Remi Gacogne [Tue, 21 Jan 2020 14:00:01 +0000 (15:00 +0100)]
dnsdist: Load an openssl configuration file, if any, during startup
This way dnsdist will load the default OpenSSL configuration, or a
custom one specified via the OPENSSL_CONF environment variable.
It allows loading an engine or configuring various options supported
by OpenSSL.
This requires OpenSSL >= 1.1.0.
Remi Gacogne [Mon, 20 Jan 2020 18:24:13 +0000 (19:24 +0100)]
rec: Add unit tests for the NSEC3 Opt-Out case
An Opt-Out NSEC3 only proves that there is no delegation, so we
should not consider a DS NODATA or a NXDOMAIN proved by that RR
secure but insecure.
This was fixed in 18c8faae6c67f734583c5c881d0d083d3253b49e and this
commit adds a few unit tests to cover the fix.
Remi Gacogne [Wed, 15 Jan 2020 13:28:25 +0000 (14:28 +0100)]
rec: Only the first filtering policy should match
Subsequent ones should not be applied.
Also make sure that NSDNAME and NSIP triggers really stop the
processing of the query, instead of just causing the current NS to
be skipped.
Remi Gacogne [Tue, 14 Jan 2020 15:26:23 +0000 (16:26 +0100)]
rec: Fix the evaluation order for filtering policies (RPZ)
Since 272e9a0034e8c5ea29d1ab7d24630424f178e926 we scanned all policies
for an exact match before looking for wildcard matches. It broke
the promise that filtering policies are evaluated in the order they
are defined.
Remi Gacogne [Fri, 13 Dec 2019 10:16:20 +0000 (11:16 +0100)]
dnsdist: Require Python libnacl < 1.7
Otherwise we need libsodium >= 1.0.12 (required by this change:
https://github.com/saltstack/libnacl/commit/8c8b2f8bc05a5b67f39acf9a6bc0bef6fa839166
) and we don't have it in Trusty, which we still use in Travis.
Otto Moerbeek [Mon, 6 Jan 2020 14:04:25 +0000 (15:04 +0100)]
Introduce test for PR 8648.
While there, explicitly init qname-minimization in test-syncres to
false. The current code gave the impression it was turned on by
default for unit tests. We have a lot of tests that count queries,
and that is highly dependent on qname minimization being on or off.
Remi Gacogne [Mon, 23 Dec 2019 17:15:49 +0000 (18:15 +0100)]
dnsdist: Allow retrieving and deleting a backend via its UUID
Backends have a UUID since the introduction of the consistent hashing
load-balancing policy, but until now it was not possible to retrieve
or delete a backend via its UUID.
Remi Gacogne [Fri, 20 Dec 2019 12:04:23 +0000 (13:04 +0100)]
auth: Clear the TSIG algo between iterations in the API
Otherwise `GSQLBackend::getTSIGKey()` will try to match the
algorithm in `keyAlgo` if it's set, which will prevent retrieving
a key with a different algorithm than the previous one.
Otto Moerbeek [Fri, 20 Dec 2019 09:08:50 +0000 (10:08 +0100)]
QName Minimization consults the cache first to see if work needs to
be done. Via doCacheCheck() this can lead to a call to computeZoneCuts()
which might/does not work properly on only cached records, so always
make sure it can go out if needed. Should fix #8642.
Sander Hoentjen [Mon, 16 Dec 2019 21:44:43 +0000 (22:44 +0100)]
Fix build with gcc-10
From an e-mail from Jeff Law <law@redhat.com>:
Subject: Minor problem in pdns, dnsdist and pdns-recursor packages in Fedora
[ All three packages have embedded copies of the same problematic code
and the same patch fixes all three. ]
Red Hat's compiler team continues to try and be proactive in identifying
issues that will arise as a result of the introduction of a new GCC
release into Fedora each spring.
You're being contacted because a package you maintain in Fedora is going
to fail to build with gcc-10 in the spring. Yes, I know that's a few
months away, but it's far easier to fix this stuff proactively now than
wait.
Fixing it now also means that your package will continue to be built
with testing versions of gcc-10 as we proceed through the development
process thus allowing additional issues to be caught early.
Your particular package will fail due to an uninstantiated template for
AsyncLoader<Request>. These kinds of problems are relatively common due to
changes in the tuning of the inliner for gcc-10:
> BUILDSTDERR: /usr/bin/ld: webserver.o: in function `WebServer::serveConnection(std::shared_ptr<Socket>) const':
> BUILDSTDERR: /builddir/build/BUILD/pdns-4.2.1/pdns/webserver.cc:373: undefined reference to `YaHTTP::AsyncLoader<YaHTTP::Request>::feed(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)'
> BUILDSTDERR: collect2: error: ld returned 1 exit status
> BUILDSTDERR: make[3]: *** [Makefile:2751: ixfrdist] Error 1
>
The attached patch arranges for an instance to be instantiated when
compiling reqresp.cpp and is sufficient to fix this problem. The
choice of reqresp.cpp was fairly arbitrary IIRC.
Ideally you'll work with upstream to get this fixed, but a Fedora patch is
clearly OK as well. I'll install the attached fix into Fedora in a
week or so if I haven't heard from you.