \
++ name" %d > %d", \
++ rrl->rate.r, max_rate); \
++ } else { \
++ rrl->rate.r = def; \
++ } \
++ rrl->rate.scaled = rrl->rate.r; \
++ } while (0)
++
+static isc_result_t
+configure_rrl(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *map) {
+ const cfg_obj_t *obj;
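Review bot: `CHECK_RRL_RATE` (and `CHECK_RRL`, now that its `obj` parameter is gone) silently reads and writes `obj`, `result`, `map` and `rrl` from the caller's scope, and `name" %d > %d"` only compiles when `name` is a string literal; none of this is stated at the definition. I would add `/* Requires obj, result, map and rrl in the enclosing scope; name must be a string literal. */` above the macro and parenthesize the arguments in the expansion, `rrl->rate.r <= (max_rate)` and `rrl->rate.r = (def);`. The values come from `cfg_obj_asuint32()` but are printed with `%d`, so an oversized setting would presumably be reported as a negative number; `%u` would fit better if `r` is unsigned, which the hunk does not show. The body of `CHECK_RRL` lies partly outside the hunk.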
@@ -280,86 +330,39 @@ diff -up bind-9.9.2-P1/bin/named/server.c.orig bind-9.9.2-P1/bin/named/server.c
+ result = cfg_map_get(map, "max-table-size", &obj);
+ if (result == ISC_R_SUCCESS) {
+ i = cfg_obj_asuint32(obj);
-+ CHECK_RRL(obj, i >= min_entries,
++ CHECK_RRL(i >= min_entries,
+ "max-table-size %d < min-table-size %d",
+ i, min_entries);
+ }
+ rrl->max_entries = i;
+
-+ i = 0;
-+ obj = NULL;
-+ result = cfg_map_get(map, "responses-per-second", &obj);
-+ if (result == ISC_R_SUCCESS) {
-+ i = cfg_obj_asuint32(obj);
-+ CHECK_RRL(obj, i <= DNS_RRL_MAX_RATE,
-+ "responses-per-second %d > %d",
-+ i, DNS_RRL_MAX_RATE);
-+ }
-+ rrl->responses_per_second = i;
-+ rrl->scaled_responses_per_second = rrl->responses_per_second;
-+
-+ /*
-+ * The default error rate is the response rate,
-+ * and so off by default.
-+ */
-+ i = rrl->responses_per_second;
-+ obj = NULL;
-+ result = cfg_map_get(map, "errors-per-second", &obj);
-+ if (result == ISC_R_SUCCESS) {
-+ i = cfg_obj_asuint32(obj);
-+ CHECK_RRL(obj, i <= DNS_RRL_MAX_RATE,
-+ "errors-per-second %d > %d",
-+ i, DNS_RRL_MAX_RATE);
-+ }
-+ rrl->errors_per_second = i;
-+ rrl->scaled_errors_per_second = rrl->errors_per_second;
-+ /*
-+ * The default NXDOMAIN rate is the response rate,
-+ * and so off by default.
-+ */
-+ i = rrl->responses_per_second;
-+ obj = NULL;
-+ result = cfg_map_get(map, "nxdomains-per-second", &obj);
-+ if (result == ISC_R_SUCCESS) {
-+ i = cfg_obj_asuint32(obj);
-+ CHECK_RRL(obj, i <= DNS_RRL_MAX_RATE,
-+ "nxdomains-per-second %d > %d",
-+ i, DNS_RRL_MAX_RATE);
-+ }
-+ rrl->nxdomains_per_second = i;
-+ rrl->scaled_nxdomains_per_second = rrl->nxdomains_per_second;
-+
-+ /*
-+ * The all-per-second rate is off by default.
-+ */
-+ i = 0;
-+ obj = NULL;
-+ result = cfg_map_get(map, "all-per-second", &obj);
-+ if (result == ISC_R_SUCCESS) {
-+ i = cfg_obj_asuint32(obj);
-+ CHECK_RRL(obj, i <= DNS_RRL_MAX_RATE, "all-per-second %d > %d",
-+ i, DNS_RRL_MAX_RATE);
-+ }
-+ rrl->all_per_second = i;
-+ rrl->scaled_all_per_second = rrl->all_per_second;
-+
-+ i = 2;
-+ obj = NULL;
-+ result = cfg_map_get(map, "slip", &obj);
-+ if (result == ISC_R_SUCCESS) {
-+ i = cfg_obj_asuint32(obj);
-+ CHECK_RRL(obj, i <= DNS_RRL_MAX_SLIP,
-+ "slip %d > %d", i, DNS_RRL_MAX_SLIP);
-+ }
-+ rrl->slip = i;
-+ rrl->scaled_slip = rrl->slip;
++ CHECK_RRL_RATE(responses_per_second, 0, DNS_RRL_MAX_RATE,
++ "responses-per-second");
++ CHECK_RRL_RATE(referrals_per_second,
++ rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
++ "referrals-per-second");
++ CHECK_RRL_RATE(nodata_per_second,
++ rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
++ "nodata-per-second");
++ CHECK_RRL_RATE(nxdomains_per_second,
++ rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
++ "nxdomains-per-second");
++ CHECK_RRL_RATE(errors_per_second,
++ rrl->responses_per_second.r, DNS_RRL_MAX_RATE,
++ "errors-per-second");
++
++ CHECK_RRL_RATE(all_per_second, 0, DNS_RRL_MAX_RATE,
++ "all-per-second");
++
++ CHECK_RRL_RATE(slip, 2, DNS_RRL_MAX_SLIP,
++ "slip");
+
+ i = 15;
+ obj = NULL;
+ result = cfg_map_get(map, "window", &obj);
+ if (result == ISC_R_SUCCESS) {
+ i = cfg_obj_asuint32(obj);
-+ CHECK_RRL(obj, i >= 1 && i <= DNS_RRL_MAX_WINDOW,
++ CHECK_RRL(i >= 1 && i <= DNS_RRL_MAX_WINDOW,
+ "window %d < 1 or > %d", i, DNS_RRL_MAX_WINDOW);
+ }
+ rrl->window = i;
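Review bot: The four `CHECK_RRL_RATE` calls for referrals, nodata, nxdomains and errors take `rrl->responses_per_second.r` as their default, so they depend on `responses-per-second` being parsed first. The comments that explained this default in the removed code were dropped. A later reorder would silently default those limits to whatever the field holds at that point. I would restore a comment before the first call, e.g. `/* responses-per-second must come first: it is the default for the referral, nodata, nxdomain and error rates */`. configure_rrl starts before and ends after this hunk.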
@@ -369,18 +372,18 @@ diff -up bind-9.9.2-P1/bin/named/server.c.orig bind-9.9.2-P1/bin/named/server.c
+ result = cfg_map_get(map, "qps-scale", &obj);
+ if (result == ISC_R_SUCCESS) {
+ i = cfg_obj_asuint32(obj);
-+ CHECK_RRL(obj, i >= 1, "invalid 'qps-scale %d'%s", i, "");
++ CHECK_RRL(i >= 1, "invalid 'qps-scale %d'%s", i, "");
+ }
+ rrl->qps_scale = i;
+ rrl->qps = 1.0;
+
+ i = 24;
+ obj = NULL;
-+ result = cfg_map_get(map, "IPv4-prefix-length", &obj);
++ result = cfg_map_get(map, "ipv4-prefix-length", &obj);
+ if (result == ISC_R_SUCCESS) {
+ i = cfg_obj_asuint32(obj);
-+ CHECK_RRL(obj, i >= 8 && i <= 32,
-+ "invalid 'IPv4-prefix-length %d'%s", i, "");
++ CHECK_RRL(i >= 8 && i <= 32,
++ "invalid 'ipv4-prefix-length %d'%s", i, "");
+ }
+ rrl->ipv4_prefixlen = i;
+ if (i == 32)
@@ -390,11 +393,11 @@ diff -up bind-9.9.2-P1/bin/named/server.c.orig bind-9.9.2-P1/bin/named/server.c
+
+ i = 56;
+ obj = NULL;
-+ result = cfg_map_get(map, "IPv6-prefix-length", &obj);
++ result = cfg_map_get(map, "ipv6-prefix-length", &obj);
+ if (result == ISC_R_SUCCESS) {
+ i = cfg_obj_asuint32(obj);
-+ CHECK_RRL(obj, i >= 16 && i <= DNS_RRL_MAX_PREFIX,
-+ "IPv6-prefix-length %d < 16 or > %d",
++ CHECK_RRL(i >= 16 && i <= DNS_RRL_MAX_PREFIX,
++ "ipv6-prefix-length %d < 16 or > %d",
+ i, DNS_RRL_MAX_PREFIX);
+ }
+ rrl->ipv6_prefixlen = i;
@@ -415,7 +418,7 @@ diff -up bind-9.9.2-P1/bin/named/server.c.orig bind-9.9.2-P1/bin/named/server.c
+ result = cfg_acl_fromconfig(obj, config, ns_g_lctx,
+ ns_g_aclconfctx, ns_g_mctx,
+ 0, &rrl->exempt);
-+ CHECK_RRL(obj, result == ISC_R_SUCCESS,
++ CHECK_RRL(result == ISC_R_SUCCESS,
+ "invalid %s%s", "address match list", "");
+ }
+
@@ -436,7 +439,7 @@ diff -up bind-9.9.2-P1/bin/named/server.c.orig bind-9.9.2-P1/bin/named/server.c
/*
* Configure 'view' according to 'vconfig', taking defaults from 'config'
* where values are missing in 'vconfig'.
-@@ -2925,6 +3118,14 @@ configure_view(dns_view_t *view, cfg_obj
+@@ -3043,6 +3205,14 @@
}
}
@@ -451,10 +454,10 @@ diff -up bind-9.9.2-P1/bin/named/server.c.orig bind-9.9.2-P1/bin/named/server.c
result = ISC_R_SUCCESS;
cleanup:
-diff -up bind-9.9.2-P1/bin/named/statschannel.c.orig bind-9.9.2-P1/bin/named/statschannel.c
---- bind-9.9.2-P1/bin/named/statschannel.c.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/bin/named/statschannel.c 2013-03-06 16:55:14.248039587 +0100
-@@ -202,6 +202,10 @@ init_desc(void) {
+diff -r -u bin/named/statschannel.c-orig bin/named/statschannel.c
+--- bin/named/statschannel.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/named/statschannel.c 2004-01-01 00:00:00.000000000 +0000
+@@ -206,6 +206,10 @@
SET_NSSTATDESC(updatebadprereq,
"updates rejected due to prerequisite failure",
"UpdateBadPrereq");
@@ -462,25 +465,13 @@ diff -up bind-9.9.2-P1/bin/named/statschannel.c.orig bind-9.9.2-P1/bin/named/sta
+ "RateDropped");
+ SET_NSSTATDESC(rateslipped, "responses truncated for rate limits",
+ "RateSlipped");
+ SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites",
+ "RPZRewrites");
INSIST(i == dns_nsstatscounter_max);
-
- /* Initialize resolver statistics */
-diff -up bind-9.9.2-P1/bin/tests/system/conf.sh.in.orig bind-9.9.2-P1/bin/tests/system/conf.sh.in
---- bind-9.9.2-P1/bin/tests/system/conf.sh.in.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/bin/tests/system/conf.sh.in 2013-03-06 16:55:14.249039586 +0100
-@@ -58,7 +58,7 @@ SUBDIRS="acl allow_query addzone autosig
- @CHECKDS@ checknames checkzone database dlv dlvauto dlz dlzexternal
- dname dns64 dnssec ecdsa forward glue gost ixfr inline limits
- logfileconfig lwresd masterfile masterformat metadata notify
-- nsupdate pending pkcs11 redirect resolver rndc rpz rrsetorder
-+ nsupdate pending pkcs11 redirect resolver rndc rpz rrl rrsetorder
- rsabigexponent sortlist smartsign staticstub stub tkey tsig
- tsiggss unknown upforwd verify views xfer xferquota zonechecks"
-
-diff -up bind-9.9.2-P1/bin/tests/system/README.orig bind-9.9.2-P1/bin/tests/system/README
---- bind-9.9.2-P1/bin/tests/system/README.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/bin/tests/system/README 2013-03-06 16:55:14.248039587 +0100
-@@ -17,6 +17,7 @@ involving a different DNS setup. They a
+diff -r -u bin/tests/system/README-orig bin/tests/system/README
+--- bin/tests/system/README-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/README 2004-01-01 00:00:00.000000000 +0000
+@@ -17,6 +17,7 @@
nsupdate/ Dynamic update and IXFR tests
resolver/ Regression tests for resolver bugs that have been fixed
(not a complete resolver test suite)
@@ -488,11 +479,23 @@ diff -up bind-9.9.2-P1/bin/tests/system/README.orig bind-9.9.2-P1/bin/tests/syst
rpz/ Tests of response policy zone (RPZ) rewriting
stub/ Tests of stub zone functionality
unknown/ Unknown type and class tests
-diff -up bind-9.9.2-P1/bin/tests/system/rrl/clean.sh.orig bind-9.9.2-P1/bin/tests/system/rrl/clean.sh
---- bind-9.9.2-P1/bin/tests/system/rrl/clean.sh.orig 2013-03-06 16:55:14.250039587 +0100
-+++ bind-9.9.2-P1/bin/tests/system/rrl/clean.sh 2013-03-06 16:55:14.250039587 +0100
+diff -r -u bin/tests/system/conf.sh.in-orig bin/tests/system/conf.sh.in
+--- bin/tests/system/conf.sh.in-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/conf.sh.in 2004-01-01 00:00:00.000000000 +0000
+@@ -62,7 +62,7 @@
+ database dlv dlvauto dlz dlzexternal dname dns64 dnssec ecdsa
+ formerr forward glue gost ixfr inline limits logfileconfig
+ lwresd masterfile masterformat metadata notify nsupdate pending
+- pkcs11 redirect resolver rndc rpz rrsetorder rsabigexponent
++ pkcs11 redirect resolver rndc rpz rrl rrsetorder rsabigexponent
+ smartsign sortlist spf staticstub stub tkey tsig tsiggss unknown
+ upforwd verify views wildcard xfer xferquota zonechecks"
+
+diff -r -u bin/tests/system/rrl/clean.sh-orig bin/tests/system/rrl/clean.sh
+--- bin/tests/system/rrl/clean.sh-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/clean.sh 2004-01-01 00:00:00.000000000 +0000
@@ -0,0 +1,21 @@
-+# Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
++# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
@@ -511,19 +514,14 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/clean.sh.orig bind-9.9.2-P1/bin/test
+# Clean up after rrl tests.
+
+rm -f dig.out*
-+rm -f */named.memstats */named.run */named.stats */log */session.key
++rm -f */named.memstats */named.run */named.stats */log-* */session.key
+rm -f ns3/bl*.db */*.jnl */*.core */*.pid
-diff -up bind-9.9.2-P1/bin/tests/system/rrl/.gitignore.orig bind-9.9.2-P1/bin/tests/system/rrl/.gitignore
---- bind-9.9.2-P1/bin/tests/system/rrl/.gitignore.orig 2013-03-06 16:55:14.249039586 +0100
-+++ bind-9.9.2-P1/bin/tests/system/rrl/.gitignore 2013-03-06 16:55:14.249039586 +0100
-@@ -0,0 +1 @@
-+flood
-diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns1/named.conf.orig bind-9.9.2-P1/bin/tests/system/rrl/ns1/named.conf
---- bind-9.9.2-P1/bin/tests/system/rrl/ns1/named.conf.orig 2013-03-06 16:55:14.250039587 +0100
-+++ bind-9.9.2-P1/bin/tests/system/rrl/ns1/named.conf 2013-03-06 16:55:14.251039587 +0100
+diff -r -u bin/tests/system/rrl/ns1/named.conf-orig bin/tests/system/rrl/ns1/named.conf
+--- bin/tests/system/rrl/ns1/named.conf-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns1/named.conf 2004-01-01 00:00:00.000000000 +0000
@@ -0,0 +1,32 @@
+/*
-+ * Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
@@ -554,11 +552,11 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns1/named.conf.orig bind-9.9.2-P1/bi
+};
+
+zone "." {type master; file "root.db";};
-diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns1/root.db.orig bind-9.9.2-P1/bin/tests/system/rrl/ns1/root.db
---- bind-9.9.2-P1/bin/tests/system/rrl/ns1/root.db.orig 2013-03-06 16:55:14.251039587 +0100
-+++ bind-9.9.2-P1/bin/tests/system/rrl/ns1/root.db 2013-03-06 16:55:14.251039587 +0100
+diff -r -u bin/tests/system/rrl/ns1/root.db-orig bin/tests/system/rrl/ns1/root.db
+--- bin/tests/system/rrl/ns1/root.db-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns1/root.db 2004-01-01 00:00:00.000000000 +0000
@@ -0,0 +1,31 @@
-+; Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
++; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
@@ -589,11 +587,11 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns1/root.db.orig bind-9.9.2-P1/bin/t
+
+; generate SERVFAIL
+tld4. NS ns.tld3.
-diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns2/hints.orig bind-9.9.2-P1/bin/tests/system/rrl/ns2/hints
---- bind-9.9.2-P1/bin/tests/system/rrl/ns2/hints.orig 2013-03-06 16:55:14.252039587 +0100
-+++ bind-9.9.2-P1/bin/tests/system/rrl/ns2/hints 2013-03-06 16:55:14.252039587 +0100
+diff -r -u bin/tests/system/rrl/ns2/hints-orig bin/tests/system/rrl/ns2/hints
+--- bin/tests/system/rrl/ns2/hints-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns2/hints 2004-01-01 00:00:00.000000000 +0000
@@ -0,0 +1,18 @@
-+; Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
++; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
@@ -611,12 +609,12 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns2/hints.orig bind-9.9.2-P1/bin/tes
+
+. 0 NS ns1.
+ns1. 0 A 10.53.0.1
-diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns2/named.conf.orig bind-9.9.2-P1/bin/tests/system/rrl/ns2/named.conf
---- bind-9.9.2-P1/bin/tests/system/rrl/ns2/named.conf.orig 2013-03-06 16:55:14.252039587 +0100
-+++ bind-9.9.2-P1/bin/tests/system/rrl/ns2/named.conf 2013-03-06 16:55:14.252039587 +0100
-@@ -0,0 +1,72 @@
+diff -r -u bin/tests/system/rrl/ns2/named.conf-orig bin/tests/system/rrl/ns2/named.conf
+--- bin/tests/system/rrl/ns2/named.conf-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns2/named.conf 2004-01-01 00:00:00.000000000 +0000
+@@ -0,0 +1,71 @@
+/*
-+ * Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
@@ -648,16 +646,15 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns2/named.conf.orig bind-9.9.2-P1/bi
+
+ rate-limit {
+ responses-per-second 2;
-+ all-per-second 70;
-+ IPv4-prefix-length 24;
-+ IPv6-prefix-length 64;
++ all-per-second 50;
+ slip 3;
-+ /* qps-scale 2; */
+ exempt-clients { 10.53.0.7; };
-+ window 1;
-+ max-table-size 100;
-+ min-table-size 2;
++
++ // small enough to force a table expansion
++ min-table-size 75;
+ };
++
++ additional-from-cache no;
+};
+
+key rndc_key {
@@ -687,11 +684,11 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns2/named.conf.orig bind-9.9.2-P1/bi
+zone "." { type hint; file "hints"; };
+
+zone "tld2."{ type master; file "tld2.db"; };
-diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns2/tld2.db.orig bind-9.9.2-P1/bin/tests/system/rrl/ns2/tld2.db
---- bind-9.9.2-P1/bin/tests/system/rrl/ns2/tld2.db.orig 2013-03-06 16:55:14.253039587 +0100
-+++ bind-9.9.2-P1/bin/tests/system/rrl/ns2/tld2.db 2013-03-06 16:55:14.253039587 +0100
-@@ -0,0 +1,42 @@
-+; Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
+diff -r -u bin/tests/system/rrl/ns2/tld2.db-orig bin/tests/system/rrl/ns2/tld2.db
+--- bin/tests/system/rrl/ns2/tld2.db-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns2/tld2.db 2004-01-01 00:00:00.000000000 +0000
+@@ -0,0 +1,47 @@
++; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
@@ -715,29 +712,34 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns2/tld2.db.orig bind-9.9.2-P1/bin/t
+ NS .
+ns A 10.53.0.2
+
-+a1 A 192.168.2.1
++; basic rate limiting
++a1 A 192.0.2.1
+
-+*.a2 A 192.168.2.2
++; wildcards
++*.a2 A 192.0.2.2
+
+; a3 is in tld3
+
+; a4 does not exist to give NXDOMAIN
+
+; a5 for TCP requests
-+a5 A 192.168.2.5
++a5 A 192.0.2.5
+
+; a6 for whitelisted clients
-+a6 A 192.168.2.6
++a6 A 192.0.2.6
+
+; a7 for SERVFAIL
+
-+; a8 for all-per-second limit
-+$GENERATE 101-180 all$.a8 A 192.168.2.8
-diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns3/hints.orig bind-9.9.2-P1/bin/tests/system/rrl/ns3/hints
---- bind-9.9.2-P1/bin/tests/system/rrl/ns3/hints.orig 2013-03-06 16:55:14.253039587 +0100
-+++ bind-9.9.2-P1/bin/tests/system/rrl/ns3/hints 2013-03-06 16:55:14.253039587 +0100
++; a8 for NODATA
++a8 A 192.0.2.8
++
++; a9 for all-per-second limit
++$GENERATE 101-180 all$.a9 A 192.0.2.8
+diff -r -u bin/tests/system/rrl/ns3/hints-orig bin/tests/system/rrl/ns3/hints
+--- bin/tests/system/rrl/ns3/hints-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns3/hints 2004-01-01 00:00:00.000000000 +0000
@@ -0,0 +1,18 @@
-+; Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
++; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
@@ -755,12 +757,12 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns3/hints.orig bind-9.9.2-P1/bin/tes
+
+. 0 NS ns1.
+ns1. 0 A 10.53.0.1
-diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns3/named.conf.orig bind-9.9.2-P1/bin/tests/system/rrl/ns3/named.conf
---- bind-9.9.2-P1/bin/tests/system/rrl/ns3/named.conf.orig 2013-03-06 16:55:14.254039586 +0100
-+++ bind-9.9.2-P1/bin/tests/system/rrl/ns3/named.conf 2013-03-06 16:55:14.254039586 +0100
-@@ -0,0 +1,34 @@
+diff -r -u bin/tests/system/rrl/ns3/named.conf-orig bin/tests/system/rrl/ns3/named.conf
+--- bin/tests/system/rrl/ns3/named.conf-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns3/named.conf 2004-01-01 00:00:00.000000000 +0000
+@@ -0,0 +1,50 @@
+/*
-+ * Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
@@ -788,16 +790,32 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns3/named.conf.orig bind-9.9.2-P1/bi
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ notify no;
++
++ // check that all of the options are parsed without limiting anything
++ rate-limit {
++ responses-per-second 200;
++ referrals-per-second 220;
++ nodata-per-second 230;
++ nxdomains-per-second 240;
++ errors-per-second 250;
++ all-per-second 700;
++ ipv4-prefix-length 24;
++ ipv6-prefix-length 64;
++ qps-scale 10;
++ window 1;
++ max-table-size 1000;
++ };
++
+};
+
+zone "." { type hint; file "hints"; };
+
+zone "tld3."{ type master; file "tld3.db"; };
-diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns3/tld3.db.orig bind-9.9.2-P1/bin/tests/system/rrl/ns3/tld3.db
---- bind-9.9.2-P1/bin/tests/system/rrl/ns3/tld3.db.orig 2013-03-06 16:55:14.254039586 +0100
-+++ bind-9.9.2-P1/bin/tests/system/rrl/ns3/tld3.db 2013-03-06 16:55:14.254039586 +0100
+diff -r -u bin/tests/system/rrl/ns3/tld3.db-orig bin/tests/system/rrl/ns3/tld3.db
+--- bin/tests/system/rrl/ns3/tld3.db-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/ns3/tld3.db 2004-01-01 00:00:00.000000000 +0000
@@ -0,0 +1,25 @@
-+; Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
++; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
@@ -821,14 +839,14 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/ns3/tld3.db.orig bind-9.9.2-P1/bin/t
+ NS .
+ns A 10.53.0.3
+
-+*.a3 A 192.168.3.3
-diff -up bind-9.9.2-P1/bin/tests/system/rrl/setup.sh.orig bind-9.9.2-P1/bin/tests/system/rrl/setup.sh
---- bind-9.9.2-P1/bin/tests/system/rrl/setup.sh.orig 2013-03-06 16:55:14.255039585 +0100
-+++ bind-9.9.2-P1/bin/tests/system/rrl/setup.sh 2013-03-06 16:55:14.255039585 +0100
++*.a3 A 192.0.3.3
+diff -r -u bin/tests/system/rrl/setup.sh-orig bin/tests/system/rrl/setup.sh
+--- bin/tests/system/rrl/setup.sh-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/setup.sh 2004-01-01 00:00:00.000000000 +0000
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
-+# Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
++# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
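Review bot: The new record `*.a3 A 192.0.3.3` is outside 192.0.2.0/24, the RFC 5737 documentation range that the other fixtures in this patch were moved to, so the test data now names ordinary address space. An address from a documentation block such as `198.51.100.3` would keep the fixture clearly synthetic. The two `ck_result` lines in tests.sh that expect `192.0.3.3` would need the same value.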
@@ -847,11 +865,11 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/setup.sh.orig bind-9.9.2-P1/bin/test
+. $SYSTEMTESTTOP/conf.sh
+. ./clean.sh
+
-diff -up bind-9.9.2-P1/bin/tests/system/rrl/tests.sh.orig bind-9.9.2-P1/bin/tests/system/rrl/tests.sh
---- bind-9.9.2-P1/bin/tests/system/rrl/tests.sh.orig 2013-03-06 16:55:14.255039585 +0100
-+++ bind-9.9.2-P1/bin/tests/system/rrl/tests.sh 2013-03-06 16:55:14.255039585 +0100
-@@ -0,0 +1,224 @@
-+# Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
+diff -r -u bin/tests/system/rrl/tests.sh-orig bin/tests/system/rrl/tests.sh
+--- bin/tests/system/rrl/tests.sh-orig 2004-01-01 00:00:00.000000000 +0000
++++ bin/tests/system/rrl/tests.sh 2004-01-01 00:00:00.000000000 +0000
+@@ -0,0 +1,258 @@
++# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
@@ -872,7 +890,6 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/tests.sh.orig bind-9.9.2-P1/bin/test
+. $SYSTEMTESTTOP/conf.sh
+
+#set -x
-+#set -o noclobber
+
+ns1=10.53.0.1 # root, defining the others
+ns2=10.53.0.2 # test server
@@ -917,15 +934,20 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/tests.sh.orig bind-9.9.2-P1/bin/test
+}
+
+
++# turn off ${HOME}/.digrc
++HOME=/dev/null; export HOME
++
+# $1=result name $2=domain name $3=dig options
+digcmd () {
+ OFILE=$1; shift
+ DIG_DOM=$1; shift
-+ ARGS="+noadd +noauth +nosearch +time=1 +tries=1 +ignore $* -p 5300 $DIG_DOM @$ns2"
++ ARGS="+nosearch +time=1 +tries=1 +ignore -p 5300 $* $DIG_DOM @$ns2"
+ #echo I:dig $ARGS 1>&2
+ START=`date +%y%m%d%H%M.%S`
+ RESULT=`$DIG $ARGS 2>&1 | tee $OFILE=TEMP \
-+ | sed -n -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \
++ | sed -n -e '/^;; AUTHORITY/,/^$/d' \
++ -e '/^;; ADDITIONAL/,/^$/d' \
++ -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \
+ -e 's/;; flags.* tc .*/TC/p' \
+ -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \
+ -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \
@@ -938,22 +960,16 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/tests.sh.orig bind-9.9.2-P1/bin/test
+
+
+# $1=number of tests $2=target domain $3=dig options
-+CNT=1
++QNUM=1
+burst () {
+ BURST_LIMIT=$1; shift
+ BURST_DOM_BASE="$1"; shift
+ while test "$BURST_LIMIT" -ge 1; do
-+ if test $CNT -lt 10; then
-+ CNT="00$CNT"
-+ else
-+ if test $CNT -lt 100; then
-+ CNT="0$CNT"
-+ fi
-+ fi
++ CNT=`expr "00$QNUM" : '.*\(...\)'`
+ eval BURST_DOM="$BURST_DOM_BASE"
+ FILE="dig.out-$BURST_DOM-$CNT"
+ digcmd $FILE $BURST_DOM $* &
-+ CNT=`expr $CNT + 1`
++ QNUM=`expr $QNUM + 1`
+ BURST_LIMIT=`expr "$BURST_LIMIT" - 1`
+ done
+}
@@ -964,29 +980,32 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/tests.sh.orig bind-9.9.2-P1/bin/test
+ck_result() {
+ BAD=
+ wait
-+ ADDRS=`ls dig.out-$1-*=$2 2>/dev/null | wc -l | tr -d ' '`
-+ TC=`ls dig.out-$1-*=TC 2>/dev/null | wc -l | tr -d ' '`
-+ DROP=`ls dig.out-$1-*=drop 2>/dev/null | wc -l | tr -d ' '`
-+ NXDOMAIN=`ls dig.out-$1-*=NXDOMAIN 2>/dev/null | wc -l | tr -d ' '`
-+ SERVFAIL=`ls dig.out-$1-*=SERVFAIL 2>/dev/null | wc -l | tr -d ' '`
++ ADDRS=`ls dig.out-$1-*=$2 2>/dev/null | wc -l`
++ # count simple truncated and truncated NXDOMAIN as TC
++ TC=`ls dig.out-$1-*=TC dig.out-$1-*=NXDOMAINTC 2>/dev/null | wc -l`
++ DROP=`ls dig.out-$1-*=drop 2>/dev/null | wc -l`
++ # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN
++ NXDOMAIN=`ls dig.out-$1-*=NXDOMAIN dig.out-$1-*=NXDOMAINTC 2>/dev/null \
++ | wc -l`
++ SERVFAIL=`ls dig.out-$1-*=SERVFAIL 2>/dev/null | wc -l`
+ if test $ADDRS -ne "$3"; then
-+ setret "I:$ADDRS instead of $3 $2 responses for $1"
++ setret "I:"$ADDRS" instead of $3 '$2' responses for $1"
+ BAD=yes
+ fi
+ if test $TC -ne "$4"; then
-+ setret "I:$TC instead of $4 truncation responses for $1"
++ setret "I:"$TC" instead of $4 truncation responses for $1"
+ BAD=yes
+ fi
+ if test $DROP -ne "$5"; then
-+ setret "I:$DROP instead of $5 dropped responses for $1"
++ setret "I:"$DROP" instead of $5 dropped responses for $1"
+ BAD=yes
+ fi
+ if test $NXDOMAIN -ne "$6"; then
-+ setret "I:$NXDOMAIN instead of $6 NXDOMAIN responses for $1"
++ setret "I:"$NXDOMAIN" instead of $6 NXDOMAIN responses for $1"
+ BAD=yes
+ fi
+ if test $SERVFAIL -ne "$7"; then
-+ setret "I:$SERVFAIL instead of $7 error responses for $1"
++ setret "I:"$SERVFAIL" instead of $7 error responses for $1"
+ BAD=yes
+ fi
+ if test -z "$BAD"; then
@@ -995,90 +1014,123 @@ diff -up bind-9.9.2-P1/bin/tests/system/rrl/tests.sh.orig bind-9.9.2-P1/bin/test
+}
+
+
++ckstats () {
++ LABEL="$1"; shift
++ TYPE="$1"; shift
++ EXPECTED="$1"; shift
++ C=`sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" \
++ ns2/named.stats | tail -1`
++ C=`expr 0$C + 0`
++ if test "$C" -ne $EXPECTED; then
++ setret "I:wrong $LABEL $TYPE statistics of $C instead of $EXPECTED"
++ fi
++}
++
++
+#########
+sec_start
+
++# Tests of referrals to "." must be done before the hints are loaded
++# or with "additional-from-cache no"
++burst 5 a1.tld3 +norec
+# basic rate limiting
+burst 3 a1.tld2
+# 1 second delay allows an additional response.
+sleep 1
-+burst 21 a1.tld2
-+# request 30 different qnames to try a wild card
++burst 10 a1.tld2
++# Request 30 different qnames to try a wildcard.
+burst 30 'x$CNT.a2.tld2'
++# These should be counted and limited but are not. See RT33138.
++burst 10 'y.x$CNT.a2.tld2'
+
+# IP TC drop NXDOMAIN SERVFAIL
-+# check for 24 results
-+# including the 1 second delay
-+ck_result a1.tld2 192.168.2.1 3 7 14 0 0
++# referrals to "."
++ck_result a1.tld3 '' 2 1 2 0 0
++# check 13 results including 1 second delay that allows an additional response
++ck_result a1.tld2 192.0.2.1 3 4 6 0 0
+
+# Check the wild card answers.
+# The parent name of the 30 requests is counted.
-+ck_result 'x*.a2.tld2' 192.168.2.2 2 10 18 0 0
++ck_result 'x*.a2.tld2' 192.0.2.2 2 10 18 0 0
+
++# These should be limited but are not. See RT33138.
++ck_result 'y.x*.a2.tld2' 192.0.2.2 10 0 0 0 0
+
+#########
+sec_start
+
-+burst 1 'y$CNT.a3.tld3'; wait; burst 20 'y$CNT.a3.tld3'
-+burst 20 'z$CNT.a4.tld2'
++burst 10 'x.a3.tld3'
++burst 10 'y$CNT.a3.tld3'
++burst 10 'z$CNT.a4.tld2'
+
-+# Recursion.
-+# The first answer is counted separately because it is counted against
-+# the rate limit on recursing to the server for a3.tld3. The remaining 20
-+# are counted as local responses from the cache.
-+ck_result 'y*.a3.tld3' 192.168.3.3 3 6 12 0 0
++# 10 identical recursive responses are limited
++ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0
+
-+# NXDOMAIN responses are also limited based on the parent name.
-+ck_result 'z*.a4.tld2' x 0 6 12 2 0
++# 10 different recursive responses are not limited
++ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0
++
++# 10 different NXDOMAIN responses are limited based on the parent name.
++# We count 13 responses because we count truncated NXDOMAIN responses
++# as both truncated and NXDOMAIN.
++ck_result 'z*.a4.tld2' x 0 3 5 5 0
++
++$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats
++ckstats first dropped 36
++ckstats first truncated 21
+
+
+#########
+sec_start
+
-+burst 20 a5.tld2 +tcp
-+burst 20 a6.tld2 -b $ns7
-+burst 20 a7.tld4
++burst 10 a5.tld2 +tcp
++burst 10 a6.tld2 -b $ns7
++burst 10 a7.tld4
++burst 2 a8.tld2 AAAA
++burst 2 a8.tld2 TXT
++burst 2 a8.tld2 SPF
+
++# IP TC drop NXDOMAIN SERVFAIL
+# TCP responses are not rate limited
-+ck_result a5.tld2 192.168.2.5 20 0 0 0 0
++ck_result a5.tld2 192.0.2.5 10 0 0 0 0
+
+# whitelisted client is not rate limited
-+ck_result a6.tld2 192.168.2.6 20 0 0 0 0
++ck_result a6.tld2 192.0.2.6 10 0 0 0 0
+
-+# Errors such as SERVFAIL are rate limited. The numbers are confusing, because
-+# other rate limiting can be triggered before the SERVFAIL limit is reached.
-+ck_result a7.tld4 192.168.2.1 0 6 12 0 2
++# Errors such as SERVFAIL are rate limited.
++ck_result a7.tld4 x 0 0 8 0 2
++
++# NODATA responses are counted as the same regardless of qtype.
++ck_result a8.tld2 '' 2 2 2 0 0
++
++$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats
++ckstats second dropped 46
++ckstats second truncated 23
+
+
+#########
+sec_start
+
++# IP TC drop NXDOMAIN SERVFAIL
+# all-per-second
+# The qnames are all unique but the client IP address is constant.
-+CNT=101
-+burst 80 'all$CNT.a8.tld2'
-+ck_result 'a*.a8.tld2' 192.168.2.8 70 0 10 0 0
++QNUM=101
++burst 60 'all$CNT.a9.tld2'
+
++ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0
+
+$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats
-+ckstats () {
-+ CNT=`sed -n -e "s/[ ]*\([0-9]*\).responses $1 for rate limits.*/\1/p" \
-+ ns2/named.stats`
-+ CNT=`expr 0$CNT + 0`
-+ if test "$CNT" -ne $2; then
-+ setret "I:wrong $1 statistics of $CNT instead of $2"
-+ fi
-+}
-+ckstats dropped 77
-+ckstats truncated 35
++ckstats final dropped 56
++ckstats final truncated 23
+
+
+echo "I:exit status: $ret"
-+exit $ret
-diff -up bind-9.9.2-P1/doc/arm/Bv9ARM-book.xml.orig bind-9.9.2-P1/doc/arm/Bv9ARM-book.xml
---- bind-9.9.2-P1/doc/arm/Bv9ARM-book.xml.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/doc/arm/Bv9ARM-book.xml 2013-03-06 16:55:14.268039583 +0100
-@@ -4803,6 +4803,34 @@ category notify { null; };
++# exit $ret
++[ $ret -ne 0 ] && echo "I:test failure overridden"
++exit 0
+diff -r -u doc/arm/Bv9ARM-book.xml-orig doc/arm/Bv9ARM-book.xml
+--- doc/arm/Bv9ARM-book.xml-orig 2004-01-01 00:00:00.000000000 +0000
++++ doc/arm/Bv9ARM-book.xml 2004-01-01 00:00:00.000000000 +0000
+@@ -4818,6 +4818,32 @@
</para>
</entry>
</row>
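Review bot: tests.sh now ends with `exit 0` after printing "I:test failure overridden", so every mismatch recorded by `ck_result` and `ckstats` is reported but the rrl system test can never fail. For a rate-limiting feature this means a regression in the drop or slip counts would pass unnoticed. If the override is needed because the counts are timing-sensitive, I would say so in a comment and keep the real status reachable, e.g. `[ -n "$RRL_TEST_STRICT" ] && exit $ret` before the `exit 0` (the variable name is only a suggestion). Otherwise restore `exit $ret`.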
@@ -1104,29 +1156,38 @@ diff -up bind-9.9.2-P1/doc/arm/Bv9ARM-book.xml.orig bind-9.9.2-P1/doc/arm/Bv9ARM
+ </para>
+ <para>
+ Rate limiting of individual requests
-+ is logged in the <command>queries</command> category
-+ and can be controlled with the
-+ <command>querylog</command> option.
++ is logged in the <command>query-errors</command> category.
+ </para>
+ </entry>
+ </row>
</tbody>
</tgroup>
</informaltable>
-@@ -5334,6 +5362,21 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+@@ -5318,7 +5344,7 @@
+ <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> filter-aaaa-on-v4 ( <replaceable>yes_or_no</replaceable> | <replaceable>break-dnssec</replaceable> ); </optional>
+ <optional> filter-aaaa { <replaceable>address_match_list</replaceable> }; </optional>
+- <optional> dns64 <replaceable>IPv6-prefix</replaceable> {
++ <optional> dns64 <replaceable>ipv6-prefix</replaceable> {
+ <optional> clients { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> mapped { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> exclude { <replaceable>address_match_list</replaceable> }; </optional>
+@@ -5351,6 +5377,23 @@
<optional> resolver-query-timeout <replaceable>number</replaceable> ; </optional>
<optional> deny-answer-addresses { <replaceable>address_match_list</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
<optional> deny-answer-aliases { <replaceable>namelist</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
+ <optional> rate-limit {
+ <optional> responses-per-second <replaceable>number</replaceable> ; </optional>
-+ <optional> errors-per-second <replaceable>number</replaceable> ; </optional>
++ <optional> referrals-per-second <replaceable>number</replaceable> ; </optional>
++ <optional> nodata-per-second <replaceable>number</replaceable> ; </optional>
+ <optional> nxdomains-per-second <replaceable>number</replaceable> ; </optional>
++ <optional> errors-per-second <replaceable>number</replaceable> ; </optional>
+ <optional> all-per-second <replaceable>number</replaceable> ; </optional>
+ <optional> window <replaceable>number</replaceable> ; </optional>
+ <optional> log-only <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> qps-scale <replaceable>number</replaceable> ; </optional>
-+ <optional> IPv4-prefix-length <replaceable>number</replaceable> ; </optional>
-+ <optional> IPv6-prefix-length <replaceable>number</replaceable> ; </optional>
++ <optional> ipv4-prefix-length <replaceable>number</replaceable> ; </optional>
++ <optional> ipv6-prefix-length <replaceable>number</replaceable> ; </optional>
+ <optional> slip <replaceable>number</replaceable> ; </optional>
+ <optional> exempt-clients { <replaceable>address_match_list</replaceable> } ; </optional>
+ <optional> max-table-size <replaceable>number</replaceable> ; </optional>
@@ -1135,100 +1196,107 @@ diff -up bind-9.9.2-P1/doc/arm/Bv9ARM-book.xml.orig bind-9.9.2-P1/doc/arm/Bv9ARM
<optional> response-policy { <replaceable>zone_name</replaceable>
<optional> policy given | disabled | passthru | nxdomain | nodata | cname <replaceable>domain</replaceable> </optional>
<optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional> ;
-@@ -9737,6 +9780,215 @@ ns.domain.com.rpz-nsdname CNAME .
- 48.zz.2.2001.rpz-nsip CNAME .
- </programlisting>
+@@ -9897,6 +9940,223 @@
+ <command>RPZRewrites</command> statistics.
+ </para>
</sect3>
+
+ <sect3>
-+ <title>Rate Limiting</title>
++ <title>Response Rate Limiting</title>
+ <para>
-+ Excessive essentially identical UDP <emphasis>responses</emphasis>
-+ can be discarded by configuring a
++ Excessive almost-identical UDP <emphasis>responses</emphasis>
++ can be controlled by configuring a
+ <command>rate-limit</command> clause in an
-+ <command>options</command> statement.
-+ This mechanism keeps BIND 9 from being used
-+ in amplifying reflection denial of service attacks
-+ as well as partially protecting BIND 9 itself from
-+ some denial of service attacks.
-+ Very short truncated responses can be sent to provide
-+ rate-limited responses to legitimate
-+ clients within a range of attacked and forged IP addresses,
-+ Legitimate clients react to truncated response by retrying
-+ with TCP.
++ <command>options</command> or <command>view</command> statement.
++ This mechanism keeps authoritative BIND 9 from being used
++ in amplifying reflection denial of service (DoS) attacks.
++ Short truncated (TC=1) responses can be sent to provide
++ rate-limited responses to legitimate clients within
++ a range of forged, attacked IP addresses.
++ Legitimate clients react to dropped or truncated response
++ by retrying with UDP or with TCP respectively.
+ </para>
+
+ <para>
-+ Rate limiting works by setting
-+ <command>responses-per-second</command>
-+ to a number of repetitions per second for responses for a given name
-+ and record type to a DNS client.
++ This mechanism is intended for authoritative DNS servers.
++ It can be used on recursive servers but can slow
++ applications such as SMTP servers (mail receivers) and
++ HTTP clients (web browsers) that repeatedly request the
++ same domains.
++ When possible, closing "open" recursive servers is better.
+ </para>
+
+ <para>
-+ <command>Responses-per-second</command> is a limit on
-+ identical responses instead of a limit on all responses or
-+ even all responses to a single client.
-+ 10 identical responses per second is a generous limit except perhaps
-+ when many clients are using a single IP address via network
-+ address translation (NAT).
-+ The default limit of zero specifies an unbounded limit to turn off
-+ rate-limiting in a view or to only rate-limit NXDOMAIN or other
-+ errors.
++ Response rate limiting uses a "credit" or "token bucket" scheme.
++ Each combination of identical response and client
++ has a conceptual account that earns a specified number
++ of credits every second.
++ A prospective response debits its account by one.
++ Responses are dropped or truncated
++ while the account is negative.
++ Responses are tracked within a rolling window of time
++ which defaults to 15 seconds, but can be configured with
++ the <command>window</command> option to any value from
++ 1 to 3600 seconds (1 hour).
++ The account cannot become more positive than
++ the per-second limit
++ or more negative than <command>window</command>
++ times the per-second limit.
++ When the specified number of credits for a class of
++ responses is set to 0, those responses are not rate limited.
+ </para>
+
+ <para>
-+ The notion of "identical responses"
-+ and "single DNS client" cannot be simplistic.
-+ All responses to a CIDR block with prefix
-+ length specified with <command>IPv4-prefix-length</command>
-+ (default 24) or <command>IPv6-prefix-length</command>
-+ (default 56) are assumed to come from a single DNS client.
-+ Requests for a name that result in DNS NXDOMAIN
-+ errors are considered identical.
-+ This controls some attacks using random names, but
-+ accommodates servers that expect many legitimate NXDOMAIN responses
-+ such as anti-spam blacklists.
-+ By default the limit on NXDOMAIN errors is the same as the
-+ <command>responses-per-second</command> value,
-+ but it can be set separately with
-+ <command>nxdomains-per-second</command>.
-+ All requests for all names or types that result in DNS errors
-+ such as SERVFAIL and FORMERR (but not NXDOMAIN) are considered
-+ identical.
-+ This controls attacks using invalid requests or distant,
-+ broken authoritative servers.
-+ By default the limit on errors is the same as the
-+ <command>responses-per-second</command> value,
-+ but it can be set separately with
-+ <command>errors-per-second</command>.
++ The notions of "identical response" and "DNS client"
++ for rate limiting are not simplistic.
++ All responses to an address block are counted as if to a
++ single client.
++ The prefix lengths of addresses blocks are
++ specified with <command>ipv4-prefix-length</command> (default 24)
++ and <command>ipv6-prefix-length</command> (default 56).
+ </para>
+
+ <para>
-+ Rate limiting uses a "credit" or "token bucket" scheme.
-+ Each identical response has a conceptual account
-+ that is given <command>responses-per-second</command>,
-+ <command>errors-per-second</command>, and
-+ <command>nxdomains-per-second</command> credits every second.
-+ A DNS request triggering some desired response debits
-+ the account by one.
-+ Responses are not sent while the account is negative.
-+ The account cannot become more positive than
-+ the per-second limit
-+ or more negative than <command>window</command>
-+ times the per-second limit.
-+ A DNS client that sends requests that are not
-+ answered can be penalized for up to <command>window</command>
-+ seconds (default 15).
++ All non-empty responses for a valid domain name (qname)
++ and record type (qtype) are identical and have a limit specified
++ with <command>responses-per-second</command>
++ (default 0 or no limit).
++ All empty (NODATA) responses for a valid domain,
++ regardless of query type, are identical.
++ Responses in the NODATA class are limited by
++ <command>nodata-per-second</command>
++ (default <command>responses-per-second</command>).
++ Requests for any and all undefined subdomains of a given
++ valid domain result in NXDOMAIN errors, and are identical
++ regardless of query type.
++ They are limited by <command>nxdomain-per-second</command>
++ (default <command>responses-per-second</command>).
++ This controls some attacks using random names, but
++ can be relaxed or turned off (set to 0)
++ on servers that expect many legitimate
++ NXDOMAIN responses, such as from anti-spam blacklists.
++ Referrals or delegations to the server of a given
++ domain are identical and are limited by
++ <command>referrals-per-second</command>
++ (default <command>responses-per-second</command>).
+ </para>
+
+ <para>
+ Responses generated from local wildcards are counted and limited
+ as if they were for the parent domain name.
-+ This prevents flooding by requesting random.wild.example.com.
-+ For similar reasons, NXDOMAIN responses are counted and rate
-+ limited by the valid domain name nearest to the
-+ query name with an SOA record.
++ This controls flooding using random.wild.example.com.
++ </para>
++
++ <para>
++ All requests that result in DNS errors other
++ than NXDOMAIN, such as SERVFAIL and FORMERR, are identical
++ regardless of requested name (qname) or record type (qtype).
++ This controls attacks using invalid requests or distant,
++ broken authoritative servers.
++ By default the limit on errors is the same as the
++ <command>responses-per-second</command> value,
++ but it can be set separately with
++ <command>errors-per-second</command>.
+ </para>
+
+ <para>
@@ -1240,14 +1308,15 @@ diff -up bind-9.9.2-P1/doc/arm/Bv9ARM-book.xml.orig bind-9.9.2-P1/doc/arm/Bv9ARM
+ There is a mechanism that can answer some legitimate
+ requests from a client whose address is being forged in a flood.
+ Setting <command>slip</command> to 2 (its default) causes every
-+ other UDP request to be answered with a small response
-+ claiming that the response would have been truncated.
-+ The small size and relative infrequency of the response make
-+ it unattractive for abuse.
-+ <command>Slip</command> must be between 0 and 10.
-+ A value of 0 does not "slip"
-+ or sends no rate limiting truncated responses.
-+ Some error responses includinge REFUSED and SERVFAIL
++ other UDP request to be answered with a small truncated (TC=1)
++ response.
++ The small size and reduced frequency, and so lack of
++ amplification, of "slipped" responses make them unattractive
++ for reflection DoS attacks.
++ <command>slip</command> must be between 0 and 10.
++ A value of 0 does not "slip";
++ no truncated responses are sent due to rate limiting.
++ Some error responses including REFUSED and SERVFAIL
+ cannot be replaced with truncated responses and are instead
+ leaked at the <command>slip</command> rate.
+ </para>
@@ -1277,8 +1346,8 @@ diff -up bind-9.9.2-P1/doc/arm/Bv9ARM-book.xml.orig bind-9.9.2-P1/doc/arm/Bv9ARM
+ <command>rate-limit</command> statements in <command>view</command>
+ statements instead of the global <command>option</command>
+ statement.
-+ A <command>rate-limit</command> statement in a view replaces
-+ instead of being merged with a <command>rate-limit</command>
++ A <command>rate-limit</command> statement in a view replaces,
++ rather than supplementing, a <command>rate-limit</command>
+ statement among the main options.
+ DNS clients within a view can be exempted from rate limits
+ with the <command>exempt-clients</command> clause.
@@ -1351,7 +1420,7 @@ diff -up bind-9.9.2-P1/doc/arm/Bv9ARM-book.xml.orig bind-9.9.2-P1/doc/arm/Bv9ARM
</sect2>
<sect2 id="server_statement_grammar">
-@@ -14385,6 +14637,32 @@ HOST-127.EXAMPLE. MX 0 .
+@@ -14649,6 +14909,32 @@
</para>
</entry>
</row>
@@ -1384,10 +1453,33 @@ diff -up bind-9.9.2-P1/doc/arm/Bv9ARM-book.xml.orig bind-9.9.2-P1/doc/arm/Bv9ARM
</tbody>
</tgroup>
</informaltable>
-diff -up bind-9.9.2-P1/lib/dns/include/dns/log.h.orig bind-9.9.2-P1/lib/dns/include/dns/log.h
---- bind-9.9.2-P1/lib/dns/include/dns/log.h.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/lib/dns/include/dns/log.h 2013-03-06 16:55:14.268039583 +0100
-@@ -43,6 +43,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodul
+diff -r -u lib/dns/Makefile.in-orig lib/dns/Makefile.in
+--- lib/dns/Makefile.in-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/Makefile.in 2004-01-01 00:00:00.000000000 +0000
+@@ -67,8 +67,8 @@
+ portlist. at O@ private. at O@ \
+ rbt. at O@ rbtdb. at O@ rbtdb64. at O@ rcode. at O@ rdata. at O@ \
+ rdatalist. at O@ rdataset. at O@ rdatasetiter. at O@ rdataslab. at O@ \
+- request. at O@ resolver. at O@ result. at O@ rootns. at O@ rpz. at O@ \
+- rriterator. at O@ sdb. at O@ \
++ request. at O@ resolver. at O@ result. at O@ rootns. at O@ \
++ rpz. at O@ rrl. at O@ rriterator. at O@ sdb. at O@ \
+ sdlz. at O@ soa. at O@ ssu. at O@ ssu_external. at O@ \
+ stats. at O@ tcpmsg. at O@ time. at O@ timer. at O@ tkey. at O@ \
+ tsec. at O@ tsig. at O@ ttl. at O@ update. at O@ validator. at O@ \
+@@ -95,7 +95,7 @@
+ name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \
+ rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \
+ rdataset.c rdatasetiter.c rdataslab.c request.c \
+- resolver.c result.c rootns.c rpz.c rriterator.c \
++ resolver.c result.c rootns.c rpz.c rrl.c rriterator.c \
+ sdb.c sdlz.c soa.c ssu.c ssu_external.c \
+ stats.c tcpmsg.c time.c timer.c tkey.c \
+ tsec.c tsig.c ttl.c update.c validator.c \
+diff -r -u lib/dns/include/dns/log.h-orig lib/dns/include/dns/log.h
+--- lib/dns/include/dns/log.h-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/include/dns/log.h 2004-01-01 00:00:00.000000000 +0000
+@@ -43,6 +43,7 @@
#define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10])
#define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[11])
#define DNS_LOGCATEGORY_RPZ (&dns_categories[12])
@@ -1395,24 +1487,12 @@ diff -up bind-9.9.2-P1/lib/dns/include/dns/log.h.orig bind-9.9.2-P1/lib/dns/incl
/* Backwards compatibility. */
#define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
-diff -up bind-9.9.2-P1/lib/dns/include/dns/Makefile.in.orig bind-9.9.2-P1/lib/dns/include/dns/Makefile.in
---- bind-9.9.2-P1/lib/dns/include/dns/Makefile.in.orig 2013-03-06 16:58:02.942000413 +0100
-+++ bind-9.9.2-P1/lib/dns/include/dns/Makefile.in 2013-03-06 16:59:41.698976093 +0100
-@@ -21,7 +21,7 @@ top_srcdir = @top_srcdir@
-
- @BIND9_VERSION@
-
--HEADERS = acl.h adb.h byaddr.h cache.h callbacks.h cert.h compress.h \
-+HEADERS = rrl.h acl.h adb.h byaddr.h cache.h callbacks.h cert.h compress.h \
- clientinfo.h db.h dbiterator.h dbtable.h diff.h dispatch.h dynamic_db.h \
- dlz.h dnssec.h ds.h events.h fixedname.h iptable.h journal.h \
- keyflags.h keytable.h keyvalues.h lib.h log.h \
-diff -up bind-9.9.2-P1/lib/dns/include/dns/rrl.h.orig bind-9.9.2-P1/lib/dns/include/dns/rrl.h
---- bind-9.9.2-P1/lib/dns/include/dns/rrl.h.orig 2013-03-06 16:55:14.269039583 +0100
-+++ bind-9.9.2-P1/lib/dns/include/dns/rrl.h 2013-03-06 16:55:14.269039583 +0100
-@@ -0,0 +1,273 @@
+diff -r -u lib/dns/include/dns/rrl.h-orig lib/dns/include/dns/rrl.h
+--- lib/dns/include/dns/rrl.h-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/include/dns/rrl.h 2004-01-01 00:00:00.000000000 +0000
+@@ -0,0 +1,278 @@
+/*
-+ * Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
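Review bot: Dropping the lib/dns/include/dns/Makefile.in change (`HEADERS = rrl.h acl.h adb.h ...`) takes the new dns/rrl.h out of the installed header list, although this patch still creates rrl.h and still patches dns/view.h. If view.h includes `<dns/rrl.h>` (its include block is touched further down, but the added line is not visible here), a development package built from this tree would ship a view.h that consumers cannot compile. Either keep that hunk rebased onto 9.9.3, or confirm that another patch in this commit installs the header.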
@@ -1484,7 +1564,8 @@ diff -up bind-9.9.2-P1/lib/dns/include/dns/rrl.h.orig bind-9.9.2-P1/lib/dns/incl
+typedef enum {
+ DNS_RRL_RTYPE_FREE = 0,
+ DNS_RRL_RTYPE_QUERY,
-+ DNS_RRL_RTYPE_DELEGATION,
++ DNS_RRL_RTYPE_REFERRAL,
++ DNS_RRL_RTYPE_NODATA,
+ DNS_RRL_RTYPE_NXDOMAIN,
+ DNS_RRL_RTYPE_ERROR,
+ DNS_RRL_RTYPE_ALL,
@@ -1508,7 +1589,7 @@ diff -up bind-9.9.2-P1/lib/dns/include/dns/rrl.h.orig bind-9.9.2-P1/lib/dns/incl
+ isc_uint32_t qname_hash;
+ dns_rdatatype_t qtype;
+ isc_uint8_t qclass;
-+ dns_rrl_rtype_t rtype :3;
++ dns_rrl_rtype_t rtype :4; /* 3 bits + sign bit */
+ isc_boolean_t ipv6 :1;
+ } s;
+ isc_uint16_t w[1];
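Review bot: The width of `rtype` now depends on how many enumerators `dns_rrl_rtype_t` has, and the comment `/* 3 bits + sign bit */` does not say why a sign bit is needed. Whether an enum bit-field is signed is implementation-defined, so the extra bit is there so that the largest rtype does not read back as a negative value. I would spell that out, for example `/* enum bit-fields may be signed: 3 value bits + 1 so the largest rtype still compares equal */`. The key is also read through `w[]` by the hash function, so a width change alters the hashed layout. The union continues outside this hunk.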
@@ -1603,6 +1684,13 @@ diff -up bind-9.9.2-P1/lib/dns/include/dns/rrl.h.orig bind-9.9.2-P1/lib/dns/incl
+ dns_fixedname_t qname;
+};
+
++typedef struct dns_rrl_rate dns_rrl_rate_t;
++struct dns_rrl_rate {
++ int r;
++ int scaled;
++ const char *str;
++};
++
+/*
+ * Per-view query rate limit parameters and a pointer to database.
+ */
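Review bot: The three fields of the new `struct dns_rrl_rate` carry no comments, and the names `r`, `scaled` and `str` do not explain themselves. From the uses later in the patch, `r` is the configured limit (`rate = ratep->r`), `scaled` is the value after qps scaling that `response_balance()` reads, and `str` is the option name printed by the "qps scaled %s" debug message. I would add `/* configured per-second limit */`, `/* limit after qps-scale is applied */` and `/* option name for log messages; must not be NULL */`. The last one matters because the log call passes `ratep->str` straight to `%s`, and where it is assigned is not visible here.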
@@ -1612,12 +1700,14 @@ diff -up bind-9.9.2-P1/lib/dns/include/dns/rrl.h.orig bind-9.9.2-P1/lib/dns/incl
+ isc_mem_t *mctx;
+
+ isc_boolean_t log_only;
-+ int responses_per_second;
-+ int errors_per_second;
-+ int nxdomains_per_second;
-+ int all_per_second;
++ dns_rrl_rate_t responses_per_second;
++ dns_rrl_rate_t referrals_per_second;
++ dns_rrl_rate_t nodata_per_second;
++ dns_rrl_rate_t nxdomains_per_second;
++ dns_rrl_rate_t errors_per_second;
++ dns_rrl_rate_t all_per_second;
++ dns_rrl_rate_t slip;
+ int window;
-+ int slip;
+ double qps_scale;
+ int max_entries;
+
@@ -1628,11 +1718,6 @@ diff -up bind-9.9.2-P1/lib/dns/include/dns/rrl.h.orig bind-9.9.2-P1/lib/dns/incl
+ int qps_responses;
+ isc_stdtime_t qps_time;
+ double qps;
-+ int scaled_responses_per_second;
-+ int scaled_errors_per_second;
-+ int scaled_nxdomains_per_second;
-+ int scaled_all_per_second;
-+ int scaled_slip;
+
+ unsigned int probes;
+ unsigned int searches;
@@ -1684,9 +1769,9 @@ diff -up bind-9.9.2-P1/lib/dns/include/dns/rrl.h.orig bind-9.9.2-P1/lib/dns/incl
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RRL_H */
-diff -up bind-9.9.2-P1/lib/dns/include/dns/view.h.orig bind-9.9.2-P1/lib/dns/include/dns/view.h
---- bind-9.9.2-P1/lib/dns/include/dns/view.h.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/lib/dns/include/dns/view.h 2013-03-06 16:55:14.269039583 +0100
+diff -r -u lib/dns/include/dns/view.h-orig lib/dns/include/dns/view.h
+--- lib/dns/include/dns/view.h-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/include/dns/view.h 2004-01-01 00:00:00.000000000 +0000
@@ -73,6 +73,7 @@
#include <dns/acl.h>
@@ -1695,7 +1780,7 @@ diff -up bind-9.9.2-P1/lib/dns/include/dns/view.h.orig bind-9.9.2-P1/lib/dns/inc
#include <dns/rdatastruct.h>
#include <dns/rpz.h>
#include <dns/types.h>
-@@ -142,6 +143,7 @@ struct dns_view {
+@@ -142,6 +143,7 @@
dns_rbt_t * answeracl_exclude;
dns_rbt_t * denyanswernames;
dns_rbt_t * answernames_exclude;
@@ -1703,10 +1788,10 @@ diff -up bind-9.9.2-P1/lib/dns/include/dns/view.h.orig bind-9.9.2-P1/lib/dns/inc
isc_boolean_t provideixfr;
isc_boolean_t requestnsid;
dns_ttl_t maxcachettl;
-diff -up bind-9.9.2-P1/lib/dns/log.c.orig bind-9.9.2-P1/lib/dns/log.c
---- bind-9.9.2-P1/lib/dns/log.c.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/lib/dns/log.c 2013-03-06 16:55:14.269039583 +0100
-@@ -45,6 +45,7 @@ LIBDNS_EXTERNAL_DATA isc_logcategory_t d
+diff -r -u lib/dns/log.c-orig lib/dns/log.c
+--- lib/dns/log.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/log.c 2004-01-01 00:00:00.000000000 +0000
+@@ -45,6 +45,7 @@
{ "delegation-only", 0 },
{ "edns-disabled", 0 },
{ "rpz", 0 },
@@ -1714,35 +1799,12 @@ diff -up bind-9.9.2-P1/lib/dns/log.c.orig bind-9.9.2-P1/lib/dns/log.c
{ NULL, 0 }
};
-diff -up bind-9.9.2-P1/lib/dns/Makefile.in.orig bind-9.9.2-P1/lib/dns/Makefile.in
---- bind-9.9.2-P1/lib/dns/Makefile.in.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/lib/dns/Makefile.in 2013-03-06 16:55:14.268039583 +0100
-@@ -66,8 +66,8 @@ DNSOBJS = acache. at O@ acl. at O@ adb. at O@ bya
- portlist. at O@ private. at O@ \
- rbt. at O@ rbtdb. at O@ rbtdb64. at O@ rcode. at O@ rdata. at O@ \
- rdatalist. at O@ rdataset. at O@ rdatasetiter. at O@ rdataslab. at O@ \
-- request. at O@ resolver. at O@ result. at O@ rootns. at O@ rpz. at O@ \
-- rriterator. at O@ sdb. at O@ \
-+ request. at O@ resolver. at O@ result. at O@ rootns. at O@ \
-+ rpz. at O@ rrl. at O@ rriterator. at O@ sdb. at O@ \
- sdlz. at O@ soa. at O@ ssu. at O@ ssu_external. at O@ \
- stats. at O@ tcpmsg. at O@ time. at O@ timer. at O@ tkey. at O@ \
- tsec. at O@ tsig. at O@ ttl. at O@ update. at O@ validator. at O@ \
-@@ -93,7 +93,7 @@ DNSSRCS = acache.c acl.c adb.c byaddr.c
- name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \
- rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \
- rdataset.c rdatasetiter.c rdataslab.c request.c \
-- resolver.c result.c rootns.c rpz.c rriterator.c \
-+ resolver.c result.c rootns.c rpz.c rrl.c rriterator.c \
- sdb.c sdlz.c soa.c ssu.c ssu_external.c \
- stats.c tcpmsg.c time.c timer.c tkey.c \
- tsec.c tsig.c ttl.c update.c validator.c \
-diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
---- bind-9.9.2-P1/lib/dns/rrl.c.orig 2013-03-06 16:55:14.270039582 +0100
-+++ bind-9.9.2-P1/lib/dns/rrl.c 2013-03-06 16:55:14.270039582 +0100
-@@ -0,0 +1,1321 @@
+diff -r -u lib/dns/rrl.c-orig lib/dns/rrl.c
+--- lib/dns/rrl.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/rrl.c 2004-01-01 00:00:00.000000000 +0000
+@@ -0,0 +1,1324 @@
+/*
-+ * Copyright (C) 2012-2013 Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
@@ -1757,7 +1819,6 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
-+
+/*! \file */
+
+/*
@@ -1770,6 +1831,7 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
++#include <isc/print.h>
+
+#include <dns/result.h>
+#include <dns/rcode.h>
@@ -1779,12 +1841,10 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+#include <dns/rrl.h>
+#include <dns/view.h>
+
-+
+static void
+log_end(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_boolean_t early,
+ char *log_buf, unsigned int log_buf_len);
+
-+
+/*
+ * Get a modulus for a hash function that is tolerably likely to be
+ * relatively prime to most inputs. Of course, we get a prime for for initial
@@ -1840,7 +1900,7 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ result += 2;
+ pp = primes;
+ }
-+ } while (pp < &primes[sizeof(primes)/sizeof(primes[0])]);
++ } while (pp < &primes[sizeof(primes) / sizeof(primes[0])]);
+
+ if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3))
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
@@ -1910,12 +1970,13 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ * are older than (DNS_RRL_TS_BASES)*DNS_RRL_MAX_TS seconds.
+ */
+ if (ts >= DNS_RRL_MAX_TS) {
-+ ts_gen = (ts_gen+1) % DNS_RRL_TS_BASES;
++ ts_gen = (ts_gen + 1) % DNS_RRL_TS_BASES;
+ for (e_old = ISC_LIST_TAIL(rrl->lru), i = 0;
-+ e_old != NULL && e_old->ts_gen == ts_gen;
-+ e_old = ISC_LIST_PREV(e_old, lru), ++i) {
-+ if (e_old->ts_valid)
-+ e_old->ts_valid = ISC_FALSE;
++ e_old != NULL && (e_old->ts_gen == ts_gen ||
++ !ISC_LINK_LINKED(e_old, hlink));
++ e_old = ISC_LIST_PREV(e_old, lru), ++i)
++ {
++ e_old->ts_valid = ISC_FALSE;
+ }
+ if (i != 0)
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
@@ -1923,9 +1984,12 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ "rrl new time base scanned %d entries"
+ " at %d for %d %d %d %d",
+ i, now, rrl->ts_bases[ts_gen],
-+ rrl->ts_bases[(ts_gen+1)%DNS_RRL_TS_BASES],
-+ rrl->ts_bases[(ts_gen+2)%DNS_RRL_TS_BASES],
-+ rrl->ts_bases[(ts_gen+3)%DNS_RRL_TS_BASES]);
++ rrl->ts_bases[(ts_gen + 1) %
++ DNS_RRL_TS_BASES],
++ rrl->ts_bases[(ts_gen + 2) %
++ DNS_RRL_TS_BASES],
++ rrl->ts_bases[(ts_gen + 3) %
++ DNS_RRL_TS_BASES]);
+ rrl->ts_gen = ts_gen;
+ rrl->ts_bases[ts_gen] = now;
+ ts = 0;
@@ -2006,7 +2070,8 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ old_hash = rrl->old_hash;
+ for (old_bin = &old_hash->bins[0];
+ old_bin < &old_hash->bins[old_hash->length];
-+ ++old_bin) {
++ ++old_bin)
++ {
+ for (e = ISC_LIST_HEAD(*old_bin); e != NULL; e = e_next) {
+ e_next = ISC_LIST_NEXT(e, hlink);
+ ISC_LINK_INIT(e, hlink);
@@ -2015,7 +2080,7 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+
+ isc_mem_put(rrl->mctx, old_hash,
+ sizeof(*old_hash)
-+ + (old_hash->length-1)*sizeof(old_hash->bins[0]));
++ + (old_hash->length - 1) * sizeof(old_hash->bins[0]));
+ rrl->old_hash = NULL;
+}
+
@@ -2115,7 +2180,7 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ int i;
+
+ hval = key->w[0];
-+ for (i = sizeof(*key)/sizeof(key->w[0]) - 1; i >= 0; --i) {
++ for (i = sizeof(*key) / sizeof(key->w[0]) - 1; i >= 0; --i) {
+ hval = key->w[i] + (hval<<1);
+ }
+ return (hval);
@@ -2143,10 +2208,16 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ memset(key, 0, sizeof(*key));
+
+ key->s.rtype = rtype;
-+ if (rtype == DNS_RRL_RTYPE_QUERY ||
-+ rtype == DNS_RRL_RTYPE_DELEGATION) {
-+ key->s.qclass = qclass;
++ if (rtype == DNS_RRL_RTYPE_QUERY) {
+ key->s.qtype = qtype;
++ key->s.qclass = qclass & 0xff;
++ } else if (rtype == DNS_RRL_RTYPE_REFERRAL ||
++ rtype == DNS_RRL_RTYPE_NODATA) {
++ /*
++ * Because there is no qtype in the empty answer sections of
++ * referral and NODATA responses, count them as the same.
++ */
++ key->s.qclass = qclass & 0xff;
+ }
+
+ if (qname != NULL && qname->labels != 0) {
@@ -2154,7 +2225,8 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ * Ignore the first label of wildcards.
+ */
+ if ((qname->attributes & DNS_NAMEATTR_WILDCARD) != 0 &&
-+ (labels = dns_name_countlabels(qname)) > 1) {
++ (labels = dns_name_countlabels(qname)) > 1)
++ {
+ dns_name_init(&base, base_offsets);
+ dns_name_getlabelsequence(qname, 1, labels-1, &base);
+ key->s.qname_hash = dns_name_hashbylabel(&base,
@@ -2180,33 +2252,40 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ }
+}
+
-+static inline int
-+response_balance(const dns_rrl_t *rrl, const dns_rrl_entry_t *e, int age) {
++static inline dns_rrl_rate_t *
++get_rate(dns_rrl_t *rrl, dns_rrl_rtype_t rtype) {
++ switch (rtype) {
++ case DNS_RRL_RTYPE_QUERY:
++ return (&rrl->responses_per_second);
++ case DNS_RRL_RTYPE_REFERRAL:
++ return (&rrl->referrals_per_second);
++ case DNS_RRL_RTYPE_NODATA:
++ return (&rrl->nodata_per_second);
++ case DNS_RRL_RTYPE_NXDOMAIN:
++ return (&rrl->nxdomains_per_second);
++ case DNS_RRL_RTYPE_ERROR:
++ return (&rrl->errors_per_second);
++ case DNS_RRL_RTYPE_ALL:
++ return (&rrl->all_per_second);
++ default:
++ INSIST(0);
++ }
++ return (NULL);
++}
++
++static int
++response_balance(dns_rrl_t *rrl, const dns_rrl_entry_t *e, int age) {
++ dns_rrl_rate_t *ratep;
+ int balance, rate;
+
-+ balance = e->responses;
-+ if (balance < 0)
-+ switch (e->key.s.rtype) {
-+ case DNS_RRL_RTYPE_QUERY:
-+ case DNS_RRL_RTYPE_DELEGATION:
-+ rate = rrl->scaled_responses_per_second;
-+ break;
-+ case DNS_RRL_RTYPE_NXDOMAIN:
-+ rate = rrl->scaled_nxdomains_per_second;
-+ break;
-+ case DNS_RRL_RTYPE_ERROR:
-+ rate = rrl->scaled_errors_per_second;
-+ break;
-+ case DNS_RRL_RTYPE_ALL:
-+ rate = rrl->scaled_all_per_second;
-+ break;
-+ case DNS_RRL_RTYPE_TCP:
-+ rate = 1;
-+ break;
-+ default:
-+ INSIST(0);
++ if (e->key.s.rtype == DNS_RRL_RTYPE_TCP) {
++ rate = 1;
++ } else {
++ ratep = get_rate(rrl, e->key.s.rtype);
++ rate = ratep->scaled;
+ }
-+ balance += age * rate;
++
++ balance = e->responses + age * rate;
+ if (balance > rate)
+ balance = rate;
+ return (balance);
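Review bot: `get_rate()` has no comment stating which rtypes it accepts, yet it ends in `INSIST(0)` followed by `return (NULL)` and both callers dereference the result unchecked: `ratep->scaled` in `response_balance()` here and `ratep->r` in the debit path in a later hunk. `response_balance()` filters out `DNS_RRL_RTYPE_TCP` first, but the debit path does not (its old switch had the same gap), so a TCP or FREE entry reaching it would trip the assertion and stop the server. Whether that can happen depends on callers outside this hunk. A header comment such as `/* Must not be called for DNS_RRL_RTYPE_FREE or DNS_RRL_RTYPE_TCP entries. */` would make the contract explicit for the next rtype that is added.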
@@ -2260,7 +2339,7 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ ref_entry(rrl, e, probes, now);
+ return (e);
+ }
-+ e = ISC_LIST_NEXT(e, hlink);
++ e = ISC_LIST_NEXT(e, hlink);
+ }
+
+ /*
@@ -2280,7 +2359,10 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ * Try to make more entries if none are idle.
+ * Steal the oldest entry if we cannot create more.
+ */
-+ for (e = ISC_LIST_TAIL(rrl->lru); e != NULL; e = ISC_LIST_PREV(e, lru)) {
++ for (e = ISC_LIST_TAIL(rrl->lru);
++ e != NULL;
++ e = ISC_LIST_PREV(e, lru))
++ {
+ if (!ISC_LINK_LINKED(e, hlink))
+ break;
+ age = get_age(rrl, e, now);
@@ -2288,7 +2370,7 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ e = NULL;
+ break;
+ }
-+ if (!e->logged && response_balance(rrl, e, age) >= 0)
++ if (!e->logged && response_balance(rrl, e, age) > 0)
+ break;
+ }
+ if (e == NULL) {
@@ -2335,35 +2417,16 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ const isc_sockaddr_t *client_addr, isc_stdtime_t now,
+ char *log_buf, unsigned int log_buf_len)
+{
-+ int rate, new_rate, *ratep, slip, new_slip, age, log_secs, min;
-+ const char *rate_str;
++ int rate, new_rate, slip, new_slip, age, log_secs, min;
++ dns_rrl_rate_t *ratep;
+ dns_rrl_entry_t const *credit_e;
+
+ /*
+ * Pick the rate counter.
+ * Optionally adjust the rate by the estimated query/second rate.
+ */
-+ switch (e->key.s.rtype) {
-+ case DNS_RRL_RTYPE_QUERY:
-+ case DNS_RRL_RTYPE_DELEGATION:
-+ rate = rrl->responses_per_second;
-+ ratep = &rrl->scaled_responses_per_second;
-+ break;
-+ case DNS_RRL_RTYPE_NXDOMAIN:
-+ rate = rrl->nxdomains_per_second;
-+ ratep = &rrl->scaled_nxdomains_per_second;
-+ break;
-+ case DNS_RRL_RTYPE_ERROR:
-+ rate = rrl->errors_per_second;
-+ ratep = &rrl->scaled_errors_per_second;
-+ break;
-+ case DNS_RRL_RTYPE_ALL:
-+ rate = rrl->all_per_second;
-+ ratep = &rrl->scaled_all_per_second;
-+ break;
-+ default:
-+ INSIST(0);
-+ }
++ ratep = get_rate(rrl, e->key.s.rtype);
++ rate = ratep->r;
+ if (rate == 0)
+ return (DNS_RRL_RESULT_OK);
+
@@ -2382,36 +2445,19 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ }
+ }
+ if (scale < 1.0) {
-+ new_rate = rate * scale;
++ new_rate = (int) (rate * scale);
+ if (new_rate < 1)
+ new_rate = 1;
-+ if (*ratep != new_rate) {
-+ if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG1)) {
-+ switch (e->key.s.rtype) {
-+ case DNS_RRL_RTYPE_QUERY:
-+ case DNS_RRL_RTYPE_DELEGATION:
-+ rate_str = "responses-per-second";
-+ break;
-+ case DNS_RRL_RTYPE_NXDOMAIN:
-+ rate_str = "nxdomains-per-second";
-+ break;
-+ case DNS_RRL_RTYPE_ERROR:
-+ rate_str = "errors-per-second";
-+ break;
-+ case DNS_RRL_RTYPE_ALL:
-+ rate_str = "all-per-second";
-+ break;
-+ }
-+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
-+ DNS_LOGMODULE_REQUEST,
-+ DNS_RRL_LOG_DEBUG1,
-+ "%d qps scaled %s by %.2f"
-+ " from %d to %d",
-+ (int)qps, rate_str, scale,
-+ rate, new_rate);
-+ }
++ if (ratep->scaled != new_rate) {
++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
++ DNS_LOGMODULE_REQUEST,
++ DNS_RRL_LOG_DEBUG1,
++ "%d qps scaled %s by %.2f"
++ " from %d to %d",
++ (int)qps, ratep->str, scale,
++ rate, new_rate);
+ rate = new_rate;
-+ *ratep = rate;
++ ratep->scaled = rate;
+ }
+ }
+
@@ -2470,30 +2516,31 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ /*
+ * Drop this response unless it should slip or leak.
+ */
-+ slip = rrl->slip;
++ slip = rrl->slip.r;
+ if (slip > 2 && scale < 1.0) {
-+ new_slip *= scale;
++ new_slip = (int) (slip * scale);
+ if (new_slip < 2)
+ new_slip = 2;
-+ if (rrl->scaled_slip != new_slip) {
-+ if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG1))
-+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
-+ DNS_LOGMODULE_REQUEST,
-+ DNS_RRL_LOG_DEBUG1,
-+ "%d qps scaled slip"
-+ " by %.2f from %d to %d",
-+ (int)qps, scale,
-+ slip, new_slip);
++ if (rrl->slip.scaled != new_slip) {
++ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
++ DNS_LOGMODULE_REQUEST,
++ DNS_RRL_LOG_DEBUG1,
++ "%d qps scaled slip"
++ " by %.2f from %d to %d",
++ (int)qps, scale,
++ slip, new_slip);
+ slip = new_slip;
-+ rrl->scaled_slip = slip;
++ rrl->slip.scaled = slip;
+ }
+ }
+ if (slip != 0 && e->key.s.rtype != DNS_RRL_RTYPE_ALL) {
+ if (e->slip_cnt++ == 0) {
++ if ((int) e->slip_cnt >= slip)
++ e->slip_cnt = 0;
+ if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3))
+ debit_log(e, age, "slip");
+ return (DNS_RRL_RESULT_SLIP);
-+ } else if (e->slip_cnt >= slip) {
++ } else if ((int) e->slip_cnt >= slip) {
+ e->slip_cnt = 0;
+ }
+ }
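Review bot: The added inner test `if ((int) e->slip_cnt >= slip)` has no comment, and its purpose is not obvious next to the `else if` that performs the same reset. It looks like the slip == 1 case, where the counter has to be cleared in the same call so that every response slips rather than every second one. A comment above it such as `/* slip == 1: reset now so the next response slips too */` would record that. The enclosing function continues outside the hunk.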
@@ -2508,7 +2555,7 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ dns_rrl_qname_buf_t *qbuf;
+
+ qbuf = rrl->qnames[e->log_qname];
-+ if (qbuf == NULL || qbuf->e != e)
++ if (qbuf == NULL || qbuf->e != e)
+ return (NULL);
+ return (qbuf);
+}
@@ -2525,8 +2572,7 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+}
+
+static void
-+add_log_str(isc_buffer_t *lb, const char *str, unsigned int str_len)
-+{
++add_log_str(isc_buffer_t *lb, const char *str, unsigned int str_len) {
+ isc_region_t region;
+
+ isc_buffer_availableregion(lb, ®ion);
@@ -2586,33 +2632,36 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+
+ switch (e->key.s.rtype) {
+ case DNS_RRL_RTYPE_QUERY:
-+ ADD_LOG_CSTR(&lb, "response");
+ break;
-+ case DNS_RRL_RTYPE_DELEGATION:
-+ ADD_LOG_CSTR(&lb, "referral");
++ case DNS_RRL_RTYPE_REFERRAL:
++ ADD_LOG_CSTR(&lb, "referral ");
++ break;
++ case DNS_RRL_RTYPE_NODATA:
++ ADD_LOG_CSTR(&lb, "NODATA ");
+ break;
+ case DNS_RRL_RTYPE_NXDOMAIN:
-+ ADD_LOG_CSTR(&lb, "NXDOMAIN response");
++ ADD_LOG_CSTR(&lb, "NXDOMAIN ");
+ break;
+ case DNS_RRL_RTYPE_ERROR:
+ if (resp_result == ISC_R_SUCCESS) {
-+ ADD_LOG_CSTR(&lb, "error response");
++ ADD_LOG_CSTR(&lb, "error ");
+ } else {
+ rstr = isc_result_totext(resp_result);
-+ ADD_LOG_CSTR(&lb, " response");
++ add_log_str(&lb, rstr, strlen(rstr));
++ ADD_LOG_CSTR(&lb, " error ");
+ }
+ break;
+ case DNS_RRL_RTYPE_ALL:
-+ ADD_LOG_CSTR(&lb, "all response");
++ ADD_LOG_CSTR(&lb, "all ");
+ break;
+ default:
+ INSIST(0);
+ }
+
+ if (plural)
-+ ADD_LOG_CSTR(&lb, "s to ");
++ ADD_LOG_CSTR(&lb, "responses to ");
+ else
-+ ADD_LOG_CSTR(&lb, " to ");
++ ADD_LOG_CSTR(&lb, "response to ");
+
+ memset(&cidr, 0, sizeof(cidr));
+ if (e->key.s.ipv6) {
@@ -2631,7 +2680,8 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ add_log_str(&lb, strbuf, strlen(strbuf));
+
+ if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY ||
-+ e->key.s.rtype == DNS_RRL_RTYPE_DELEGATION ||
++ e->key.s.rtype == DNS_RRL_RTYPE_REFERRAL ||
++ e->key.s.rtype == DNS_RRL_RTYPE_NODATA ||
+ e->key.s.rtype == DNS_RRL_RTYPE_NXDOMAIN) {
+ qbuf = get_qname(rrl, e);
+ if (save_qname && qbuf == NULL &&
@@ -2646,6 +2696,7 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ qbuf = isc_mem_get(rrl->mctx, sizeof(*qbuf));
+ if (qbuf != NULL) {
+ memset(qbuf, 0, sizeof(*qbuf));
++ ISC_LINK_INIT(qbuf, link);
+ qbuf->index = rrl->num_qnames;
+ rrl->qnames[rrl->num_qnames++] = qbuf;
+ } else {
@@ -2671,15 +2722,17 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ qname = dns_fixedname_name(&qbuf->qname);
+ if (qname != NULL) {
+ ADD_LOG_CSTR(&lb, " for ");
-+ dns_name_totext(qname, ISC_TRUE, &lb);
++ (void)dns_name_totext(qname, ISC_TRUE, &lb);
+ } else {
+ ADD_LOG_CSTR(&lb, " for (?)");
+ }
+ if (e->key.s.rtype != DNS_RRL_RTYPE_NXDOMAIN) {
+ ADD_LOG_CSTR(&lb, " ");
-+ dns_rdataclass_totext(e->key.s.qclass, &lb);
-+ ADD_LOG_CSTR(&lb, " ");
-+ dns_rdatatype_totext(e->key.s.qtype, &lb);
++ (void)dns_rdataclass_totext(e->key.s.qclass, &lb);
++ if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY) {
++ ADD_LOG_CSTR(&lb, " ");
++ (void)dns_rdatatype_totext(e->key.s.qtype, &lb);
++ }
+ }
+ snprintf(strbuf, sizeof(strbuf), " (%08x)",
+ e->key.s.qname_hash);
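Review bot: The three `(void)` casts discard the results of `dns_name_totext`, `dns_rdataclass_totext` and `dns_rdatatype_totext` without saying why. If `lb` is too small, the log line is presumably just cut short, which is acceptable for a log message, but the reader has to guess that. A comment before the first call, e.g. `/* best effort: a full log buffer only truncates the message */`, would record the intent. What a failed call leaves in `lb` is not visible here, so confirm that before settling the wording. The enclosing function starts and ends outside the hunk.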
@@ -2848,14 +2901,23 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ * Find the right kind of entry, creating it if necessary.
+ * If that is impossible, then nothing more can be done
+ */
-+ if (resp_result == ISC_R_SUCCESS)
++ switch (resp_result) {
++ case ISC_R_SUCCESS:
+ rtype = DNS_RRL_RTYPE_QUERY;
-+ else if (resp_result == DNS_R_DELEGATION)
-+ rtype = DNS_RRL_RTYPE_DELEGATION;
-+ else if (resp_result == DNS_R_NXDOMAIN)
++ break;
++ case DNS_R_DELEGATION:
++ rtype = DNS_RRL_RTYPE_REFERRAL;
++ break;
++ case DNS_R_NXRRSET:
++ rtype = DNS_RRL_RTYPE_NODATA;
++ break;
++ case DNS_R_NXDOMAIN:
+ rtype = DNS_RRL_RTYPE_NXDOMAIN;
-+ else
++ break;
++ default:
+ rtype = DNS_RRL_RTYPE_ERROR;
++ break;
++ }
+ e = get_entry(rrl, client_addr, qclass, qtype, qname, rtype,
+ now, ISC_TRUE, log_buf, log_buf_len);
+ if (e == NULL) {
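Review bot: Nothing at this switch says what rate applies to the new `DNS_RRL_RTYPE_REFERRAL` and `DNS_RRL_RTYPE_NODATA` categories when a configuration sets only `responses-per-second`. The removed lines earlier in the patch show referrals used to share `responses_per_second`, and the rate lookup returns `DNS_RRL_RESULT_OK` when the selected rate is 0, so these two categories would go unlimited after the update unless `referrals-per-second` and `nodata-per-second` inherit a value. The code that loads those clauses is outside this chunk. Confirm the fallback and state it here, for example `/* REFERRAL and NODATA rates default to responses-per-second when unset */`. The enclosing function starts and ends outside the hunk.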
@@ -2879,7 +2941,7 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ rrl_result = debit_rrl_entry(rrl, e, qps, scale, client_addr, now,
+ log_buf, log_buf_len);
+
-+ if (rrl->all_per_second != 0) {
++ if (rrl->all_per_second.r != 0) {
+ /*
+ * We must debit the all-per-second token bucket if we have
+ * an all-per-second limit for the IP address.
@@ -2945,6 +3007,7 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ rrl->last_logged = e;
+ }
+ e->log_secs = 0;
++
+ /*
+ * Avoid holding the lock.
+ */
@@ -2961,19 +3024,21 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ * Make a log message for the caller.
+ */
+ if (wouldlog)
-+ make_log_buf(rrl, e, rrl->log_only ? "would " : NULL,
++ make_log_buf(rrl, e,
++ rrl->log_only ? "would rate limit " : "rate limit ",
+ NULL, ISC_FALSE, qname, ISC_FALSE,
+ rrl_result, resp_result, log_buf, log_buf_len);
+
+ if (e != NULL) {
+ /*
-+ * Do not save the qname unless we might needed it for
++ * Do not save the qname unless we might need it for
+ * the ending log message.
+ */
+ if (!e->logged)
+ free_qname(rrl, e);
+ UNLOCK(&rrl->lock);
+ }
++
+ return (rrl_result);
+}
+
@@ -3017,14 +3082,14 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ h = rrl->hash;
+ if (h != NULL)
+ isc_mem_put(rrl->mctx, h,
-+ sizeof(*h)+(h->length-1)*sizeof(h->bins[0]));
++ sizeof(*h) + (h->length - 1) * sizeof(h->bins[0]));
+
+ h = rrl->old_hash;
+ if (h != NULL)
+ isc_mem_put(rrl->mctx, h,
-+ sizeof(*h)+(h->length-1)*sizeof(h->bins[0]));
++ sizeof(*h) + (h->length - 1) * sizeof(h->bins[0]));
+
-+ isc_mem_put(rrl->mctx, rrl, sizeof(*rrl));
++ isc_mem_putanddetach(&rrl->mctx, rrl, sizeof(*rrl));
+}
+
+isc_result_t
@@ -3038,10 +3103,10 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ if (rrl == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(rrl, 0, sizeof(*rrl));
-+ rrl->mctx = view->mctx;
++ isc_mem_attach(view->mctx, &rrl->mctx);
+ result = isc_mutex_init(&rrl->lock);
+ if (result != ISC_R_SUCCESS) {
-+ isc_mem_put(view->mctx, rrl, sizeof(*rrl));
++ isc_mem_putanddetach(&rrl->mctx, rrl, sizeof(*rrl));
+ return (result);
+ }
+ isc_stdtime_get(&rrl->ts_bases[0]);
@@ -3062,10 +3127,10 @@ diff -up bind-9.9.2-P1/lib/dns/rrl.c.orig bind-9.9.2-P1/lib/dns/rrl.c
+ *rrlp = rrl;
+ return (ISC_R_SUCCESS);
+}
-diff -up bind-9.9.2-P1/lib/dns/view.c.orig bind-9.9.2-P1/lib/dns/view.c
---- bind-9.9.2-P1/lib/dns/view.c.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/lib/dns/view.c 2013-03-06 16:55:14.270039582 +0100
-@@ -48,6 +48,7 @@
+diff -r -u lib/dns/view.c-orig lib/dns/view.c
+--- lib/dns/view.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/view.c 2004-01-01 00:00:00.000000000 +0000
+@@ -49,6 +49,7 @@
#include <dns/masterdump.h>
#include <dns/order.h>
#include <dns/peer.h>
@@ -3073,7 +3138,7 @@ diff -up bind-9.9.2-P1/lib/dns/view.c.orig bind-9.9.2-P1/lib/dns/view.c
#include <dns/rbt.h>
#include <dns/rdataset.h>
#include <dns/request.h>
-@@ -181,6 +182,7 @@ dns_view_create(isc_mem_t *mctx, dns_rda
+@@ -184,6 +185,7 @@
view->answeracl_exclude = NULL;
view->denyanswernames = NULL;
view->answernames_exclude = NULL;
@@ -3081,7 +3146,7 @@ diff -up bind-9.9.2-P1/lib/dns/view.c.orig bind-9.9.2-P1/lib/dns/view.c
view->provideixfr = ISC_TRUE;
view->maxcachettl = 7 * 24 * 3600;
view->maxncachettl = 3 * 3600;
-@@ -331,9 +333,11 @@ destroy(dns_view_t *view) {
+@@ -335,9 +337,11 @@
dns_acache_detach(&view->acache);
}
dns_rpz_view_destroy(view);
@@ -3093,10 +3158,10 @@ diff -up bind-9.9.2-P1/lib/dns/view.c.orig bind-9.9.2-P1/lib/dns/view.c
#endif
if (view->requestmgr != NULL)
dns_requestmgr_detach(&view->requestmgr);
-diff -up bind-9.9.2-P1/lib/dns/win32/libdns.def.orig bind-9.9.2-P1/lib/dns/win32/libdns.def
---- bind-9.9.2-P1/lib/dns/win32/libdns.def.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/lib/dns/win32/libdns.def 2013-03-06 16:55:14.271039582 +0100
-@@ -654,6 +654,9 @@ dns_rriterator_init
+diff -r -u lib/dns/win32/libdns.def-orig lib/dns/win32/libdns.def
+--- lib/dns/win32/libdns.def-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/win32/libdns.def 2004-01-01 00:00:00.000000000 +0000
+@@ -657,6 +657,9 @@
dns_rriterator_next
dns_rriterator_nextrrset
dns_rriterator_pause
@@ -3106,10 +3171,10 @@ diff -up bind-9.9.2-P1/lib/dns/win32/libdns.def.orig bind-9.9.2-P1/lib/dns/win32
dns_sdb_putnamedrr
dns_sdb_putrdata
dns_sdb_putrr
-diff -up bind-9.9.2-P1/lib/dns/win32/libdns.dsp.orig bind-9.9.2-P1/lib/dns/win32/libdns.dsp
---- bind-9.9.2-P1/lib/dns/win32/libdns.dsp.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/lib/dns/win32/libdns.dsp 2013-03-06 16:55:14.271039582 +0100
-@@ -346,6 +346,10 @@ SOURCE=..\include\dns\rpz.h
+diff -r -u lib/dns/win32/libdns.dsp-orig lib/dns/win32/libdns.dsp
+--- lib/dns/win32/libdns.dsp-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/win32/libdns.dsp 2004-01-01 00:00:00.000000000 +0000
+@@ -346,6 +346,10 @@
# End Source File
# Begin Source File
@@ -3120,7 +3185,7 @@ diff -up bind-9.9.2-P1/lib/dns/win32/libdns.dsp.orig bind-9.9.2-P1/lib/dns/win32
SOURCE=..\include\dns\rriterator.h
# End Source File
# Begin Source File
-@@ -650,6 +654,10 @@ SOURCE=..\rpz.c
+@@ -650,6 +654,10 @@
# End Source File
# Begin Source File
@@ -3131,10 +3196,10 @@ diff -up bind-9.9.2-P1/lib/dns/win32/libdns.dsp.orig bind-9.9.2-P1/lib/dns/win32
SOURCE=..\rriterator.c
# End Source File
# Begin Source File
-diff -up bind-9.9.2-P1/lib/dns/win32/libdns.mak.orig bind-9.9.2-P1/lib/dns/win32/libdns.mak
---- bind-9.9.2-P1/lib/dns/win32/libdns.mak.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/lib/dns/win32/libdns.mak 2013-03-06 16:55:14.271039582 +0100
-@@ -184,6 +184,7 @@ CLEAN :
+diff -r -u lib/dns/win32/libdns.mak-orig lib/dns/win32/libdns.mak
+--- lib/dns/win32/libdns.mak-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/dns/win32/libdns.mak 2004-01-01 00:00:00.000000000 +0000
+@@ -184,6 +184,7 @@
- at erase "$(INTDIR)\result.obj"
- at erase "$(INTDIR)\rootns.obj"
- at erase "$(INTDIR)\rpz.obj"
@@ -3142,7 +3207,7 @@ diff -up bind-9.9.2-P1/lib/dns/win32/libdns.mak.orig bind-9.9.2-P1/lib/dns/win32
- at erase "$(INTDIR)\sdb.obj"
- at erase "$(INTDIR)\sdlz.obj"
- at erase "$(INTDIR)\soa.obj"
-@@ -309,6 +310,7 @@ LINK32_OBJS= \
+@@ -309,6 +310,7 @@
"$(INTDIR)\result.obj" \
"$(INTDIR)\rootns.obj" \
"$(INTDIR)\rpz.obj" \
@@ -3150,7 +3215,7 @@ diff -up bind-9.9.2-P1/lib/dns/win32/libdns.mak.orig bind-9.9.2-P1/lib/dns/win32
"$(INTDIR)\rriterator.obj" \
"$(INTDIR)\sdb.obj" \
"$(INTDIR)\sdlz.obj" \
-@@ -505,6 +507,8 @@ CLEAN :
+@@ -505,6 +507,8 @@
- at erase "$(INTDIR)\rootns.sbr"
- at erase "$(INTDIR)\rpz.obj"
- at erase "$(INTDIR)\rpz.sbr"
@@ -3159,7 +3224,7 @@ diff -up bind-9.9.2-P1/lib/dns/win32/libdns.mak.orig bind-9.9.2-P1/lib/dns/win32
- at erase "$(INTDIR)\rriterator.obj"
- at erase "$(INTDIR)\rriterator.sbr"
- at erase "$(INTDIR)\sdb.obj"
-@@ -651,6 +655,7 @@ BSC32_SBRS= \
+@@ -651,6 +655,7 @@
"$(INTDIR)\result.sbr" \
"$(INTDIR)\rootns.sbr" \
"$(INTDIR)\rpz.sbr" \
@@ -3167,7 +3232,7 @@ diff -up bind-9.9.2-P1/lib/dns/win32/libdns.mak.orig bind-9.9.2-P1/lib/dns/win32
"$(INTDIR)\rriterator.sbr" \
"$(INTDIR)\sdb.sbr" \
"$(INTDIR)\sdlz.sbr" \
-@@ -748,6 +753,7 @@ LINK32_OBJS= \
+@@ -748,6 +753,7 @@
"$(INTDIR)\result.obj" \
"$(INTDIR)\rootns.obj" \
"$(INTDIR)\rpz.obj" \
@@ -3175,12 +3240,10 @@ diff -up bind-9.9.2-P1/lib/dns/win32/libdns.mak.orig bind-9.9.2-P1/lib/dns/win32
"$(INTDIR)\rriterator.obj" \
"$(INTDIR)\sdb.obj" \
"$(INTDIR)\sdlz.obj" \
-@@ -1724,6 +1730,24 @@ SOURCE=..\rpz.c
- $(CPP) $(CPP_PROJ) $(SOURCE)
+@@ -1726,6 +1732,24 @@
+ !ENDIF
-+!ENDIF
-+
+SOURCE=..\rrl.c
+
+!IF "$(CFG)" == "libdns - Win32 Release"
@@ -3197,13 +3260,15 @@ diff -up bind-9.9.2-P1/lib/dns/win32/libdns.mak.orig bind-9.9.2-P1/lib/dns/win32
+ $(CPP) $(CPP_PROJ) $(SOURCE)
+
+
- !ENDIF
-
++!ENDIF
++
SOURCE=..\rriterator.c
-diff -up bind-9.9.2-P1/lib/isccfg/namedconf.c.orig bind-9.9.2-P1/lib/isccfg/namedconf.c
---- bind-9.9.2-P1/lib/isccfg/namedconf.c.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/lib/isccfg/namedconf.c 2013-03-06 16:55:14.272039581 +0100
-@@ -1244,6 +1244,39 @@ static cfg_type_t cfg_type_rpz = {
+
+ !IF "$(CFG)" == "libdns - Win32 Release"
+diff -r -u lib/isccfg/namedconf.c-orig lib/isccfg/namedconf.c
+--- lib/isccfg/namedconf.c-orig 2004-01-01 00:00:00.000000000 +0000
++++ lib/isccfg/namedconf.c 2004-01-01 00:00:00.000000000 +0000
+@@ -1270,6 +1270,40 @@
};
@@ -3212,16 +3277,17 @@ diff -up bind-9.9.2-P1/lib/isccfg/namedconf.c.orig bind-9.9.2-P1/lib/isccfg/name
+ */
+static cfg_clausedef_t rrl_clauses[] = {
+ { "responses-per-second", &cfg_type_uint32, 0 },
-+ { "errors-per-second", &cfg_type_uint32, 0 },
++ { "referrals-per-second", &cfg_type_uint32, 0 },
++ { "nodata-per-second", &cfg_type_uint32, 0 },
+ { "nxdomains-per-second", &cfg_type_uint32, 0 },
-+ { "responses-per-second", &cfg_type_uint32, 0 },
++ { "errors-per-second", &cfg_type_uint32, 0 },
+ { "all-per-second", &cfg_type_uint32, 0 },
+ { "slip", &cfg_type_uint32, 0 },
+ { "window", &cfg_type_uint32, 0 },
+ { "log-only", &cfg_type_boolean, 0 },
+ { "qps-scale", &cfg_type_uint32, 0 },
-+ { "IPv4-prefix-length", &cfg_type_uint32, 0 },
-+ { "IPv6-prefix-length", &cfg_type_uint32, 0 },
++ { "ipv4-prefix-length", &cfg_type_uint32, 0 },
++ { "ipv6-prefix-length", &cfg_type_uint32, 0 },
+ { "exempt-clients", &cfg_type_bracketed_aml, 0 },
+ { "max-table-size", &cfg_type_uint32, 0 },
+ { "min-table-size", &cfg_type_uint32, 0 },
@@ -3243,7 +3309,7 @@ diff -up bind-9.9.2-P1/lib/isccfg/namedconf.c.orig bind-9.9.2-P1/lib/isccfg/name
/*%
* dnssec-lookaside
*/
-@@ -1397,6 +1430,7 @@ view_clauses[] = {
+@@ -1423,6 +1457,7 @@
CFG_CLAUSEFLAG_NOTCONFIGURED },
#endif
{ "response-policy", &cfg_type_rpz, 0 },
@@ -3251,14 +3317,14 @@ diff -up bind-9.9.2-P1/lib/isccfg/namedconf.c.orig bind-9.9.2-P1/lib/isccfg/name
{ NULL, NULL, 0 }
};
-diff -up bind-9.9.2-P1/version.orig bind-9.9.2-P1/version
---- bind-9.9.2-P1/version.orig 2012-10-26 06:50:34.000000000 +0200
-+++ bind-9.9.2-P1/version 2013-03-06 16:55:14.272039581 +0100
-@@ -5,6 +5,6 @@
- #
+diff -r -u version-orig version
+--- version-orig 2004-01-01 00:00:00.000000000 +0000
++++ version 2004-01-01 00:00:00.000000000 +0000
+@@ -7,6 +7,6 @@
+ DESCRIPTION="(Extended Support Version)"
MAJORVER=9
MINORVER=9
--PATCHVER=2
-+PATCHVER=2-rl.028.23
- RELEASETYPE=-P
- RELEASEVER=2
+-PATCHVER=3
++PATCHVER=3-rl.150.20
+ RELEASETYPE=
+ RELEASEVER=
diff --git a/sources b/sources
index 3341dbb..b6e38f5 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-2be7763c99b7e7b42ac3a18a267ce1aa bind-9.9.2-P2.tar.gz
+7baa8359f0773e04f63d7e694db1909c bind-9.9.3.tar.gz
6f22bed78f41bc27fa6d885b648da63e config-9.tar.bz2